It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
lftp project lftp |
||
canonical ubuntu linux 12.04 |
||
opensuse leap 42.3 |