Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200501-24] tnftp: Arbitrary file overwriting Vulnerability Scan
Vulnerability Scan Summary: tnftp: Arbitrary file overwriting
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200501-24
(tnftp: Arbitrary file overwriting)
The 'mget' function in cmds.c lacks validation of the filenames
that are supplied by the server.
Impact
An attacker running an FTP server could supply clients with
malicious filenames, potentially allowing arbitrary files to be
overwritten with the permissions of the connected user.
Workaround
There is no known workaround at this time.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1294
http://tigger.uic.edu/~jlongs2/holes/tnftp.txt
Solution:
All tnftp users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/tnftp-20050103"
Threat Level: Medium