FW: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability

*** PGP SIGNATURE VERIFICATION ***
*** Status: Good Signature
*** Signer: X-Force <xforce@iss.net> (0x7DF5E1BD)
*** Signed: 9/23/2003 10:52:05 AM
*** Verified: 9/23/2003 11:51:58 AM
*** BEGIN PGP VERIFIED MESSAGE ***

Internet Security Systems Security Brief
September 23, 2003

ProFTPD ASCII File Remote Compromise Vulnerability

Synopsis:

ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server.
ProFTPD is a highly configurable FTP (File Transfer Protocol) server for
Unix that allows for per-directory access restrictions, easy
configuration of virtual FTP servers, and support for multiple
authentication mechanisms. A flaw exists in the ProFTPD component that
handles incoming ASCII file transfers.

Impact:

An attacker capable of uploading files to the vulnerable system can
trigger a buffer overflow and execute arbitrary code to gain complete
control of the system. Attackers may use this vulnerability to destroy,
steal, or manipulate data on vulnerable FTP sites.

Affected Versions:

ProFTPD 1.2.7
ProFTPD 1.2.8
ProFTPD 1.2.8rc1
ProFTPD 1.2.8rc2
ProFTPD 1.2.9rc1
ProFTPD 1.2.9rc2

Note: Versions previous to version 1.2.7 may also be vulnerable.

For the complete ISS X-Force Security Advisory, please visit:
http://xforce.iss.net/xforce/alerts/id/154