pyftpdlib FTP Server Multiple Vulnerabilities
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
This host is running pyftpdlib FTP server and is prone to multiple vulnerabilities.
Insight
Insight
Multiple flaws exist because pyftpdlib, - allows remote authenticated users to access arbitrary files and directories via a .. (dot dot) in a LIST, STOR, or RETR command. - does not increment the attempted_logins count for a USER command that specifies an invalid username, which makes it easier for remote attackers to obtain access via a brute-force attack. - allows remote attackers to cause a denial of service via a long command. - does not limit the number of attempts to discover a unique filename, which might allow remote authenticated users to cause a denial of service via a STOU command. - does not prevent TCP connections to privileged ports if the destination IP address matches the source IP address of the connection from the FTP client, which might allow remote authenticated users to conduct FTP bounce attacks via crafted FTP data.
Affected Software
Affected Software
ftpserver.py in pyftpdlib before 0.2.0
Solution
Solution
Upgrade to pyftpdlib version 0.5.2 or later.
Scan for free your assets for this vulnerability + 99,568 other vulnerabilities
It is easy and free to get started with Mageni and it can be installed in Windows, macOS and Linux.
Processing. Please wait...
Free for 7-days then $4 USD monthly regardless of how many IPs, scans, users, or deployments you have. No Contracts, Cancel at Anytime and 7-days Money-Back Guarantee.
Common Vulnerabilities and Exposures (CVE)
References
- http://code.google.com/p/pyftpdlib/issues/detail?id=3
- http://code.google.com/p/pyftpdlib/issues/detail?id=9
- http://code.google.com/p/pyftpdlib/issues/detail?id=11
- http://code.google.com/p/pyftpdlib/issues/detail?id=20
- http://code.google.com/p/pyftpdlib/issues/detail?id=25
- http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY
- http://code.google.com/p/pyftpdlib/downloads/list