Summary
This host is running the pyftpdlib FTP server and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow an attacker to cause a denial of service.
Impact Level: Application
Solution
Upgrade to pyftpdlib version 0.5.2 or later.
For updates refer to http://code.google.com/p/pyftpdlib/downloads/list
Insight
- Race condition in the FTPHandler class allows remote attackers to cause a denial of service by establishing and then immediately closing a TCP connection.
- Improper permission check for the NLST command allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.
- Memory leak in the on_dtp_close function allows remote authenticated users to cause a denial of service by sending a QUIT command during a data transfer.
Affected
ftpserver.py in pyftpdlib before 0.5.2
References
- http://code.google.com/p/pyftpdlib/issues/detail?id=100
- http://code.google.com/p/pyftpdlib/issues/detail?id=104
- http://code.google.com/p/pyftpdlib/issues/detail?id=105
- http://code.google.com/p/pyftpdlib/issues/detail?id=114
- http://code.google.com/p/pyftpdlib/issues/detail?id=119
- http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2009-5011, CVE-2009-5012, CVE-2009-5013, CVE-2010-3494
CVSS Base Score: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P