| VID |
12018 |
| Severity |
30 |
| Port |
21 |
| Protocol |
TCP |
| Class |
FTP |
| Detailed Description |
War-FTPd is vulnerable to a denial-of-service attack via the MKD and CWD commands. The War-FTPd daemon is a very popular FTP server released as freeware, written for personal and professional use on the Windows platform. War-FTPd version 1.67 and possibly previous versions (1.6x) could allow a buffer overflow, which causes a denial of service. It occurs because the bounds check on the MKD and CWD commands is improper. A remote attacker with login credentials or anonymous FTP access could submit extremely long pathnames as arguments to these commands to crash the server, as follows:
CWD AAAAAA..['A'*8182]...AAAAAA
MKD AAAAAA..['A'*8182]...AAAAAA
This could cause an "Access Violation" that kills the war-ftpd.exe process and crashes the server.
* References: http://online.securityfocus.com/bid/966 http://www.iss.net/security_center/static/4010.php |
| Recommendation |
Upgrade to version 1.71 or later, which fixes this vulnerability, from [War FTP Daemon], [War FTP Daemon beta (1.70)] at the War-FTP web site, http://support.jgaa.com/index.php?MenuPage=download |
| Related URL |
CVE-2000-0131 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
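A defensive check for the condition in the Detailed Description, as an added example that is not part of the original advisory or of War-FTPd: it reassembles FTP control-channel commands from TCP chunks and flags CWD or MKD arguments above a length limit. The 512-byte limit, the class and function names, and the sample traffic are assumptions constructed for illustration.

```python
MAX_ARG_LEN = 512            # assumed site policy, not a War-FTPd constant
WATCHED = {b"CWD", b"MKD"}   # the two commands named in the advisory

class FtpCommandInspector:
    """Reassembles CRLF-terminated commands from arbitrary TCP chunks."""

    def __init__(self, max_arg_len=MAX_ARG_LEN):
        self.max_arg_len = max_arg_len
        self.buf = bytearray()
        self.skipping = False    # True while discarding a reported line's tail
        self.alerts = []

    def feed(self, chunk):
        self.buf += chunk
        while (end := self.buf.find(b"\n")) >= 0:
            line = bytes(self.buf[:end]).rstrip(b"\r")
            del self.buf[:end + 1]
            if self.skipping:
                self.skipping = False
            else:
                self._check(line, complete=True)
        # Inspect an unterminated command once it exceeds verb + space + limit,
        # so withholding the CRLF does not avoid the check or grow the buffer.
        if len(self.buf) > self.max_arg_len + 4:
            if not self.skipping:
                self._check(bytes(self.buf), complete=False)
                self.skipping = True
            self.buf.clear()

    def _check(self, line, complete):
        verb, _, arg = line.partition(b" ")
        if verb.upper() in WATCHED and len(arg) > self.max_arg_len:
            self.alerts.append({"command": verb.upper().decode("ascii"),
                                "arg_len": len(arg), "complete": complete})

def scan_stream(chunks, max_arg_len=MAX_ARG_LEN):
    inspector = FtpCommandInspector(max_arg_len)
    for chunk in chunks:
        inspector.feed(chunk)
    return inspector.alerts

# Constructed sample traffic (client-to-server bytes), not a real capture.
SAMPLE = [
    b"USER anonymous\r\nPASS guest@\r\nCWD /pub\r\n",
    b"MKD " + b"A" * 8182 + b"\r\n",      # whole command in one chunk
    b"cwd " + b"A" * 4000,                # lower-case verb, split command
    b"A" * 4182 + b"\r\nQUIT\r\n",
]
```

For an alert with `complete` set to False, `arg_len` is the number of argument bytes seen when the limit was crossed, not the final length.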