| VID | 16048 |
| Severity | 40 |
| Port | 21 |
| Protocol | TCP |
| Class | FTP |
| Detailed Description |
The version of the remote Serv-U FTP server is older than 2.5i. Serv-U is an FTP server that runs on any Windows platform and lets a user set up an FTP server on a PC. Serv-U FTP server versions 2.5h and earlier are affected by the following vulnerabilities:
o CWD command buffer overflow: a buffer overflow in the processing of an overly long CWD argument in Serv-U FTP 2.5 and earlier lets a remote attacker cause a denial of service or, potentially, execute arbitrary code. CVE : http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0219
o SITE command buffer overflow: a buffer overflow in the processing of the SITE command in Serv-U FTP 2.5a lets a remote attacker cause a denial of service. CVE : http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0838
o Denial of service via NULL bytes, and pathname disclosure: Serv-U FTP 2.5e and earlier crash after receiving a long string of NULL bytes; such an attack can eventually bring down the host system as well. Serv-U FTP 2.5d and earlier disclose the full local pathname of the server directory when asked for a file or directory that does not exist. CVE : http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0837
o Unauthorized file access: Serv-U FTP server versions 2.5h and earlier allow an authenticated or anonymous user to escape the configured FTP root (a directory-traversal variant) and read or write any file on the same disk partition as the FTP server. CVE : http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0054 |
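The check this entry describes is a version test against the FTP greeting: anything that identifies itself as Serv-U older than 2.5i is reported. The following is an added example of that check, not code from the scanner or from the Serv-U vendor. The banner wording ("Serv-U FTP-Server v2.5h for WinSock ready...") is an assumption modelled on 2.x greetings, the sample banners are constructed for offline use, and Serv-U's letter patch levels are ordered as 2.5 < 2.5a < ... < 2.5h < 2.5i.

```python
import re
import socket
from typing import Optional, Tuple

# Release that fixes all four issues listed above (from the advisory text).
FIXED_VERSION = "2.5i"

# Constructed sample banners for offline use. The Serv-U wording is an
# assumption modelled on the 2.x "220 Serv-U FTP-Server vX.Y ..." greeting;
# a real deployment may phrase its 220 line differently.
SAMPLE_BANNERS = {
    "vulnerable_2_5h": "220 Serv-U FTP-Server v2.5h for WinSock ready...\r\n",
    "vulnerable_2_5":  "220 Serv-U FTP-Server v2.5 for WinSock ready...\r\n",
    "fixed_2_5i":      "220 Serv-U FTP-Server v2.5i for WinSock ready...\r\n",
    "fixed_3_0":       "220 Serv-U FTP-Server v3.0 for WinSock ready...\r\n",
    "not_servu":       "220 ProFTPD 1.2.0 Server (Debian) [ftp.example.net]\r\n",
}

Version = Tuple[int, int, int]  # (major, minor, patch-letter index)

_BANNER_RE = re.compile(r"Serv-U FTP[- ]Server\s+v?(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)
_PLAIN_RE = re.compile(r"^(\d+)\.(\d+)([a-z]?)$")


def _to_tuple(major: str, minor: str, letter: str) -> Version:
    # Serv-U patch levels are letters; a bare "2.5" gets patch 0 so that it
    # sorts before "2.5a", and "h" -> 8, "i" -> 9, keeping 2.5h < 2.5i.
    patch = (ord(letter.lower()) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), patch)


def parse_version_string(text: str) -> Version:
    """Parse a bare version such as '2.5i' into a comparable tuple."""
    m = _PLAIN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Serv-U style version: {text!r}")
    return _to_tuple(*m.groups())


def parse_banner(banner: str) -> Optional[Version]:
    """Extract the Serv-U version from a 220 greeting; None if not Serv-U."""
    m = _BANNER_RE.search(banner)
    return _to_tuple(*m.groups()) if m else None


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the banner shows Serv-U < 2.5i, False if >= 2.5i,
    None if the server cannot be identified as Serv-U at all."""
    v = parse_banner(banner)
    if v is None:
        return None
    return v < parse_version_string(FIXED_VERSION)


def grab_banner(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Read the FTP greeting up to and including the final '220 ' line
    (multi-line greetings use '220-' continuation lines). Network helper
    only; not exercised by the offline samples above."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        chunks = []
        while True:
            data = s.recv(1024)
            if not data:
                break
            chunks.append(data)
            text = b"".join(chunks).decode("latin-1")
            if re.search(r"(?m)^220 .*\r?\n", text):
                return text
        return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:16s} -> vulnerable={is_vulnerable(banner)}")
```

A greeting-based check has an obvious blind spot: if the administrator has changed the 220 text, `is_vulnerable` returns None, and the report should say "unknown", not "not affected". It also flags a bare "2.5" (patch 0) and every lettered build up to 2.5h, which matches the advisory's cut-off at 2.5i.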
| Recommendation |
Upgrade to the latest version (2.5i or later) of the Serv-U FTP package from the Serv-U web site, http://www.serv-u.com/ |
| Related URL | CVE-2001-0054, CVE-2000-0837, CVE-1999-0838, CVE-1999-0219 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |