VID | 16129
Severity | 40
Port | 21, ...
Protocol | TCP
Class | FTP
Detailed Description | A version of ProFTPD FTP Server older than 1.3.0a is detected as running on the host. ProFTPD is a freely available FTP server for Unix-based operating systems. ProFTPD versions prior to 1.3.0a are vulnerable to a stack-based buffer overflow caused by improper bounds checking in the sreplace function. A remote attacker could exploit this vulnerability to execute arbitrary code on the host or crash the affected server.
* Note: This check relies solely on the banner of the remote FTP server to assess this vulnerability, so it may be a false positive.
* References: http://archives.neohapsis.com/archives/bugtraq/2006-11/0095.html ; http://www.securityfocus.com/archive/1/452760/30/0/threaded ; http://www.frsirt.com/english/advisories/2006/4451 ; http://securitytracker.com/alerts/2006/Nov/1017167.html ; http://secunia.com/advisories/22803
* Platforms Affected: ProFTPD Project ProFTPD versions prior to 1.3.0a; Linux, any version; Unix, any version
Recommendation | Upgrade to the latest version of ProFTPD (1.3.0a or later), available from the ProFTPD Web site at http://www.proftpd.org/
For Gentoo Linux: Upgrade to the fixed version of proftpd, as listed in Gentoo Linux Security Announcement GLSA 200611-26 at http://www.gentoo.org/security/en/glsa/glsa-200611-26.xml
For Debian Linux: Upgrade to the fixed version of the proftpd package, as listed in Debian Security Advisory DSA-1222-2 at http://www.us.debian.org/security/2006/dsa-1222
For other distributions: Contact your vendor for upgrade or patch information.
Related URL | CVE-2006-5815 (CVE)
Related URL | 20992 (SecurityFocus)
Related URL | 30147 (ISS)