ProFTPD is a popular free File Transfer Protocol (FTP) server package. A vulnerability in its handling of files transferred in ASCII mode can allow an attacker to compromise the system running the server.
The File Transfer Protocol (FTP) described in RFC 959 defines operations for several data types, including ASCII. For this mode of operation, RFC 959 states:
... The sender converts the data from an internal character representation to the standard 8-bit NVT-ASCII representation (see the Telnet specification). The receiver will convert the data from the standard form to his own internal form.
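The sender-side conversion that the RFC 959 passage describes, as an added example (not ProFTPD's code and not a reconstruction of the flaw): it assumes a Unix-style internal form with bare LF line endings, which become CR LF on the wire, so the output can be up to twice the input and every write is checked against the buffer size. The function names and the sample input are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define NVT_ERR ((size_t)-1)

/* Worst case for LF -> CR LF: every input byte is a bare LF. */
size_t nvt_worst_case(size_t in_len)
{
    return in_len > (size_t)-1 / 2 ? NVT_ERR : in_len * 2;
}

/* Translate one chunk: each bare LF becomes CR LF, an existing CR LF
 * pair passes through unchanged. *prev_cr carries state between chunks
 * so a pair split across two reads is not turned into CR CR LF.
 * Returns bytes written, or NVT_ERR if out_cap is too small; nothing is
 * ever written past out + out_cap. Abort the transfer on NVT_ERR. */
size_t to_nvt_ascii(const unsigned char *in, size_t in_len,
                    unsigned char *out, size_t out_cap, int *prev_cr)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        if (c == '\n' && !*prev_cr) {
            if (out_cap - o < 2)        /* room for CR and LF */
                return NVT_ERR;
            out[o++] = '\r';
        } else if (out_cap - o < 1) {   /* room for one byte */
            return NVT_ERR;
        }
        out[o++] = c;
        *prev_cr = (c == '\r');
    }
    return o;
}

int main(void)
{
    /* Constructed sample: a CR LF pair split across two chunks. */
    unsigned char out[8];
    int prev_cr = 0;
    size_t n = to_nvt_ascii((const unsigned char *)"a\nb\r", 4,
                            out, sizeof out, &prev_cr);
    n += to_nvt_ascii((const unsigned char *)"\nc", 2,
                      out + n, sizeof out - n, &prev_cr);
    return (n == 7 && memcmp(out, "a\r\nb\r\nc", 7) == 0) ? 0 : 1;
}
```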
A remote attacker may be able to execute arbitrary code on the vulnerable server with elevated privileges.
Apply a patch from the vendor
Trustix Secure Linux
This vulnerability was discovered and researched by Mark Dowd from Internet Security Systems' (ISS) X-Force. The information was originally published by ISS.
This document was written by Chad R Dougherty based on information published by ISS.
Date First Published: 2003-10-29
Date Last Updated: 2003-10-29 16:21 UTC