BID:25655 - WinSCP URL Protocol Handler Arbitrary File Access Vulnerability

WinSCP URL Protocol Handler Arbitrary File Access Vulnerability

BID:25655

Info

WinSCP URL Protocol Handler Arbitrary File Access Vulnerability

Bugtraq ID:	25655
Class:	Access Validation Error
CVE:	CVE-2007-4909
Remote:	Yes
Local:	No
Published:	Sep 13 2007 12:00AM
Updated:	May 07 2015 05:35PM
Credit:	[email protected] is credited with the discovery of this vulnerability.
Vulnerable:	WinSCP WinSCP 4.0.3 WinSCP WinSCP 4.0.2 WinSCP WinSCP 3.8.2 WinSCP WinSCP 3.8.1 WinSCP WinSCP 3.6.7 WinSCP WinSCP 3.6.6 WinSCP WinSCP 3.6.5 Beta WinSCP WinSCP 3.6.1 WinSCP WinSCP 3.6 WinSCP WinSCP 3.5.6 WinSCP WinSCP 3.5.5 Beta WinSCP WinSCP 2.0 .0

Not Vulnerable:	WinSCP WinSCP 4.0.4

Discussion

WinSCP URL Protocol Handler Arbitrary File Access Vulnerability

WinSCP is prone to a vulnerability that lets an attacker upload arbitrary files to a victim's computer or to download arbitrary files from the victim's computer in the context of the vulnerable application.

This issue affects versions prior to WinSCP 4.0.4.

Exploit / POC

WinSCP URL Protocol Handler Arbitrary File Access Vulnerability

The following sample exploit code is available:

/data/vulnerabilities/exploits/25655.html

Solution / Fix

WinSCP URL Protocol Handler Arbitrary File Access Vulnerability

Solution:
The vendor released WinSCP 4.0.4 to address this issue. Please see the references for more information.

WinSCP WinSCP 2.0 .0

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 3.5.5 Beta

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 3.5.6

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 3.6

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 3.6.1

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 3.6.5 Beta

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 3.6.6

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 3.6.7

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 3.8.1

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 3.8.2

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 4.0.2

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

WinSCP WinSCP 4.0.3

WinSCP winscp404.exe
http://downloads.sourceforge.net/winscp/winscp404.exe?modtime=11887754 76&big_mirror=0

References

WinSCP URL Protocol Handler Arbitrary File Access Vulnerability

References:

WinSCP Product Page (WinSCP)
WinSCP Version 4.0.4 Release Notes (WinSCP)
WinSCP < 4.04 url protocol handler flaw ([email protected])