Ruby ftpd 'filename' Parameter Remote Command Execution Vulnerability
BID:58279
Info
| Bugtraq ID: | 58279 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 28 2013 12:00AM |
| Updated: | Feb 28 2013 12:00AM |
| Credit: | Larry W. Cashdollar |
| Vulnerable: | Wayne Conrad ftpd 0.2.1 |
| Not Vulnerable: | Wayne Conrad ftpd 0.2.2 |
Discussion
ftpd is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
ftpd 0.2.1 is vulnerable; other versions may also be affected.
Exploit / POC
Attackers can use readily available tools to exploit this issue.
Solution / Fix
Solution:
Reportedly the issue is fixed; however, Symantec has not confirmed this. Please contact the vendor for more information.
References
References:
- Remote command execution for Ruby Gem ftpd-0.2.1 (Full Disclosure)
- RubyGems Fileutils Homepage (RubyGems)