OSVDB ID: 4029

Title: Hsftp Filename Format String

Dates

Disclosure: Feb 23, 2004
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

Hsftp contains a format string flaw in its handling of filenames that may allow a malicious user to execute arbitrary code on the client machine. The issue is triggered when the client user lists the contents of a directory that contains a maliciously crafted filename. The flaw may allow execution of arbitrary code, resulting in a loss of confidentiality and integrity.

Classification

Location: Local Access Required, Remote / Network Access, Local / Remote, Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Rumored

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue. Users of Hsftp 1.14 are counseled to connect only to trusted servers.

Products

Samhain Labs Hsftp 1.14

Credit

  • Xavier Brouckaert -


Direct URL: http://osvdb.org/4029