Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2011-0418 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software Subscribe |
Pure-FTPd Server applications / File servers (FTP/HTTP) |
Vendor | PureFTPd.org |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU32849
Risk: Low
CVSSv3.1: 1.4 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2011-0418
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote #AU# to perform service disruption.
The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.
MitigationInstall update from vendor's website.
Vulnerable software versionsPure-FTPd: 1.0.1 - 1.0.31
External linkshttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c#rev1.28
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.27&r2=1.28&f=h
http://securityreason.com/achievement_securityalert/97
http://securityreason.com/securityalert/8228
http://www.mandriva.com/security/advisories?name=MDVSA-2011:094
http://www.pureftpd.org/project/pure-ftpd/news
http://www.securityfocus.com/bid/47671
http://www.vupen.com/english/advisories/2011/1273
http://bugzilla.redhat.com/show_bug.cgi?id=704283
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.