Tan Chew Keong

**Name of the Vulnerable Software and Affected Versions** FireFTP Extension version 1.0.5 **Description** The issue allows remote authenticated SFTP users to manipulate victims into altering permissions, deleting, downloading, or moving the wrong file. This is achieved by using a filename containing double quotes, which is not properly filtered or encoded when constructing the command to send to psftp.exe. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For FireFTP Extension version 1.0.5, consider disabling the use of double quotes in filenames as a temporary workaround until a patch is available. Restrict access to the `sftp.js` and `controlSocket.js.in` files to minimize the risk of exploitation. Avoid using filenames with double quotes in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NULL FTP Server Free and Pro version 1.1.0.7 **Description** The issue allows remote authenticated users to execute arbitrary commands via a custom SITE command containing shell metacharacters, such as `&` (ampersand), in the middle of an argument. **Recommendations** For version 1.1.0.7, consider restricting access to custom SITE commands or disabling the execution of commands containing shell metacharacters until a patch is available.

Name of the Vulnerable Software and Affected Versions: FFFTP version 1.96b Description: A directory traversal issue allows remote FTP servers to create or overwrite arbitrary files. This occurs when an FTP server responds to an FTP LIST command with a filename containing a .. (dot dot) sequence. Recommendations: For FFFTP version 1.96b, update to a version that fixes this issue to prevent remote FTP servers from creating or overwriting arbitrary files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** net2ftp versions 0.96 through 0.97 **Description** The issue allows remote attackers to create, read, or delete arbitrary files via a .. (dot dot) in a filename within a TAR or ZIP archive. This can be leveraged for code execution by creating a .php file. **Recommendations** For net2ftp versions 0.96 through 0.97, consider disabling the "Unzip archive" and "Upload files and archives" functionality until a patch is available to prevent exploitation. Restrict access to file upload features to minimize the risk of arbitrary file creation, reading, or deletion. Avoid using the .. (dot dot) notation in filenames within archives to prevent directory traversal.

**Name of the Vulnerable Software and Affected Versions** AceFTP Freeware version 3.80.3 AceFTP Pro version 3.80.3 **Description** A directory traversal issue in the FTP client allows remote FTP servers to create or overwrite arbitrary files by including a .. (dot dot) in a response to a LIST command. **Recommendations** For AceFTP Freeware version 3.80.3, consider disabling the FTP client functionality until a patch is available. For AceFTP Pro version 3.80.3, restrict access to the FTP client to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Data Dynamics ActiveReports version 2.5.0.1314 **Description** The issue concerns multiple insecure method vulnerabilities in the DDActiveReportsViewer2.ARViewer2 ActiveX control. These vulnerabilities allow remote attackers to overwrite arbitrary files by calling specific methods, including the `Pages.Save`, `PrintReport`, or `Canvas.Save` methods. **Recommendations** For Data Dynamics ActiveReports version 2.5.0.1314, consider disabling the `Pages.Save`, `PrintReport`, and `Canvas.Save` methods as a temporary workaround until a patch is available. Restrict access to the arview2.ocx ActiveX control to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AceBIT WISE-FTP versions 4.1.0 through 5.5.8 **Description** A directory traversal issue exists in the FTP client, allowing remote FTP servers to create or overwrite arbitrary files. This can be achieved by including a .. (dot dot backslash) in a response to a LIST command. **Recommendations** For AceBIT WISE-FTP versions 4.1.0 through 5.5.8, consider disabling the FTP client functionality until a patch is available to prevent potential exploitation. Restrict access to sensitive files and directories to minimize the risk of arbitrary file creation or overwrite.

**Name of the Vulnerable Software and Affected Versions** Glub Tech Secure FTP versions prior to 2.5.16 **Description** A directory traversal issue in the FTP client allows remote FTP servers to create or overwrite arbitrary files. This is achieved by including a .. (dot dot backslash) in a response to a LIST command. **Recommendations** For versions prior to 2.5.16, update to version 2.5.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the FTP client until the update is applied. Avoid using the FTP client to connect to untrusted FTP servers until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** UltraEdit version 14.00b **Description** A directory traversal issue exists in the FTP and SFTP clients, allowing remote FTP servers to create or overwrite arbitrary files. This can be achieved by including a .. (dot dot) or a .. (dot dot backslash) in a response to a LIST command. **Recommendations** For UltraEdit version 14.00b, consider restricting access to the FTP and SFTP clients until a patch is available. As a temporary workaround, avoid using the LIST command with untrusted FTP servers to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BitKinex version 2.9.3 **Description** The issue allows remote FTP and WebDAV servers to create or overwrite arbitrary files on the client system via directory traversal vulnerabilities. This can be achieved by including a .. (dot dot) in responses to specific commands, such as a LIST command from the BitKinex FTP client or a PROPFIND command from the BitKinex WebDAV client. This vulnerability can potentially be leveraged for code execution by writing to a Startup folder. **Recommendations** For BitKinex version 2.9.3, consider restricting access to the FTP and WebDAV clients until a patch is available, and avoid using these clients to connect to untrusted servers. As a temporary workaround, restrict write access to sensitive folders, such as Startup folders, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Core FTP client version 2.1 Build 1565 **Description** A directory traversal issue allows remote FTP servers to create or overwrite arbitrary files by using .. (dot dot) sequences in responses to LIST commands. This can potentially be leveraged for code execution by writing to a Startup folder. **Recommendations** For Core FTP client version 2.1 Build 1565, consider disabling the LIST command functionality until a patch is available to prevent remote FTP servers from exploiting this issue. Restrict access to sensitive folders, such as Startup folders, to minimize the risk of code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lhaca File Archiver versions prior to 1.22 **Description** A stack-based buffer overflow issue exists, allowing user-assisted remote attackers to execute arbitrary code via a large LHA "Extended Header Size" value in an LZH archive. **Recommendations** For versions prior to 1.22, update to version 1.22 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WinImage version 8.0.8000 **Description** The issue is related to multiple buffer overflows that can be triggered by a FAT image with long directory names in a deeply nested directory structure. This can lead to the execution of arbitrary code via user-assisted remote attacks. The buffer overflows occur during extraction and traversal, specifically as a stack-based buffer overflow and a heap-based buffer overflow. **Recommendations** For WinImage version 8.0.8000, consider avoiding the use of FAT images with deeply nested directory structures and long directory names until a fix is available. As a temporary workaround, restrict the extraction and traversal of such images to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** yEnc32 version 1.0.7.207 **Description** The issue allows user-assisted remote attackers to execute arbitrary code via a long filename in an NTX file. This is due to a heap-based buffer overflow. **Recommendations** For yEnc32 version 1.0.7.207, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** PowerArchiver 2006 version 9.64.02 PAISO.DLL version 1.7.3.0 (1.7.3 beta) **Description** The issue is related to multiple stack-based buffer overflows in the `LoadTree` and `ReadHeader` functions. This can be exploited by user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories. **Recommendations** For PowerArchiver 2006 version 9.64.02, consider avoiding the use of PAISO.DLL version 1.7.3.0 (1.7.3 beta) until a patch is available. As a temporary workaround, restrict the handling of crafted ISO files to minimize the risk of exploitation. Avoid using the `LoadTree` and `ReadHeader` functions in PAISO.DLL until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Total Commander iso wincmd plugin version 1.7.3.3 and earlier Description: The issue is related to multiple stack-based buffer overflows in the LoadTree, ReadHeader, and LoadXBOXTree functions. This allows user-assisted remote attackers to execute arbitrary code via a long pathname in an ISO image. Recommendations: For Total Commander iso wincmd plugin version 1.7.3.3 and earlier, consider updating to a newer version that contains a fix for this issue. As a temporary workaround, avoid opening ISO images from untrusted sources to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: CruiseWorks versions 1.09c through 1.09d Description: The issue is a stack-based buffer overflow that allows remote attackers to execute arbitrary code. This is achieved by sending a long string in the `doc` parameter to the `/scripts/cruise/cws.exe` endpoint. Recommendations: For CruiseWorks versions 1.09c and 1.09d, consider restricting access to the `/scripts/cruise/cws.exe` endpoint until a patch is available. As a temporary workaround, avoid using long strings in the `doc` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: CruiseWorks versions 1.09c through 1.09d Description: The issue allows remote attackers to read arbitrary files via a .. (dot dot) in the `doc` parameter of the "/scripts/cruise/cws.exe" API endpoint. Recommendations: For versions 1.09c and 1.09d, consider restricting access to the "/scripts/cruise/cws.exe" endpoint until a patch is available. Avoid using the `doc` parameter in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Neon WebMail for Java versions prior to 5.08 **Description** The issue allows remote attackers to execute arbitrary Java code by sending an e-mail message with a JSP file attachment. This attachment is stored under the web root with a predictable filename, enabling the execution of malicious code. **Recommendations** For versions prior to 5.08, update to version 5.08 or later to resolve the issue. As a temporary workaround, consider restricting the ability to send email messages with JSP file attachments to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Neon WebMail for Java versions prior to 5.08 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved through SQL injection vulnerabilities in the addrlist and maillist servlets. Specifically, the vulnerabilities are found in the `adr sortkey` and `adr sortkey desc` parameters of the addrlist servlet, and the `sortkey` and `sortkey desc` parameters of the maillist servlet. **Recommendations** For versions prior to 5.08, update to version 5.08 or later to resolve the issue. As a temporary workaround, consider restricting access to the addrlist and maillist servlets to minimize the risk of exploitation. Avoid using the `adr sortkey`, `adr sortkey desc`, `sortkey`, and `sortkey desc` parameters in the affected servlets until the issue is resolved.