CVE-2007-4909

Name of the Vulnerable Software and Affected Versions: WinSCP versions prior to 4.0.4

Description: The issue arises from an interpretation conflict that allows remote attackers to perform arbitrary file transfers with a remote server. This can be achieved via file-transfer commands in the final portion of a URL, specifically affecting scp, and possibly sftp or ftp URLs. For instance, a URL that specifies login to the remote server with a username of scp can be interpreted differently by a web browser's protocol handler and by WinSCP, leading to potential security risks.

Recommendations: For versions prior to 4.0.4, update to version 4.0.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of file-transfer commands in URLs to minimize the risk of exploitation. Avoid using URLs that specify login to the remote server with a username that could be misinterpreted by WinSCP.