CVE-2011-1575

Name of the Vulnerable Software and Affected Versions Pure-FTPd versions prior to 1.0.30

Description The issue is related to a "plaintext command injection" attack, where man-in-the-middle attackers can insert commands into encrypted FTP sessions. This occurs because the STARTTLS implementation does not properly restrict I/O buffering, allowing attackers to send a cleartext command that is processed after TLS is in place.

Recommendations For versions prior to 1.0.30, update to version 1.0.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the FTP server until the update is applied.