PT-2007-3681 · Lftp+1

Published: 2007-04-27 · Updated: 2023-02-13 · CVE-2007-2348

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

lftp versions prior to 3.5.9

Description

The issue is related to the mirror --script feature in lftp, which does not properly quote shell metacharacters. This might allow remote user-assisted attackers to execute shell commands via a malicious script. It is worth noting that the script already supports commands such as "get" which could potentially overwrite executable files.

Recommendations

For versions prior to 3.5.9, update to version 3.5.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the mirror --script feature until a patch is applied. Avoid using potentially malicious scripts with the mirror --script feature to minimize the risk of exploitation.

Related Identifiers

CVE-2007-2348
RHSA-2009:1278
RHSA-2009_1278

Affected Products

Red Hat
Lftp