PT-2008-3871 · Mozilla · Fireftp

Ryan Giobbi

Published

2008-05-22

Updated

2017-08-08

CVE-2008-2399

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: FireFTP add-on versions prior to 0.98.20080518

Description: A directory traversal issue allows remote FTP servers to create or overwrite arbitrary files via .. (dot dot backslash) sequences in responses to (1) MLSD and (2) LIST commands. This can be leveraged for code execution by writing to a Startup folder.

Recommendations: For FireFTP add-on versions prior to 0.98.20080518, update to version 0.98.20080518 or later to resolve the issue. As a temporary workaround, consider restricting access to the MLSD and LIST commands until a patch is available. Avoid using the FireFTP add-on with untrusted FTP servers until the issue is resolved.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2008-2399

Affected Products

Fireftp

PT-2008-3871 · Mozilla · Fireftp

CVE-2008-2399

Weakness Enumeration

Related Identifiers

Affected Products

References · 8