PT-2009-5771 · Mozilla · Fireftp Extension

Tan Chew Keong · Published 2009-09-29 · Updated 2024-03-12 · CVE-2009-3478

CVSS v2.0: 6.0 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: FireFTP Extension version 1.0.5

Description: The issue allows remote authenticated SFTP users to manipulate victims into altering permissions, deleting, downloading, or moving the wrong file. This is achieved by using a filename containing double quotes, which is not properly filtered or encoded when constructing the command to send to psftp.exe. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations: For FireFTP Extension version 1.0.5, consider disabling the use of double quotes in filenames as a temporary workaround until a patch is available. Restrict access to the sftp.js and controlSocket.js.in files to minimize the risk of exploitation. Avoid using filenames with double quotes in the affected API endpoints until the issue is resolved.
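The following is an added illustration of the defect class described above and of the workaround the advisory suggests; it is not FireFTP's code, and function names (buildCommandNaive, buildCommandSafe, splitQuoted, receiverArgs) and the sample filenames are assumptions. The tokenizer is a simplified model of a double-quote-aware command reader and does not reproduce psftp.exe's exact quoting rules.

```javascript
// Added example (not FireFTP's code). Shows why dropping an untrusted filename
// into a double-quoted command string is fragile, and a defensive alternative.

// Naive builder in the style the advisory describes: the filename is wrapped in
// double quotes with no filtering or encoding of embedded double quotes.
function buildCommandNaive(verb, filename) {
  return `${verb} "${filename}"\n`;
}

// Simplified double-quote-aware tokenizer (assumption: approximates how a
// command reader such as psftp splits a line; not its exact grammar).
function splitQuoted(line) {
  const args = [];
  let cur = "";
  let inQuote = false;
  let haveToken = false;
  for (const ch of line.trim()) {
    if (ch === '"') { inQuote = !inQuote; haveToken = true; continue; }
    if (ch === " " && !inQuote) {
      if (haveToken) { args.push(cur); cur = ""; haveToken = false; }
      continue;
    }
    cur += ch;
    haveToken = true;
  }
  if (haveToken) args.push(cur);
  return args;
}

// Arguments the receiving program would see after the command verb.
function receiverArgs(line) {
  return splitQuoted(line).slice(1);
}

// Defensive builder: refuse any filename that could change the command's
// structure. Rejecting double quotes matches the advisory's workaround;
// rejecting control characters (e.g. newline) additionally prevents a second
// command line from being smuggled in (added safeguard, not from the advisory).
const UNSAFE_IN_QUOTED_ARG = /["\x00-\x1f]/;
function buildCommandSafe(verb, filename) {
  if (UNSAFE_IN_QUOTED_ARG.test(filename)) {
    throw new Error("filename contains characters unsafe for a quoted command");
  }
  return `${verb} "${filename}"\n`;
}

// Constructed sample names for a stand-alone run.
const ordinary = "my file.txt";
const withQuote = 'notes".txt';   // a legal filename on many systems

console.log(receiverArgs(buildCommandNaive("rm", ordinary)));  // [ 'my file.txt' ]
// The naive builder silently targets a different name than the user chose:
console.log(receiverArgs(buildCommandNaive("rm", withQuote))); // [ 'notes.txt' ]
try {
  buildCommandSafe("rm", withQuote);
} catch (e) {
  console.log("rejected:", e.message);
}
```

The point of the safe builder is that the name is validated before it ever reaches string concatenation; an alternative, where the receiving program supports it, is to encode embedded quotes in the form that program expects, but that requires knowing its exact grammar, which is why a reject-list is the simpler workaround.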

Exploit · Fix · Code Injection


Weakness Enumeration

Related Identifiers

CVE-2009-3478
ROSA-SA-2024-2370

Affected Products

Fireftp Extension