PT-2017-15582 · Pure Ftpd+1 · Pure-Ftpd+1
Published
2017-06-29
·
Updated
2022-06-07
·
CVE-2017-2850
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Foscam C1 Indoor HD cameras version 2.52.2.37
Description
A specially crafted HTTP request can allow a user to inject arbitrary characters in the
pureftpd.passwd file during a username change, which in turn allows for bypassing chroot restrictions in the FTP server. An attacker can simply send an HTTP request to the device to trigger this issue.Recommendations
For Foscam C1 Indoor HD cameras version 2.52.2.37, consider restricting access to the web management interface until a fix is available. As a temporary workaround, avoid using the username change feature in the web management interface to prevent potential exploitation.
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Foscam C1 Indoor Hd
Pure-Ftpd