1. CVE-Search
  2. CVE-1999-0997
ID CVE-1999-0997
Summary wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.
References
Vulnerable Configurations
  • cpe:2.3:a:millenux_gmbh:anonftp:2.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:millenux_gmbh:anonftp:2.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:university_of_washington:wu-ftpd:2.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:university_of_washington:wu-ftpd:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:university_of_washington:wu-ftpd:2.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:university_of_washington:wu-ftpd:2.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:university_of_washington:wu-ftpd:2.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:university_of_washington:wu-ftpd:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:linux:5.2:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:linux:5.2:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:linux:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:linux:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:linux:6.1:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:linux:6.1:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 05-09-2008 - 20:18)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
bugtraq 19991220 Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd)
debian DSA-377
xf wuftp-ftp-conversion
statements via4
contributor Joshua Bressers
lastmodified 2006-09-27
organization Red Hat
statement Red Hat does not consider CVE-1999-0997 to be a security vulnerability. The wu-ftpd process chroots itself into the target ftp directory and will only run external commands as the user logged into the ftp server. Because the process chroots itself, an attacker needs a valid login with write access to the ftp server, and even then they could only potentially execute commands as themselves.
Last major update 05-09-2008 - 20:18
Published 20-12-1999 - 05:00
Last modified 05-09-2008 - 20:18
Back to Top