| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 25 Oct 2011 17:23:40 +0800 From: YGN Ethical Hacker Group <lists@...g.net> To: full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com>, secalert@...urityreason.com, bugs@...uritytracker.com, vuln <vuln@...unia.com>, vuln@...urity.nnov.ru, news@...uriteam.com, moderators@...db.org Subject: zFtp Server <= 2011-04-13 | "STAT,CWD" Remote Denial of Service Vulnerability zFtp Server <= 2011-04-13 | "STAT,CWD" Remote Denial of Service Vulnerability 1. OVERVIEW The zFTP server is found to be vulnerable to denial of service in handling multiple STAT and CWD command requests. 2. BACKGROUND The zFTP server is a Windows based FTP server with focus on clever Active Directory integration and powerful, effortless administration. 3. VERSIONS AFFECTED 2011-04-13 and earlier 4. PROOF-OF-CONCEPT/EXPLOIT http://www.exploit-db.com/exploits/18028/ 5. SOLUTION The vendor has released the patched version (http://download.zftpserver.com/zFTPServer_Suite_Setup.exe) 6. VENDOR Vastgota-Data 7. CREDIT This vulnerability was discovered by Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 8. DISCLOSURE TIME-LINE 2011-06-19: notified vendor through email 2011-10-17: vendor released fixed version, 2011-10-17 2011-10-25: vulnerability disclosed 9. REFERENCES Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/%5Bzftpserver_2011-04-13%5D_stat,cwd_dos zFTP Server Home Page: http://zftpserver.com #yehg [2011-10-25]
Powered by blists - more mailing lists