| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <42334C75.2020707@portsonline.net> From: ml at portsonline.net (ports) Subject: PlatinumFTP 1.0.18 remote DoS Gary H. Jones II wrote: > That software uses an FTP server ActiveX control made by Mabry Software. > Any ftp server that uses this activex control is vulnerable. > > The ActiveX control is the cause of these bugs, not the PlatinumFTP software > itself, when I took a look at the software, I noticed it was written in VB5, > finding a format string in a program written in VB would be a *very* rare > find, so I figured there would be a 3rd party control within the app that > was written in C++. > > I ran it through a debugger, passed a few %s's and watched it crash. The > title of the error message is "Mabry Socket Window: > PlatinumFTPserverEngine.exe - Application Error", this is what lead to the > discovery of the real issue. > > I downloaded the latest sample/demo of this ActiveX, and it is still > vulnerable when you run VBSampleOCX.exe. > Available here http://www.mabry.com/ftpserv/index.htm. Thanks for this useful informations! :) At least it was nice to make the 'PlatinumFTP 1.0.18 remote DoS' posting, although it's getting more and more useless ;) ports
Powered by blists - more mailing lists