
WFTPD Pro Server 3.30.0.1 (pre auth) Multiple Remote Denial of Service Vulnerabilities

Low
Advisory ID
ZSL-2009-4904
Release Date
26 January 2009
Vendor
Texas Imperial Software - http://www.wftpd.com
Affected Version
3.30.0.1
CVE
N/A
Tested On
Microsoft Windows XP Professional SP2 (English)
Summary

Professional FTP server for Windows NT / 2000 / XP / 2003.

Description

WFTPD Pro Server 3.30.0.1 suffers from multiple remote vulnerabilities that result in denial of service. Several commands are vulnerable, including LIST, MLST, NLST, NLST -al and STAT, and possibly more.

This issue is reported to affect only servers that have the 'Enable Security' configuration option disabled.
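
A defender-side check for the condition described above, added here as an example and not part of the original advisory: it walks FTP control-channel records and reports the commands named in the advisory when a session sends them before a successful login. The record layout (session id, direction, line) is an assumption and not WFTPD's own log format, and every sample line is constructed.

```python
# Added example: flag the advisory's commands when seen before login.
# Record layout and sample lines are constructed, not WFTPD log output.
from collections import defaultdict

# Command verbs named in the advisory ("NLST -al" is NLST with an argument).
WATCHED = {"LIST", "MLST", "NLST", "STAT"}

SAMPLE = [  # constructed records: (session id, C=client / S=server, line)
    ("s1", "C", "USER alice"),
    ("s1", "S", "331 Password required"),
    ("s1", "C", "PASS ****"),
    ("s1", "S", "230 Logged in"),
    ("s1", "C", "NLST -al"),
    ("s2", "C", "stat"),
    ("s2", "C", "NLST -al"),
    ("s3", "C", "USER bob"),
    ("s3", "S", "530 Login incorrect"),
    ("s3", "C", "MLST /"),
]

def preauth_hits(records, watched=WATCHED):
    """Return {session: [lines]} for watched verbs sent before a 230 reply."""
    authed = set()
    hits = defaultdict(list)
    for session, direction, line in records:
        line = line.strip()
        if not line:
            continue
        if direction == "S":
            # 230 = user logged in (RFC 959); multi-line replies start "230-".
            if line[:3] == "230":
                authed.add(session)
            continue
        verb = line.split(None, 1)[0].upper()
        if verb == "REIN":
            # REIN resets the session to the not-logged-in state.
            authed.discard(session)
        elif verb in watched and session not in authed:
            hits[session].append(line)
    return dict(hits)

if __name__ == "__main__":
    for session, cmds in preauth_hits(SAMPLE).items():
        print(f"{session}: {len(cmds)} pre-auth command(s): {cmds}")
```
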

Proof of Concept
Disclosure Timeline
26.01.2009 - Vendor contacted.
27.01.2009 - Vendor responds and asks for more details.
27.01.2009 - Sent detailed description to vendor.
28.01.2009 - Vendor classifies the issue as a bug because of the Enable Security option being disabled.
28.01.2009 - Vendor scheduled a patch in the next upcoming release.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
26.01.2009 - Initial release