[Japanese]

JVNDB-2012-000011

ALFTP may insecurely load executable files

Overview

ALFTP may use unsafe methods for determining how to load executables.

ALFTP provided by ESTsoft Corp. is a FTP client software with the built in FTP server. ALFTP contains an issue when loading files.
For example, if an user tries to open README (a file without extention) which exists in the same directory where README.exe (a file with .exe extention) exists, README.exe is executed instead of README.

Fumihiko Sano reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


ESTsoft Corp.
  • ALFTP 5.30.0.1 and earlier

Impact

An attacker may execute arbitrary code with the privilege of the running application.
Solution

[Update the software]
Update to ALFTP 5.31 or later according to the information provided by the developer.
Vendor Information

ESTsoft Corp.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2012-0315
References

  1. JVN : JVN#85695061
  2. National Vulnerability Database (NVD) : CVE-2012-0315
Revision History

[2012/02/13]
  Web page was published