JVNDB-2014-000103

EmFTP may insecurely load executable files

Overview

EmFTP contains a flaw when loading files: an unintended executable file may be loaded when attempting to open a file without an extension. For example, if a text file named "example" (without an extension) and an executable "example.exe" are in the same directory, attempting to open the file "example" will result in the execution of "example.exe".
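
A defensive check for the condition described above, as an added example that is not part of the original advisory: it walks a directory tree and reports each extensionless file that has an executable with the same base name beside it. The function names, the sample tree and the extensions other than ".exe" are assumptions made for this example.

```python
import os
import tempfile

# Assumption: the advisory names only ".exe"; the other extensions are added
# here because Windows also treats them as directly runnable.
EXECUTABLE_EXTS = (".bat", ".cmd", ".com", ".exe")

# Constructed sample tree (not from the advisory), used by demo().
SAMPLE = ("docs/example", "docs/Example.EXE", "docs/notes", "docs/notes.txt", "src/README")


def find_shadowed_files(root):
    """Return sorted (extensionless_file, executable_sibling) path pairs under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        # Windows file names are case-insensitive, so match on lower-cased names.
        by_lower = {name.lower(): name for name in filenames}
        for name in filenames:
            if os.path.splitext(name)[1]:  # only extensionless files are affected
                continue
            for exe_ext in EXECUTABLE_EXTS:
                sibling = by_lower.get(name.lower() + exe_ext)
                if sibling:
                    findings.append((os.path.join(dirpath, name),
                                     os.path.join(dirpath, sibling)))
    return sorted(findings)


def demo(names=SAMPLE):
    """Create empty files for the given relative names in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in names:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        return [tuple(os.path.relpath(p, root).replace(os.sep, "/") for p in pair)
                for pair in find_shadowed_files(root)]


if __name__ == "__main__":
    for plain, exe in demo():
        print(f"{plain} would be shadowed by {exe}")
```

Any pair it reports is a file that should not be opened by name from within EmFTP.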

CVSS Severity

Base Metrics: 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


Emurasoft, Inc.
  • EmFTP Professional
  • EmFTP Standard

Impact

An attacker may execute arbitrary code with the privileges of the vulnerable application.

Solution

[Apply a workaround]
EmFTP development has ended. The developer recommends the following workaround.

When opening local files, do not use EmFTP. Use the Run command or Windows Explorer instead.

Vendor Information

Emurasoft, Inc.

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2014-3910

References

  1. JVN: JVN#50367052
  2. National Vulnerability Database (NVD): CVE-2014-3910

Revision History

[2014/09/04]
  Web page was published
[2014/09/09]
  References: Content was added