Title: WarFTPd Multiple Macro Vulnerabilities
Severity: MODERATE
Description:
WarFTPd ships with various macros to assist in the setup of complex FTP sites.
These macros can be called remotely, and some of them can be used to compromise the server. Some macros disclose server and operating system information, and can be used to reveal the contents of files in error messages, including the WarFTP configuration files, which can include plaintext administrator passwords.
The extent of the vulnerability differs between versions of WarFTPd:
Version 1.67b2 and prior:
Authenticated users can gain access to restricted files.
Version 1.70:
Remote attackers can gain access to any file on the system, as well as run any system command with administrative privileges if an ODBC driver is installed. This can be done without being logged in to the FTP server.
Affected Products:
- Jgaa WarFTPd 1.67.0b2
- Jgaa WarFTPd 1.70.0b
References:
- Jgaa: Jgaa Support Site
- Jgaa: SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS
- Jgaa: WarFTP Homepage