Hsftp contains a flaw that may allow a malicious user to execute arbitrary code on the client machine. The issue is triggered when the client user lists the contents of a directory which contains a maliciously crafted filename. It is possible that the flaw may allow execution of arbitrary code resulting in a loss of confidentiality and integrity.
Classification
Location:
Local Access Required,
Remote / Network Access
Attack Type:
Input Manipulation
Impact:
Loss of Confidentiality,
Loss of Integrity
Exploit:
Exploit Rumored
Solution
Currently, there are no known upgrades, patches, or workarounds available to correct this issue. Users of Hsftp 1.14 are counseled to connect only to trusted servers.
We currently have no CVSS2 data on this vulnerability. Feel free to suggest it.
Blogs
This product uses the Daylife API but is not endorsed or certified by Daylife.
This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.
