SurgeFTP Server LEAK FTP denial of service
| surgeftp-leak-ftp-dos (20011) |  Medium Risk |
Description:
NetWin's SurgeFTP Server is vulnerable to a denial of service attack. This is caused by improper handling in the non-standard LEAK FTP command that was probably initially provided for use in debugging. A remote attacker could exploit this vulnerability by running the system out of file handles to cause a denial of service.
Consequences:
Denial of Service
Remedy:
Upgrade to the latest version of NetWin SurgeFTP Server (2.2m2 or later), available from the SurgeFTP Web site. See References.
References:
- SIG^2 Vulnerability Research Advisory: SurgeFTP LEAK Command Denial-Of-Service Vulnerability .
- SurgeFTP- Unix/Windows Ftp Server Software: SurgeFTP Brilliant, standards compliant, FTP server.
- BID-13054: SurgeFTP LEAK Command Denial of Service Vulnerability
- CVE-2005-1034: SurgeFTP 2.2m1 allows remote attackers to cause a denial of service (application hang) via the LEAK command.
- SA14888: SurgeFTP "LEAK" Command Denial of Service Vulnerability
- SECTRACK ID: 1013664: SurgeFTP LEAK Command Lets Remote Users Deny Service
Platforms Affected:
- NetWin SurgeFTP Server 2.2k3
- NetWin SurgeFTP Server 2.2m1
Reported:
Apr 08, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net