FileZilla Options.cpp and QueueCtrl.cpp buffer overflow

filezilla-options-queuectrl-bo (31500) The risk level is classified as HighHigh Risk

Description:

FileZilla is vulnerable to multiple buffer overflows in the Options.cpp and QueueCtrl.cpp modules. A remote attacker could exploit these vulnerabilities using unspecified attack vectors to execute arbitrary code on the system or cause the affected application to crash.

Platforms Affected:

  • FileZilla, FileZilla 2.2.15
  • FileZilla, FileZilla 2.2.22
  • FileZilla, FileZilla 2.2.23
  • FileZilla, FileZilla 2.2.24
  • FileZilla, FileZilla 2.2.25
  • FileZilla, FileZilla 2.2.26
  • FileZilla, FileZilla 2.2.26a
  • FileZilla, FileZilla 2.2.27
  • FileZilla, FileZilla 2.2.28
  • FileZilla, FileZilla 2.2.29
  • FileZilla, FileZilla 2.2.30
  • FileZilla, FileZilla Server 0.9.20
  • FileZilla, FileZilla Server 0.9.21
  • FileZilla, FileZilla Server 0.9.22

Remedy:

Upgrade to the latest version of FileZilla (2.2.30a or later), available from the SourceForge.net Web site. See References.

Consequences:

Gain Access

References:

  • SourceForge.net: Files, FileZilla - File Release Notes and Changelog - Release Name: 2.2.30a at http://sourceforge.net/project/shownotes.php?group_id=21558&release_id=475423.
  • BID-22057: FileZilla Options And QueueCTRL Modules Multiple Unspecified Buffer Overflow Vulnerabilities
  • CVE-2007-0315: Multiple buffer overflows in FileZilla before 2.2.30a allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors related to (1) Options.cpp when storing settings in the registry, and (2) the transfer queue (QueueCtrl.cpp). NOTE: some of these details are obtained from third party information.
  • VUPEN/ADV-2007-0183: FileZilla Options and QueueCtrl Modules Multiple Client-Side Buffer Overflow Vulnerabilities

Reported:

Jan 02, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page