Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for lftp 2.6.9 and earlier allow remote HTTP servers to execute arbitrary code via long directory names that are processed by the ls or rels commands.

A buffer overflow exists in lftp which may be triggered when requesting a directory listing from a malicious server over HTTP.

Ulf Harnhammar discovered a buffer overflow in lftp, a set of sophisticated command-line FTP/HTTP client programs. An attacker could create a carefully crafted directory on a website so that the execution of an 'ls' or 'rels' command would lead to the execution of arbitrary code on the client machine.

The client is using a version of lftp less than 2.6.10.  This version is vulnerable to a remote buffer overflow from a malicious server.

A buffer overflow vulnerability was discovered by Ulf Harnhammar in the lftp FTP client when connecting to a web server using HTTP or HTTPS and using the 'ls' or 'rels' command on specially prepared directory. This vulnerability exists in lftp versions 2.3.0 through 2.6.9 and is corrected upstream in 2.6.10.

The updated packages are patched to protect against this problem.

Ulf Harnhammar found a remotely-triggerable buffer overflow in lftp.

An attacker could create a carefully crafted directory on a website such that, if a user connects to that directory using the lftp client and subsequently issues a 'ls' or 'rels' command, the attacker could execute arbitrary code on the users machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0963 to this issue.

Users of lftp are advised to upgrade to these erratum packages, which upgrade lftp to a version which is not vulnerable to this issue.

Red Hat would like to thank Ulf Harnhammar for discovering and alerting us to this issue. 

This update notification is being re-issued to correct the advisory ID and issue date. The update packages themselves are unchanged.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated lftp packages are now available that fix a buffer overflow security vulnerability.

lftp is a command-line file transfer program supporting FTP and HTTP protocols.

Ulf Harnhammar discovered a buffer overflow bug in versions of lftp up to and including 2.6.9. An attacker could create a carefully crafted directory on a website such that, if a user connects to that directory using the lftp client and subsequently issues a 'ls' or 'rels' command, the attacker could execute arbitrary code on the users machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0963 to this issue.

Users of lftp are advised to upgrade to these erratum packages, which contain a backported security patch and are not vulnerable to this issue.

Red Hat would like to thank Ulf Harnhammar for discovering and alerting us to this issue.

ID	Name	Product	Family	Severity
37677	FreeBSD : lftp HTML parsing vulnerability (d7af61c8-2cc0-11d8-9355-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	high
15243	Debian DSA-406-1 : lftp - buffer overflow	Nessus	Debian Local Security Checks	high
1136	lftp HTTP Directory Name Handling Remote Overflow	Nessus Network Monitor	Web Clients	high
14098	Mandrake Linux Security Advisory : lftp (MDKSA-2003:116)	Nessus	Mandriva Local Security Checks	high
13667	Fedora Core 1 : lftp (2003-034)	Nessus	Fedora Local Security Checks	high
12441	RHEL 2.1 / 3 : lftp (RHSA-2003:404)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2003-0963

critical

Tenable Plugins

high

high

high

high

high

high