This script is Copyright (C) 2010-2013 Tenable Network Security, Inc.
The remote FreeBSD host is missing a security-related update.
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not
properly validate a server-provided filename before determining the
destination filename of a download, which allows remote servers to
create or overwrite arbitrary files via a Content-Disposition header
that suggests a crafted filename, and possibly execute arbitrary code
as a consequence of writing to a dotfile in a home directory.
See also :
Update the affected package.
Risk factor :
High / CVSS Base Score : 7.5