GLSA-200501-18 : KDE FTP KIOslave: Command injection
Severity: High. Nessus Plugin ID 16409.
Synopsis: The remote Gentoo host is missing one or more security-related patches.
Description: The remote host is affected by the vulnerability described in GLSA-200501-18 (KDE FTP KIOslave: Command injection).
The FTP KIOslave fails to properly parse URL-encoded newline characters.
An attacker who can get a victim to open a crafted ftp:// URL can use this to inject arbitrary FTP commands into the control connection to the server. Because SMTP is likewise a line-oriented, CRLF-delimited protocol, the same flaw also lets an attacker point the KIOslave at an SMTP server and issue arbitrary commands there, for example to send an email.
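The mechanism behind the description above, as an added illustrative model (this is not kdelibs code; the real FTP KIOslave is C++, and the choice of the URL username as the injection point, the ftp.example.invalid host and the constructed URLs are assumptions made only for the example). The naive function percent-decodes the userinfo and interpolates it straight into USER/PASS, so a %0d%0a in the URL becomes a real line break and everything after it reaches the server as a separate command; the hardened function rejects any decoded component that still contains control characters, which also covers the SMTP case since an SMTP server parses the same CRLF-delimited lines.

```python
"""Illustrative model of the URL-encoded newline flaw in GLSA-200501-18.
Added example, not kdelibs source. Assumptions: the injection point is the
username part of an ftp:// URL, and the hosts/URLs below are constructed."""
from urllib.parse import urlsplit, unquote

CRLF = "\r\n"


def naive_login_commands(url: str) -> str:
    """Vulnerable shape: decode the userinfo and drop it straight into the
    control-channel login commands. A %0d%0a in the username becomes a real
    line break, so whatever follows it is sent as its own FTP command."""
    parts = urlsplit(url)
    user = unquote(parts.username or "anonymous")
    password = unquote(parts.password or "")
    return f"USER {user}{CRLF}PASS {password}{CRLF}"


def hardened_login_commands(url: str) -> str:
    """Hardened shape: after percent-decoding, refuse any component that
    contains CR, LF or another control byte, so one command line can never
    carry a second command."""
    parts = urlsplit(url)
    user = unquote(parts.username or "anonymous")
    password = unquote(parts.password or "")
    for field, value in (("username", user), ("password", password)):
        if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
            raise ValueError(f"control character in FTP {field}")
    return f"USER {user}{CRLF}PASS {password}{CRLF}"


def injected_commands(wire: str) -> list:
    """Split the bytes that would go on the wire into command lines, the way
    an FTP (or SMTP) server reads them; anything that is not the expected
    USER/PASS pair was injected by the URL."""
    lines = [line for line in wire.split(CRLF) if line]
    return [line for line in lines if not line.startswith(("USER ", "PASS "))]


# Constructed URLs (example data): the malicious one hides a CRLF plus a
# second command inside the username.
MALICIOUS_URL = "ftp://victim%0d%0aQUIT@ftp.example.invalid/pub/"
BENIGN_URL = "ftp://victim:secret@ftp.example.invalid/pub/"

if __name__ == "__main__":
    wire = naive_login_commands(MALICIOUS_URL)
    print("naive client sends:", repr(wire))
    print("injected commands:", injected_commands(wire))
    try:
        hardened_login_commands(MALICIOUS_URL)
    except ValueError as exc:
        print("hardened client refuses:", exc)
    print("hardened client, benign URL:", repr(hardened_login_commands(BENIGN_URL)))
```

The check runs on the decoded value, not on the raw URL: rejecting a literal newline before percent-decoding would miss exactly the %0a form the advisory describes.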
There is no known workaround at this time.
Solution: All kdelibs users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdelibs