FileZilla Client < 3.7.2 SFTP Integer Overflow
Medium Nessus Plugin ID 69476
SynopsisThe remote Windows host has an application that is affected by a remote integer overflow vulnerability.
DescriptionThe version of FileZilla Client on the remote host is a version prior to 3.7.2. As such, it is affected by an integer overflow vulnerability that exists in the 'getstring()' function from PuTTY used to handle SFTP. This can lead to a heap overflow during the SSH handshake prior to authentication, due to improper bounds checking of the length parameter received from the SFTP server. An attacker could exploit this issue by tricking a user into connecting to a specially crafted SFTP server. This could lead to a denial of service, and potentially code execution.
SolutionUpgrade to FileZilla Client 3.7.2 or later.