It was discovered that LFTP incorrectly filtered filenames suggested by Content-Disposition headers. If a user or automated system were tricked into downloading a file from a malicious site, a remote attacker could create the file with an arbitrary name, such as a dotfile, and possibly run arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

CVE-2010-2251 lftp: multiple HTTP client download filename vulnerability

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been found and corrected in lftp :

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory (CVE-2010-2251).

Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90

Additionally on 2008.0 lftp has been upgraded to 3.7.4.

The updated packages have been patched to correct this issue.

An updated lftp package that fixes one security issue is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

LFTP is a sophisticated file transfer program for the FTP and HTTP protocols. Like Bash, it has job control and uses the Readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind.

It was discovered that lftp trusted the file name provided in the Content-Disposition HTTP header. A malicious HTTP server could use this flaw to write or overwrite files in the current working directory of a victim running lftp, by sending a different file from what the victim requested. (CVE-2010-2251)

To correct this flaw, the following changes were made to lftp: the 'xfer:clobber' option now defaults to 'no', causing lftp to not overwrite existing files, and a new option, 'xfer:auto-rename', which defaults to 'no', has been introduced to control whether lftp should use server-suggested file names. Refer to the 'Settings' section of the lftp(1) manual page for additional details on changing lftp settings.

All lftp users should upgrade to this updated package, which contains a backported patch to correct this issue.

This update of lftp improves the filename handling of downloaded files to avoid downloading arbitrary content to unexpected locations (like .login). (CVE-2010-2251)

It was discovered that in lftp, a command-line HTTP/FTP client, there is no proper validation of the filename provided by the server through the Content-Disposition header; attackers can use this flaw by suggesting a filename they wish to overwrite on the client machine, and then possibly execute arbitrary code (for instance if the attacker elects to write a dotfile in a home directory).

LFTP is a sophisticated file transfer program for the FTP and HTTP protocols. Like Bash, it has job control and uses the Readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind.

It was discovered that lftp trusted the file name provided in the Content-Disposition HTTP header. A malicious HTTP server could use this flaw to write or overwrite files in the current working directory of a victim running lftp, by sending a different file from what the victim requested. (CVE-2010-2251)

To correct this flaw, the following changes were made to lftp: the 'xfer:clobber' option now defaults to 'no', causing lftp to not overwrite existing files, and a new option, 'xfer:auto-rename', which defaults to 'no', has been introduced to control whether lftp should use server-suggested file names. Refer to the 'Settings' section of the lftp(1) manual page for additional details on changing lftp settings.

All lftp users should upgrade to this updated package, which contains a backported patch to correct this issue.

From Red Hat Security Advisory 2010:0585 :

An updated lftp package that fixes one security issue is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

LFTP is a sophisticated file transfer program for the FTP and HTTP protocols. Like Bash, it has job control and uses the Readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind.

It was discovered that lftp trusted the file name provided in the Content-Disposition HTTP header. A malicious HTTP server could use this flaw to write or overwrite files in the current working directory of a victim running lftp, by sending a different file from what the victim requested. (CVE-2010-2251)

To correct this flaw, the following changes were made to lftp: the 'xfer:clobber' option now defaults to 'no', causing lftp to not overwrite existing files, and a new option, 'xfer:auto-rename', which defaults to 'no', has been introduced to control whether lftp should use server-suggested file names. Refer to the 'Settings' section of the lftp(1) manual page for additional details on changing lftp settings.

All lftp users should upgrade to this updated package, which contains a backported patch to correct this issue.

The remote host is affected by the vulnerability described in GLSA-201412-08 (Multiple packages, Multiple vulnerabilities fixed in 2010)

    Vulnerabilities have been discovered in the packages listed below.
      Please review the CVE identifiers in the Reference section for details.
      Insight       Perl Tk Module       Source-Navigator       Tk       Partimage       Mlmmj       acl       Xinit       gzip       ncompress       liblzw       splashutils       GNU M4       KDE Display Manager       GTK+       KGet       dvipng       Beanstalk       Policy Mount       pam_krb5       GNU gv       LFTP       Uzbl       Slim       Bitdefender Console       iputils       DVBStreamer   Impact :

    A context-dependent attacker may be able to gain escalated privileges,       execute arbitrary code, cause Denial of Service, obtain sensitive       information, or otherwise bypass security restrictions.
  Workaround :

    There are no known workarounds at this time.

ID	Name	Product	Family	Published	Updated	Severity
49141	Ubuntu 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : lftp vulnerability (USN-984-1)	Nessus	Ubuntu Local Security Checks	9/8/2010	9/19/2019	high
49108	FreeBSD : lftp -- multiple HTTP client download filename vulnerability (29b7e3f4-b6a9-11df-ae63-f255a795cb21)	Nessus	FreeBSD Local Security Checks	9/4/2010	1/6/2021	high
47566	Fedora 12 : lftp-4.0.8-1.fc12 (2010-9819)	Nessus	Fedora Local Security Checks	7/1/2010	1/11/2021	high
48190	Mandriva Linux Security Advisory : lftp (MDVSA-2010:128)	Nessus	Mandriva Local Security Checks	7/30/2010	1/6/2021	high
48232	RHEL 5 : lftp (RHSA-2010:0585)	Nessus	Red Hat Local Security Checks	8/3/2010	1/14/2021	high
47121	openSUSE Security Update : lftp (openSUSE-SU-2010:0334-1)	Nessus	SuSE Local Security Checks	6/23/2010	1/14/2021	high
48219	CentOS 5 : lftp (CESA-2010:0585)	Nessus	CentOS Local Security Checks	8/3/2010	1/4/2021	high
48247	Debian DSA-2085-1 : lftp - missing input validation	Nessus	Debian Local Security Checks	8/5/2010	1/4/2021	high
60827	Scientific Linux Security Update : lftp for SL 5	Nessus	Scientific Linux Local Security Checks	8/1/2012	1/14/2021	high
68077	Oracle Linux 5 : lftp (ELSA-2010-0585)	Nessus	Oracle Linux Local Security Checks	7/12/2013	1/14/2021	high
47120	openSUSE Security Update : lftp (openSUSE-SU-2010:0334-1)	Nessus	SuSE Local Security Checks	6/23/2010	1/14/2021	high
47122	openSUSE Security Update : lftp (openSUSE-SU-2010:0334-1)	Nessus	SuSE Local Security Checks	6/23/2010	1/14/2021	high
79961	GLSA-201412-08 : Multiple packages, Multiple vulnerabilities fixed in 2010	Nessus	Gentoo Local Security Checks	12/15/2014	1/6/2021	critical

Detections

Analytics

Plugins Search

high

high

high

high

high

high

high

high

high

high

high

high

critical