CVE-2011-1575
Published: May 23, 2011
Modified: Aug 6, 2024
Status: PUBLISHED
Description
The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
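The buffering problem the description refers to can be modelled in a few lines. The following is an added illustration, not Pure-FTPd's ftp_parser.c or its fix: a hypothetical `CommandReader` pulls a whole socket read into a buffer and hands out one CRLF-terminated command at a time, and the FTP upgrade command is modelled as `AUTH TLS` (the RFC 4217 form). The constructed sample input delivers a second cleartext command in the same read as the upgrade; without the flush, that command is executed after the server believes the session is encrypted.

```python
from typing import List

# Constructed sample input: two commands delivered in one TCP segment. The second
# one is sent in cleartext but, with a non-flushing parser, is only consumed after
# the server has switched the session to TLS.
CLEARTEXT_SEGMENT = b"AUTH TLS\r\nUSER injected\r\n"
# Constructed sample input: the first command the legitimate client sends over TLS.
ENCRYPTED_SEGMENT = b"USER alice\r\n"


class CommandReader:
    """Minimal CRLF command reader with an internal buffer (hypothetical model)."""

    def __init__(self, transport: bytes, flush_on_tls: bool) -> None:
        self.transport = transport      # bytes still unread on the current transport
        self.buf = b""                  # bytes already pulled off the socket
        self.flush_on_tls = flush_on_tls

    def readline(self) -> bytes:
        if b"\r\n" not in self.buf:
            self.buf += self.transport  # one read() may return more than one command
            self.transport = b""
        line, sep, rest = self.buf.partition(b"\r\n")
        if not sep:
            return b""                  # no complete command available
        self.buf = rest
        return line

    def start_tls(self, tls_transport: bytes) -> None:
        # Switch to the encrypted transport. The fix is the flush: whatever is
        # still buffered arrived in cleartext and must not be carried into the
        # TLS session, where it would be trusted as if it had come over TLS.
        if self.flush_on_tls:
            self.buf = b""
        self.transport = tls_transport


def run_session(cleartext: bytes, encrypted: bytes, flush_on_tls: bool) -> List[bytes]:
    """Return the commands the server executes while it believes TLS is active."""
    reader = CommandReader(cleartext, flush_on_tls)
    under_tls: List[bytes] = []
    tls_active = False
    while cmd := reader.readline():
        if tls_active:
            under_tls.append(cmd)
        elif cmd.upper() == b"AUTH TLS":
            reader.start_tls(encrypted)
            tls_active = True
    return under_tls
```

`run_session(CLEARTEXT_SEGMENT, ENCRYPTED_SEGMENT, False)` returns both commands, showing the injected one attributed to the TLS session, while the flushing variant returns only the command that actually travelled over TLS.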
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
- [oss-security] 20110411 Re: pure-ftpd STARTTLS command injection / new CVE? (mailing-list, x_refsource_MLIST)
- SUSE-SR:2011:009 (vendor-advisory, x_refsource_SUSE)
- https://bugzilla.redhat.com/show_bug.cgi?id=683221 (x_refsource_CONFIRM)
- [pure-ftpd] 20110308 Pure-FTPd 1.0.30 has been released (mailing-list, x_refsource_MLIST)
- 43988 (third-party-advisory, x_refsource_SECUNIA)
- 44548 (third-party-advisory, x_refsource_SECUNIA)
- [oss-security] 20110411 pure-ftpd STARTTLS command injection / new CVE? (mailing-list, x_refsource_MLIST)
- http://www.pureftpd.org/project/pure-ftpd/news (x_refsource_CONFIRM)
- https://bugzilla.novell.com/show_bug.cgi?id=686590 (x_refsource_CONFIRM)
- [pure-ftpd] 20110308 Re: Pure-FTPd 1.0.30 has been released (mailing-list, x_refsource_MLIST)