Details of VAR-200911-0244

ID

VAR-200911-0244

CVE

CVE-2009-4051

TITLE

Home FTP Server SITE INDEX Command Denial of Service Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2009-5696 // CNNVD: CNNVD-200911-234

DESCRIPTION

Home FTP Server 1.10.1.139 allows remote attackers to cause a denial of service (daemon outage) via multiple invalid SITE INDEX commands. Home Ftp Server is an easy to use FTP server. After the user logs in to the Home FTP Server, performing the following steps will cause the server to stop responding: 1.sock.connect((hostname, 21))2.sock.send(\"user %s\" %username)3.sock.send (\"pass %s\" %passwd)4.for i in range(1,20): sock.send(\"SITE INDEX \"+ \"a\"*30*i +\"\")5.sock.close(). Home FTP Server is prone to a remote denial-of-service vulnerability because it fails to handle user-supplied input. Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. The vulnerability is confirmed in version 1.10.1.139. Other versions may also be affected. SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: zhangmc ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.52

sources: NVD: CVE-2009-4051 // JVNDB: JVNDB-2009-003908 // CNVD: CNVD-2009-5696 // BID: 37033 // PACKETSTORM: 82705

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2009-5696

AFFECTED PRODUCTS

vendor:	downstairs dnsalias	model:	home ftp server	scope:	eq	version:	1.10.1.139	Trust: 2.4
vendor:	no	model:	-	scope:	-	version:	-	Trust: 0.6
vendor:	home	model:	ftp server home ftp server	scope:	eq	version:	1.10.3	Trust: 0.3
vendor:	home	model:	ftp server home ftp server	scope:	eq	version:	1.10.1.139	Trust: 0.3
vendor:	home	model:	ftp server home ftp server	scope:	eq	version:	1.10.138	Trust: 0.3
vendor:	home	model:	ftp server home ftp server b45	scope:	eq	version:	1.0.7	Trust: 0.3
vendor:	home	model:	ftp server home ftp server build	scope:	eq	version:	1.4.584	Trust: 0.3
vendor:	home	model:	ftp server home ftp server	scope:	eq	version:	1.3.4.93	Trust: 0.3

sources: CNVD: CNVD-2009-5696 // BID: 37033 // JVNDB: JVNDB-2009-003908 // CNNVD: CNNVD-200911-234 // NVD: CVE-2009-4051

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2009-4051
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2009-4051
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2009-5696
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-200911-234
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2009-4051
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2009-5696
severity:	HIGH
baseScore:	7.1
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2009-5696 // JVNDB: JVNDB-2009-003908 // CNNVD: CNNVD-200911-234 // NVD: CVE-2009-4051

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2009-003908 // NVD: CVE-2009-4051

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200911-234

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-200911-234

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-003908

PATCH

title:

Top Page

url:

http://downstairs.dnsalias.net/homeftpserver.html

Trust: 0.8

sources: JVNDB: JVNDB-2009-003908

EXTERNAL IDS

db:	BID	id:	37033	Trust: 2.5
db:	NVD	id:	CVE-2009-4051	Trust: 2.4
db:	SECUNIA	id:	37381	Trust: 1.7
db:	VUPEN	id:	ADV-2009-3269	Trust: 1.6
db:	JVNDB	id:	JVNDB-2009-003908	Trust: 0.8
db:	CNVD	id:	CNVD-2009-5696	Trust: 0.6
db:	BUGTRAQ	id:	20091116 HOME FTP SERVER 'SITE INDEX' COMMAND REMOTE DENIAL OF SERVICE VULNERABILITY	Trust: 0.6
db:	CNNVD	id:	CNNVD-200911-234	Trust: 0.6
db:	PACKETSTORM	id:	82705	Trust: 0.1

sources: CNVD: CNVD-2009-5696 // BID: 37033 // JVNDB: JVNDB-2009-003908 // PACKETSTORM: 82705 // CNNVD: CNNVD-200911-234 // NVD: CVE-2009-4051

REFERENCES

url:	http://www.vupen.com/english/advisories/2009/3269	Trust: 1.6
url:	http://www.securityfocus.com/bid/37033	Trust: 1.6
url:	http://secunia.com/advisories/37381	Trust: 1.6
url:	http://www.securityfocus.com/archive/1/507893/100/0/threaded	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-4051	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-4051	Trust: 0.8
url:	http://marc.info/?l=bugtraq&m=125838711621042&w=2	Trust: 0.6
url:	http://www.securityfocus.com/archive/1/archive/1/507893/100/0/threaded	Trust: 0.6
url:	http://downstairs.dnsalias.net/homeftpserver.html	Trust: 0.3
url:	/archive/1/507893	Trust: 0.3
url:	http://secunia.com/advisories/37381/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/advisories/business_solutions/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1

sources: CNVD: CNVD-2009-5696 // BID: 37033 // JVNDB: JVNDB-2009-003908 // PACKETSTORM: 82705 // CNNVD: CNNVD-200911-234 // NVD: CVE-2009-4051

CREDITS

zhangmc※ zhangmc@mail.ustc.edu.cn

Trust: 0.6

sources: CNNVD: CNNVD-200911-234

SOURCES

db:	CNVD	id:	CNVD-2009-5696
db:	BID	id:	37033
db:	JVNDB	id:	JVNDB-2009-003908
db:	PACKETSTORM	id:	82705
db:	CNNVD	id:	CNNVD-200911-234
db:	NVD	id:	CVE-2009-4051

LAST UPDATE DATE

2025-04-10T23:03:00.785000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2009-5696	date:	2014-01-27T00:00:00
db:	BID	id:	37033	date:	2010-05-28T17:51:00
db:	JVNDB	id:	JVNDB-2009-003908	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200911-234	date:	2009-11-23T00:00:00
db:	NVD	id:	CVE-2009-4051	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2009-5696	date:	2009-11-16T00:00:00
db:	BID	id:	37033	date:	2009-11-16T00:00:00
db:	JVNDB	id:	JVNDB-2009-003908	date:	2012-06-26T00:00:00
db:	PACKETSTORM	id:	82705	date:	2009-11-17T16:47:40
db:	CNNVD	id:	CNNVD-200911-234	date:	2009-11-23T00:00:00
db:	NVD	id:	CVE-2009-4051	date:	2009-11-23T17:30:00.717