CVE-2007-2348
Published 2007-04-27
CVE-2007-2348: mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands…
Priority P428 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 3.17% (86.4th percentile)
mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alexander_v_lukyanov | lftp | <= 3.5.8 | — |
| alexander_v_lukyanov | lftp | >= 0 < 3.5.9-1 | 3.5.9-1 |
| alexander_v_lukyanov | lftp | >= 0 < 3.5.9-1 | 3.5.9-1 |
| alexander_v_lukyanov | lftp | >= 0 < 3.5.9-1 | 3.5.9-1 |
| alexander_v_lukyanov | lftp | >= 0 < 3.5.9-1 | 3.5.9-1 |
| debian | lftp | < lftp 3.5.9-1 (bookworm) | lftp 3.5.9-1 (bookworm) |
CVSS provenance
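| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | LOW | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |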
Red Hat
lftp mirror --script does not escape names and targets of symbolic links
vendor_redhat·2007-01-09·CVSS 6.8
Statement: This issue does not affect lftp as supplied with Red Hat Enterprise Linux 3.
This issue was addressed for Red Hat Enterprise Linux 5 by https://rhn.redhat.com/errata/RHSA-2009-1278.html
The Red Hat Security Response Team has rated this issue as having low security impact; this issue will not be fixed in Red Hat Enterprise Linux 4.
Package: lftp (Red Hat Enterprise
Debian
CVE-2007-2348: lftp - mirror --script in lftp before 3.5.9 does not properly quote shell metacharacter...
vendor_debian·2007·CVSS 6.8
Scope: local
bookworm: resolved (fixed in 3.5.9-1)
bullseye: resolved (fixed in 3.5.9-1)
forky: resolved (fixed in 3.5.9-1)
sid: resolved (fixed in 3.5.9-1)
trixie: resolved (fixed in 3.5.9-1)
GHSA
GHSA-m4hr-2hrx-m38c: mirror --script in lftp before 3
ghsa_unreviewed·2022-05-01
OSV
CVE-2007-2348: mirror --script in lftp before 3
osv·2007-04-27·CVSS 6.8
No detection rules found.
No public exploits indexed.
Bugzilla
lftp affected by problems described in CVE-2007-2348
bugzilla·2007-05-07·CVSS 6.8
Description of problem:
According to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2348
versions of lftp used in RHEL 5 and earlier have issues with
quoting in scripts generated by 'mirror --script' and this may
cause privilege escalation and a remote command execution
(although possibility of such attack looks somewhat remote).
Looking at versions it appears that this lftp will be affected
by bug #211483 as well.
The same will apply to FC5; FC6 and rawhide currently sport
versions where this bug was fixed.
Version-Release number of selected component (if applicable):
lftp-3.5.1-2.fc6
Discussion:
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Produc
Bugzilla
CVE-2007-2348 lftp mirror --script does not escape names and targets of symbolic links
bugzilla·2007-04-12·CVSS 6.8
+++ This bug was initially created as a clone of Bug #236238 +++
Description of problem:
Does not escape names of symlinks when producing a script to be
passed to the shell, which could be abused by an attacker to
trick the user into executing arbitrary code with a crafted symbolic
link.
Version-Release number of selected component (if applicable):
Doesn't Affect: RHEL2.1 no support for --script
Doesn't Affect: RHEL3 ditto
Affects: RHEL4
Affects: RHEL5
Affects: FC5
Affects: FC6
Steps to Reproduce:
1. ln -s '$(touch /tmp/gotya; echo kwak)' malicious
2. serve that file via ftp and attempt to download it with lftp via mirror --script
3. Try to run the resulting script with lftp -f
Actual results:
The
Bugzilla
CVE-2007-2348 lftp mirror --script does not escape names and targets of symbolic links
bugzilla·2007-04-12·CVSS 6.8
Description of problem:
Does not escape names of symlinks when producing a script to be
passed to the shell, which could be abused by an attacker to
trick the user into executing arbitrary code with a crafted symbolic
link.
Version-Release number of selected component (if applicable):
Doesn't Affect: RHEL2.1 no support for --script
Doesn't Affect: RHEL3 ditto
Affects: RHEL4
Affects: RHEL5
Affects: FC5
Affects: FC6
Steps to Reproduce:
1. ln -s '$(touch /tmp/gotya; echo kwak)' malicious
2. serve that file via ftp and attempt to download it with lftp via mirror --script
3. Try to run the resulting script with lftp -f
Actual results:
The downloaded file will point to "kwak", while file /tmp/gotya will b
http://bugs.gentoo.org/show_bug.cgi?id=173524
http://lftp.yar.ru/news.html
http://rhn.redhat.com/errata/RHSA-2009-1278.html
http://secunia.com/advisories/25107
http://secunia.com/advisories/25132
http://secunia.com/advisories/36559
http://www.securityfocus.com/bid/23736
http://www.vupen.com/english/advisories/2007/1590
https://issues.rpath.com/browse/RPL-1229
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10806
Published: 2007-04-27