CVE-2010-2251
Published 2010-07-06
Priority P343 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 3.63% (88.1th percentile)
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
Affected
147 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alexander_v_lukyanov | lftp | <= 4.0.5 | — |
| alexander_v_lukyanov | lftp | — | — |
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 HIGH
vendor_debian · 7.5 LOW
vendor_redhat · 7.5 HIGH
GHSA
GHSA-96vc-4h75-gh5j: The get1 command, as used by lftpget, in LFTP before 4
ghsa_unreviewed·2022-05-14
CVE-2010-2251 [HIGH] CWE-20 GHSA-96vc-4h75-gh5j: The get1 command, as used by lftpget, in LFTP before 4
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
OSV
CVE-2010-2251: The get1 command, as used by lftpget, in LFTP before 4
osv·2010-07-06·CVSS 7.5
CVE-2010-2251 [HIGH] CVE-2010-2251: The get1 command, as used by lftpget, in LFTP before 4
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
Ubuntu
LFTP vulnerability
vendor_ubuntu·2010-09-07
CVE-2010-2251 LFTP vulnerability
Title: LFTP vulnerability
It was discovered that LFTP incorrectly filtered filenames suggested
by Content-Disposition headers. If a user or automated system were tricked
into downloading a file from a malicious site, a remote attacker could
create the file with an arbitrary name, such as a dotfile, and possibly run
arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
ATTENTION: This update changes previous behaviour by ignoring the filename
supplied by servers in Content-Disposition headers. To re-enable previous
behaviour, use the new xfer:auto-rename setting.
Red Hat
lftp: multiple HTTP client download filename vulnerability [OCERT 2010-001]
vendor_redhat·2010-05-17·CVSS 7.5
CVE-2010-2251 [HIGH] lftp: multiple HTTP client download filename vulnerability [OCERT 2010-001]
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
Statement: This issue did not affect the version of lftp as shipped with Red Hat Enterprise Linux 3 and 4 as they did not include support for renaming files to a server-suggested file name.
Package: lftp (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2010-2251: lftp - The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly val...
vendor_debian·2010·CVSS 7.5
CVE-2010-2251 [HIGH] CVE-2010-2251: lftp - The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly val...
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
Scope: local
bookworm: resolved (fixed in 4.0.6-1)
bullseye: resolved (fixed in 4.0.6-1)
forky: resolved (fixed in 4.0.6-1)
sid: resolved (fixed in 4.0.6-1)
trixie: resolved (fixed in 4.0.6-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2010-3842 mingw32-curl: Did not strip directory parts separated by backslashes, when downloading files
bugzilla·2010-10-13·CVSS 7.5
CVE-2010-3842 [HIGH] CVE-2010-3842 mingw32-curl: Did not strip directory parts separated by backslashes, when downloading files
cURL did not properly cut off directory parts from user provided
file name to be downloaded on operating systems, where backslashes
are used to separate directories and file names. This could allow
remote servers to create or overwrite files via a Content-Disposition
header that suggests a crafted filename, and possibly execute arbitrary
code as a consequence of writing to a certain file in a user's home
directory. Different vulnerability than CVE-2010-2251, CVE-2010-2252
and CVE-2010-2253.
Note: As already mentioned in [2]. This flaw only affected those
operating systems, where backslash is used to separate directories
and file names, thus Microsoft Windows, Novell Netware, MSDOS,
Bugzilla
CVE-2010-2251 lftp: multiple HTTP client download filename vulnerability [OCERT 2010-001] [fedora-all]
bugzilla·2010-06-10·CVSS 7.5
CVE-2010-2251 [HIGH] CVE-2010-2251 lftp: multiple HTTP client download filename vulnerability [OCERT 2010-001] [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=591580
Please note
Bugzilla
CVE-2010-2251 lftp: multiple HTTP client download filename vulnerability [OCERT 2010-001]
bugzilla·2010-05-12·CVSS 7.5
CVE-2010-2251 [HIGH] CVE-2010-2251 lftp: multiple HTTP client download filename vulnerability [OCERT 2010-001]
The draft advisory from oCERT follows:
The lftp, wget and lwp-download applications are ftp/http clients and file
transfer tools supporting various network protocols. The lwp-download
script is shipped along with the libwww-perl library.
Unsafe behaviours have been found in lftp and lwp-download handling the
Content-Disposition header in conjunction with the 'suggested filename'
functionality.
Additionally unsafe behaviours have been found in wget and lwp-download in
case of HTTP 3xx redirections during file downloading. The two applications
automatically use the URL's filename portion specified in the Location
header.
Implicitly trusting the suggested filenames results in a saved file that
differ
http://lftp.yar.ru/news.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043597.html
http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
http://marc.info/?l=oss-security&m=127411372529485&w=2
http://marc.info/?l=oss-security&m=127432968701342&w=2
http://marc.info/?l=oss-security&m=127611288927500&w=2
http://marc.info/?l=oss-security&m=127620248914170&w=2
http://secunia.com/advisories/40400
http://wiki.rpath.com/Advisories:rPSA-2010-0073
http://www.debian.org/security/2010/dsa-2085
http://www.ocert.org/advisories/ocert-2010-001.html
http://www.securityfocus.com/archive/1/514499/100/0/threaded
http://www.vupen.com/english/advisories/2010/1654
https://bugzilla.redhat.com/show_bug.cgi?id=591580
https://bugzilla.redhat.com/show_bug.cgi?id=602836
Published: 2010-07-06