ID: CVE-2007-0428 BID-22131 BID-22152
Product: WzdFTPD is a ftp server designed to be modular and portable, work under linux/win32/freebsd/openbsd, and to be entirely configurable online using SITE commands. It supports SSL, IPv6, multithreading, external scripts, and it uses Unix-like permissions and ACLs, with virtual users and groups.
WzdFTPD project also supports bandwidth limitation (per user, per group, or globally), group administrators, and per command authorization.
Scope: Remote Denial of Service
Severity: Medium
Timeline:
- [2006-12-26] Vulnerability discovered
- [2007-01-08] Vendor contacted (without answer)
- [2007-01-19] Vulnerability published
- [2007-01-31] Patched
Platforms: Any
Author: Jose Miguel Esparza
Affected versions: WzdFTPD < 8.1
Description: This vulnerability it's due to a bad truncation of blocks and later ruling out of the characters carriage return (\r), line feed (\n) and horizontal tab (\t) after authentication, resulting in a null character that the function chtlb_lookup is not able to handle.
