mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" that could overwrite executable files.

oval:org.mitre.oval:def:10806

Family: unix
Status: ACCEPTED
Platform(s):
  • Red Hat Enterprise Linux 5
  • CentOS Linux 5
  • Oracle Linux 5
Class: vulnerability
Reference(s):
  • CVE-2007-2348
Product(s):