CAN-2001-0065
A remote attacker could execute arbitrary code by sending
a very long argument with the SITE CHOWN command.
A valid user account is required to exploit this vulnerability,
but this could be the anonymous account if anonymous access is
allowed. Any version of bftpd with SITE commands enabled is
affected by this vulnerability; SITE commands are enabled by
default only in versions 1.0.13 and earlier.
The fix is to set ENABLE_SITE to no in /etc/bftpd.conf, which disables all SITE commands, CHOWN included.
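The workaround as it appears in the configuration file, shown here as an added illustration rather than text from the advisory. The global block and the KEY="value" quoting follow the layout of the stock bftpd.conf; no other options are shown.

```text
global {
  # Weak: SITE commands (SITE CHOWN among them) are processed for every
  # logged-in user, the anonymous account included.
  #ENABLE_SITE="yes"

  # Corrected: refuse every SITE command before its argument is parsed.
  ENABLE_SITE="no"
}
```

Because the advisory says any version with SITE commands enabled is affected, check the running configuration rather than the version number: after the change, log in and issue a SITE command; the server should answer with a 5xx refusal instead of acting on the argument.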
A format string vulnerability could allow an attacker to crash the server by listing a directory that contains a file with a very long filename. To exploit it, an attacker needs write access to a directory on the server, either anonymously or as an authenticated user, in order to create the file with the long filename.
bftpd 1.0.12 and prior versions are affected by this vulnerability. The fix is to upgrade to the latest version.
A remote attacker could crash the FTP server by sending a very long argument to the USER command. Turning this crash into command execution is unlikely, however, because bftpd strips non-printable characters out of arguments before they are processed, which mangles conventional shellcode.
bftpd 1.0.11 and possibly prior versions are affected by this vulnerability. The fix is to upgrade to the latest version.
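The three defects above (the unbounded copy behind the SITE CHOWN and USER overflows, the file name reaching a format string in directory listings, and the printable-only argument filter credited with blunting the USER crash) share a handful of C patterns. The following is an added illustration, not bftpd's own code: buffer sizes, function names and the reply codes returned are this example's own choices; only the defect classes and the hardened forms come from the advisory.

```c
/* Added illustration, not bftpd's source. Shows the three defect classes
 * from the advisory next to their hardened handling. ARG_MAX, the function
 * names and the reply codes are hypothetical. */
#include <stdio.h>
#include <string.h>

#define ARG_MAX 256   /* hypothetical limit on one command argument */

/* 1. SITE CHOWN / USER pattern: a fixed buffer filled by an unchecked copy.
 *    copy_arg() checks the length first and refuses input that does not
 *    fit rather than overflowing or silently truncating.
 *    Returns 0 on success, -1 if src is too long for dst. */
int copy_arg(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);   /* includes the terminating NUL */
    return 0;
}

/* 2. Directory listing: the file name is DATA, never the format string.
 *    The vulnerable form is  snprintf(out, outlen, name);  which lets a
 *    file called "%n%n%n" drive the conversions. Passing the name through
 *    "%s" reproduces any '%' in it literally.
 *    Returns 0 on success, -1 if the line did not fit in out. */
int format_list_line(char *out, size_t outlen, const char *name)
{
    int r = snprintf(out, outlen,
                     "-rw-r--r-- 1 ftp ftp 0 Jan  1 00:00 %s\r\n", name);
    return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
}

/* 3. Printable-only filter of the kind the advisory credits with making the
 *    USER overflow hard to turn into code execution: every byte outside
 *    0x20..0x7e is dropped in place. Returns the number of bytes removed. */
size_t strip_nonprintable(char *s)
{
    size_t r, w = 0, removed = 0;
    for (r = 0; s[r] != '\0'; r++) {
        unsigned char c = (unsigned char)s[r];
        if (c >= 0x20 && c <= 0x7e)
            s[w++] = s[r];
        else
            removed++;
    }
    s[w] = '\0';
    return removed;
}

/* Putting it together for one "SITE CHOWN <owner> <path>" line. The
 * ENABLE_SITE check comes first, so a disabled SITE never parses the
 * argument at all. Returns an RFC 959 reply code: 500 when SITE is
 * disabled, 501 for a missing, oversized or malformed argument, 200 when
 * the request is well formed (the chown itself is outside this example). */
int handle_site_chown(const char *cmdline, int site_enabled)
{
    char arg[ARG_MAX];
    const char *prefix = "SITE CHOWN ";
    size_t plen = strlen(prefix);
    char *sp;

    if (!site_enabled)
        return 500;
    if (strncmp(cmdline, prefix, plen) != 0)
        return 501;
    if (copy_arg(arg, sizeof arg, cmdline + plen) != 0)
        return 501;               /* the long-argument case: rejected, never copied */
    strip_nonprintable(arg);
    sp = strchr(arg, ' ');
    if (sp == NULL || sp == arg || sp[1] == '\0')
        return 501;               /* need both "<owner>" and "<path>" */
    return 200;
}
```

The ordering in handle_site_chown is the point: the configuration check rejects the command before any argument is copied, and the length check rejects the argument before any parsing, so the oversized SITE CHOWN argument from the advisory never reaches a fixed-size buffer. The printable filter is applied after the bounded copy, not instead of it; filtering alone leaves the overflow in place, which is why the advisory still rates the USER bug as a crash.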
Additionally, you can read more about securing all information servers at this CIAC site.