Summary
ProFTPD is prone to a security-bypass vulnerability because the application fails to properly validate the domain name in a signed CA certificate, allowing attackers to substitute malicious SSL certificates for trusted ones.
Successful exploits allows attackers to perform man-in-the- middle attacks or impersonate trusted servers, which will aid in further attacks.
Versions prior to ProFTPD 1.3.2b and 1.3.3 to 1.3.3.rc1 are vulnerable.
Solution
Updates are available. Please see the references for details.
References
Severity
Classification
-
CVE CVE-2009-3639 -
CVSS Base Score: 5.8
AV:N/AC:M/Au:N/C:N/I:P/A:P
Related Vulnerabilities
- Core FTP Server Directory Traversal Vulnerability
- Wing FTP Server Denial of Service Vulnerability and Information Disclosure Vulnerability
- KnFTP Server 'FEAT' Command Remote Denial of Service Vulnerability
- Core FTP Server 'Type' Command Remote Denial of Service Vulnerability
- War FTP Daemon Directory Traversal