Vulnerability Description
Directory traversal vulnerability in the FTP client in Total Commander before 7.02 allows remote FTP servers to create or overwrite arbitrary files via "..\" (dot dot backslash) sequences in a filename. NOTE: the "..\" are not displayed when the user lists files. NOTE: this can be leveraged for code execution by writing to a Startup folder.
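As an added example (not Total Commander's code or anything from the advisory), the check an FTP client can apply to filenames received from a remote server before saving them: the unchecked join this CVE describes beside a hardened one that rejects path components and verifies the result stays inside the download directory. The directory and listing values are constructed, and the function names are hypothetical.

```python
import ntpath  # Windows path semantics, so the example runs on any platform

def is_safe_remote_name(name: str) -> bool:
    """Accept only a bare file name: no separators, no drive letter, no NUL,
    no dot-only components. Both "\\" and "/" are rejected because the client
    runs on Windows, where either one acts as a separator."""
    if not name or name in (".", ".."):
        return False
    return not any(ch in name for ch in "\\/:\x00")

def unsafe_join(download_dir: str, remote_name: str) -> str:
    """The behaviour this CVE describes: the name from the server listing is
    joined to the local directory unchecked, so "..\\" walks out of it."""
    return ntpath.normpath(ntpath.join(download_dir, remote_name))

def safe_local_path(download_dir: str, remote_name: str) -> str:
    """Hardened join: validate the name, then confirm the normalised result
    still lies inside download_dir (defence in depth against the first check
    being bypassed)."""
    if not is_safe_remote_name(remote_name):
        raise ValueError(f"rejected remote filename: {remote_name!r}")
    base = ntpath.normpath(download_dir)
    target = ntpath.normpath(ntpath.join(base, remote_name))
    if ntpath.commonpath([base, target]) != base:
        raise ValueError(f"path escapes download directory: {target!r}")
    return target

def screen_listing(names):
    """Split a remote directory listing into names safe to save and names
    worth logging: a listing viewer that hides "..\\" would show these as
    ordinary files, so the client must check them, not the user."""
    accepted = [n for n in names if is_safe_remote_name(n)]
    rejected = [n for n in names if not is_safe_remote_name(n)]
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample listing, as a hostile server might return it.
    listing = ["report.txt", "..\\..\\..\\evil.exe", "notes/../x.txt"]
    good, bad = screen_listing(listing)
    print("accepted:", good)
    print("rejected:", bad)
    print("unchecked join would have written to:",
          unsafe_join("C:\\Users\\alice\\Downloads", bad[0]))
```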
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ghisler | Total Commander | <= 7.01 |
Related Weaknesses (CWE)
References
- http://blog.hispasec.com/lab/advisories/adv_TotalCommander_7_01_Remote_Traversal
- http://osvdb.org/39838
- http://secunia.com/advisories/26734 (Vendor Advisory)
- http://securityreason.com/securityalert/3106
- http://www.ghisler.com/whatsnew.htm (Patch)
- http://www.securityfocus.com/archive/1/478720/100/0/threaded
- http://www.securityfocus.com/bid/25581 (Exploit)
- http://www.securitytracker.com/id?1018662
- http://www.vupen.com/english/advisories/2007/3102
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36486
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36487
FAQ
What is CVE-2007-4756?
CVE-2007-4756 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Directory traversal vulnerability in the FTP client in Total Commander before 7.02 allows remote FTP servers to create or overwrite arbitrary files via "..\" (dot dot backslash) sequences in a filenam...
How severe is CVE-2007-4756?
CVE-2007-4756 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-4756?
Check the references section above for vendor advisories and patch information. Affected products include: Ghisler Total Commander.