Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
LFTP lftpget get1命令输入验证漏洞
Vulnerability Description
LFTP是软件开发者Alexander V. Lukyanov所研发的一款基于命令行的FTP/HTTP客户端,它提供命令补全、断点续传、多个后台任务执行等功能。 LFTP 4.0.6之前版本中lftpget的get1命令在决定下载的目标文件名之前不能准确验证服务器提供的文件名。远程服务器可以借助类似伪造文件名一样的Content-Disposition头创建或者覆盖任意的文件,并且可能导致主目录dotfile中而执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A