Vulnerability Development mailing list archives

Reflection FTP 7.01 buffer overflow


From: Michel Arboi <arboi () YAHOO COM>
Date: Tue, 13 Feb 2001 11:57:29 -0800

In November 2000, we discovered that Reflection FTP 7.01 server is
vulnerable to a buffer overflow on the password.
The server checks the length of the username, but entering a password
that is too long makes it crash.
We did not check if this is just a DoS or can be exploited.

We e-mailed WRQ Support who answered that the problem was unknown but
unfortunately the product was discontinued, so there will be no patch.
Information is available at
http://support.wrq.com/lifecycle/product_reclass.html
They also mentioned that this product was provided as a personal
convenience and should not be used in a production environment.

That is a pity, as it had some interesting features (e.g. restricting
the source address)
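
The post describes a length check applied to the USER argument but not to the PASS argument. As an added illustration (not Reflection FTP's code, which is not shown here; the 64-byte limit, struct layout and function names are assumptions), a login handler that routes both arguments through the same bounded copy and rejects over-long input with a 501 reply:

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARG 64  /* assumed field size; the post gives no sizes */

struct session { char user[MAX_ARG + 1]; char pass[MAX_ARG + 1]; };

/* Copy one command argument into a fixed field.
 * Over-long or empty input is rejected, never truncated or copied. */
static int store_arg(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strcspn(arg, "\r\n");   /* argument ends at CR/LF or NUL */
    if (n == 0 || n >= dstsz)
        return -1;
    memcpy(dst, arg, n);
    dst[n] = '\0';
    return 0;
}

/* Handle one control-channel line and return the FTP reply code.
 * USER and PASS share store_arg(), so neither can skip the check.
 * Simplified: upper-case commands only. */
int handle_line(struct session *s, const char *line)
{
    if (strncmp(line, "USER ", 5) == 0)
        return store_arg(s->user, sizeof s->user, line + 5) ? 501 : 331;
    if (strncmp(line, "PASS ", 5) == 0) {
        if (s->user[0] == '\0')
            return 503;                /* PASS before USER */
        if (store_arg(s->pass, sizeof s->pass, line + 5))
            return 501;                /* argument too long or empty */
        return 230;                    /* credential check omitted here */
    }
    return 500;                        /* unknown command */
}

int main(void)
{
    struct session s = {0};
    char longpass[600] = "PASS ";      /* constructed test input */
    memset(longpass + 5, 'A', 500);    /* rest of the array stays NUL */
    printf("%d\n", handle_line(&s, "USER alice\r\n"));
    printf("%d\n", handle_line(&s, longpass));
    return 0;
}
```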



