Safety vulnerability ID: 26036
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Pyftpdlib before 0.3.0 has a path traversal vulnerability in case of symbolic links escaping the user's home directory.
Latest version: 2.0.1
Very fast asynchronous FTP server library
**Enhancements**
- 42: implemented FEAT command (RFC-2389).
- 48: real permissions, owner, and group for files on UNIX platforms are now
provided when processing LIST command.
- 51: added the new demo/throttled_ftpd.py script.
- 52: implemented MLST and MLSD commands (RFC-3659).
- 58: implemented OPTS command (RFC-2389).
- 59: iterators are now used for calculating requests that take a long time to
complete (LIST and MLSD commands), drastically increasing the daemon's
scalability when dealing with many connected clients.
- 61: extended the set of assignable user permissions.
**Bug fixes**
- 41: an unhandled exception occurred on QUIT if the user was not yet
authenticated.
- 43: hidden the server identifier returned in STAT response.
- 44: a wrong response code was given on PORT in case of a failed connection
attempt.
- 45: a wrong response code was given on HELP if the provided argument wasn't
recognized as a valid command.
- 46: a wrong response code was given on PASV in case of an unauthorized FXP
connection attempt.
- 47: can't use FTPServer.max_cons option on Python 2.3.
- 49: a "550 No such file or directory" was returned when LISTing a directory
containing a broken symbolic link.
- 50: DTPHandler class did not respect what was specified in the ac_out_buffer_size
attribute.
- 53: received strings having trailing white spaces were erroneously stripped.
- 54: LIST/NLST/STAT outputs are now sorted by file name.
- 55: path traversal vulnerability in case of symbolic links escaping the user's
home directory.
- 56: can't rename broken symbolic links.
- 57: invoking LIST/NLST over a symbolic link which points to a directory
shouldn't list its content.
- 60: an unhandled IndexError exception was raised in case of certain
badly formatted PORT requests.
**API changes since 0.2.0**
- New IteratorProducer and BufferedIteratorProducer classes have been added.
- DummyAuthorizer class changes:
  - The permissions management has been changed and the set of available
    permissions has been extended (see Issue 61). add_user() method
    now accepts "eladfm" permissions beyond the old "r" and "w".
  - r_perm() and w_perm() methods have been removed.
  - New has_perm() and get_perms() methods have been added.
- AbstractedFS class changes:
  - normalize() method has been renamed to ftpnorm().
  - translate() method has been renamed to ftp2fs().
  - New methods: fs2ftp(), stat(), lstat(), islink(), realpath(), lexists(),
    validpath().
  - get_list_dir(), get_stat_dir() and format_list() methods now return an
    iterator object instead of a string.
  - format_list() method has a new "ignore_err" keyword argument.
- The global debug() function has been removed.
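As an added illustration of the fix behind entry 55 and of the purpose of the new AbstractedFS realpath()/validpath() methods, the example below contrasts a lexical containment check (which a symlink defeats) with one that resolves symlinks before comparing against the home directory. This is example code written for this page, not pyftpdlib's own implementation; the names validpath, naive_validpath and build_demo and the on-disk fixture are constructed assumptions.

```python
import os
import tempfile


def validpath(home: str, path: str) -> bool:
    """True if `path`, after resolving every symlink, still lies inside
    `home`. Same intent as the 0.3.0 validpath() check (independent code)."""
    home_real = os.path.realpath(home)
    target_real = os.path.realpath(path)
    # commonpath() raises ValueError for paths on different drives (Windows);
    # treat that as "outside the home directory".
    try:
        return os.path.commonpath([home_real, target_real]) == home_real
    except ValueError:
        return False


def naive_validpath(home: str, path: str) -> bool:
    """Pre-0.3.0 style check: compares only the lexical path, so a symlink
    inside home whose target is outside home is accepted."""
    home_abs = os.path.abspath(home)
    path_abs = os.path.normpath(os.path.abspath(path))
    return path_abs == home_abs or path_abs.startswith(home_abs + os.sep)


def build_demo() -> dict:
    """Constructed fixture: a home directory holding a regular file and a
    symlink that points at a sibling 'secret' directory outside home.
    Returns the verdict of both checks for each probed path."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "alice")
    secret = os.path.join(root, "secret")
    os.makedirs(home)
    os.makedirs(secret)
    with open(os.path.join(home, "notes.txt"), "w") as f:
        f.write("inside home")
    with open(os.path.join(secret, "passwd"), "w") as f:
        f.write("outside home")
    link = os.path.join(home, "escape")
    os.symlink(secret, link)  # home/escape -> ../../secret
    return {
        "regular_naive": naive_validpath(home, os.path.join(home, "notes.txt")),
        "regular_strict": validpath(home, os.path.join(home, "notes.txt")),
        "link_naive": naive_validpath(home, os.path.join(link, "passwd")),
        "link_strict": validpath(home, os.path.join(link, "passwd")),
        "dotdot_strict": validpath(home, os.path.join(home, "..", "..", "secret")),
    }
```

Only the realpath-based check rejects the path reached through the symlink; both checks agree on the regular file.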