Serious Warning:
CuteFTP Pro may compromise data security
Antiy Labs CERT
Release Date: 1 June 2004
Versions in which the bug exists:
It has been confirmed that the bug exists in the following versions of CuteFTP Pro:
CuteFTP Pro 2.01
CuteFTP Pro 3.0
CuteFTP Pro 3.3
CuteFTP Pro 6.04
Therefore the bug may exist in every release of the CuteFTP Pro series.
Versions in which the bug does not exist:
The CuteFTP (non-Pro) series
Affected OS:
Windows 98
Windows Me
Windows NT
Windows 2000
Windows XP
Windows 2003
Summary
CuteFTP Pro is a well-known FTP client produced by GlobalSCAPE. It is the upgraded edition of CuteFTP, with faster transfers and simpler operation. It supports resuming interrupted transfers, uploading and downloading whole directories, keeping the connection alive when idle, queued uploads and downloads, and overwriting and removing whole directories. CuteFTP Pro is very popular and has a large user base.
Antiy Labs CERT has found a serious bug in CuteFTP Pro that, under certain conditions, can cause a large number of files to be deleted.
Through code analysis, Antiy Labs CERT has confirmed that the bug is a logic error in the program's design.
Situation Analysis
CuteFTP Pro lets the user change the destination path of a queued download. After the user edits the path, the program does not validate the input, and this can result in files and directories being deleted.
Situation:
While CuteFTP Pro is downloading files, if the user pauses the transfer and changes the directory in which the file is to be stored, the following happens:
If the directory exists, it is deleted and the downloaded file is given the directory's name; if the directory does not exist, all files and directories in the path are deleted.
The coding error is located in Ftpte.exe.
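The following is an added illustration, not code from CuteFTP Pro or from Antiy Labs: it models the first of the two behaviours described above (an existing destination directory being removed and replaced by the downloaded file) as a small path-handling routine, and places a hardened handler beside it. The function names, the base-directory check and the sample file tree are assumptions made for the demonstration; the case where the directory does not exist is not modelled, since the advisory gives no detail on how that deletion occurs.

```python
"""Model of the destination-path bug described above, beside a hardened handler.
Assumption: illustrative code only, not CuteFTP Pro's implementation."""
import os
import shutil
import tempfile


def save_unsafe(user_path: str, data: bytes) -> str:
    """Flawed handler (modelled, not the real one): the edited destination is
    treated as the output file name, and whatever occupies it is cleared away.
    If the user typed an existing directory, that directory is destroyed and
    the download takes its name, which is the data loss the advisory reports."""
    if os.path.isdir(user_path):
        shutil.rmtree(user_path)
    with open(user_path, "wb") as fh:
        fh.write(data)
    return user_path


class DestinationError(Exception):
    """Raised when a user-supplied destination is rejected."""


def save_safe(user_path: str, remote_name: str, data: bytes, base_dir: str) -> str:
    """Hardened handler: the edited path is a directory to write into, never a
    file to replace. It must stay inside base_dir (assumed download root),
    existing non-directories are rejected, nothing is ever deleted, and the
    output file is created with O_EXCL so an existing file is never clobbered."""
    dest_dir = os.path.realpath(user_path)
    base = os.path.realpath(base_dir)
    if os.path.commonpath([base, dest_dir]) != base:
        raise DestinationError("destination escapes the download root")
    if os.path.lexists(dest_dir) and not os.path.isdir(dest_dir):
        raise DestinationError("destination exists and is not a directory")
    os.makedirs(dest_dir, exist_ok=True)  # create if missing; never remove
    name = os.path.basename(remote_name)  # ignore any directory part sent by the server
    if name in ("", ".", ".."):
        raise DestinationError("unusable remote file name")
    out = os.path.join(dest_dir, name)
    fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return out


def demo() -> dict:
    """Runs both handlers against a constructed throw-away tree and reports
    what survived. The tree (downloads/keep.txt) is sample data for the demo."""
    base = tempfile.mkdtemp()
    try:
        downloads = os.path.join(base, "downloads")
        keep = os.path.join(downloads, "keep.txt")

        def build_tree():
            os.makedirs(downloads)
            with open(keep, "w") as fh:
                fh.write("existing user data")

        build_tree()
        save_unsafe(downloads, b"payload")
        result = {
            "unsafe_keep_survived": os.path.exists(keep),   # directory wiped
            "unsafe_dir_became_file": os.path.isfile(downloads),
        }

        os.remove(downloads)  # clean up the file that replaced the directory
        build_tree()
        out = save_safe(downloads, "pub/remote.bin", b"payload", base)
        result["safe_keep_survived"] = os.path.exists(keep)
        result["safe_output_in_dir"] = (
            os.path.isfile(out) and os.path.dirname(out) == os.path.realpath(downloads)
        )

        # Two rejected inputs: an existing file as destination, and a path that
        # climbs out of the download root.
        for bad in (keep, os.path.join(base, "..", "elsewhere")):
            try:
                save_safe(bad, "x.bin", b"", base)
                result.setdefault("rejected", []).append(False)
            except DestinationError:
                result.setdefault("rejected", []).append(True)
        return result
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version fixes the two design decisions that make the reported behaviour possible: a destination edited by the user is never interpreted as a file to overwrite, and nothing on disk is removed on the download path at all; missing directories are created, existing conflicts are refused.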
Solution
We have reported this issue to the vendor.
We recommend that users stop using CuteFTP Pro, or at least avoid the operation described above, or switch to another FTP tool.