Reported January 18, 2003, by Lance Fitz-Herbert.
GlobalSCAPE CuteFTP 5.0 XP for Windows, build 18.104.22.168
A buffer-overflow vulnerability in CuteFTP 5.0 XP for Windows can permit an attacker to execute arbitrary code on the vulnerable system. When an FTP server responds to a List command (i.e., to obtain a directory listing), the response travels over a data connection. Sending 257 bytes over a data connection causes a buffer overflow, so the attacker can completely overwrite the IP register by sending 260 bytes of data.
GlobalSCAPE has been notified but hasn't yet released a fix or workaround for this vulnerability.
Discovered by Lance Fitz-Herbert.