Reported January 23, 2002, by Arne Vidstrom.

VERSIONS AFFECTED

  • Pi-Soft’s SpoonFTP versions up to and including 1.1.0.0 for Windows 2000, Windows Me, Windows NT, and Windows 9x


DESCRIPTION
A vulnerability in Pi-Soft’s SpoonFTP lets an attacker bounce a connection through the vulnerable server and attack a third-party host. An intruder can also launch this FTP bounce attack from ports lower than 1024, to which the attacker typically doesn't have user access.
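
The server-side check that refuses a bounce request, as an added example that is not Pi-Soft's code or its 1.2 fix: it follows the RFC 2577 guidance of rejecting a PORT argument that names a host other than the control-connection peer or a port below 1024. The function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_port_arg(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError("malformed PORT argument")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    # Build the address from the four octets; the port is p1*256 + p2.
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]

def check_port_command(arg, control_peer_ip):
    """Return the (reply_code, reason) a hardened server gives for PORT <arg>."""
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as exc:
        return 501, str(exc)
    # Bounce check: the data connection may only go back to the client itself.
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return 504, "data address differs from control connection peer"
    # Never open a data connection to a well-known service port.
    if port < 1024:
        return 504, "data port below 1024 refused"
    return 200, "PORT command successful"

# Constructed sample requests; the client is connected from 192.0.2.10.
SAMPLES = [
    "192,0,2,10,19,137",   # client's own address, port 5001
    "198,51,100,7,0,25",   # third-party host: the bounce case
    "192,0,2,10,0,80",     # own address but a port below 1024
    "192,0,2,10,19",       # truncated argument
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_port_command(sample, "192.0.2.10"))
```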


VENDOR RESPONSE

The vendor, Pi-Soft Consulting, has released version 1.2, which fixes this vulnerability.


CREDIT
Discovered by Arne Vidstrom.