
CVE-2009-5012: Improper Access Control in pyftpdlib

CVSS Score: 4

Basic Information

EPSS Score: 0.42427%
Published: 5/2/2022
Updated: 10/14/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
pyftpdlib | pip | <= 0.5.1 | 0.5.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from a missing permission check for the MLST command. In pyftpdlib's FTP protocol handling, each command-specific method (such as ftp_MLST) is responsible for enforcing access control for its own command, and these handlers are implemented as methods prefixed with 'ftp_' in ftpserver.py. The advisory states that MLST did not require the 'l' (list) permission, so an authenticated user without listing rights could still obtain a listing of the root directory. The fix is to add the 'l' permission check to the MLST handler method, matching the pattern already used by the library's other listing commands.
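The root cause described above, as an added illustration that is not pyftpdlib's own ftpserver.py code: a constructed, simplified model of pyftpdlib-style per-user permission strings, showing the MLST handler without the 'l' check beside the corrected one, plus a small audit helper that reports which handlers answer a user who lacks listing rights. The authorizer, the fake root directory contents and the user names are all constructed for the example.

```python
# Constructed model of per-user FTP permission letters (pyftpdlib style,
# where 'l' grants directory listing). Not pyftpdlib's real implementation.
from dataclasses import dataclass, field


@dataclass
class Authorizer:
    """Maps username -> permission letters, e.g. {"bob": "elr"}."""
    perms: dict = field(default_factory=dict)

    def has_perm(self, username, perm):
        return perm in self.perms.get(username, "")


# Constructed in-memory root directory that a listing would reveal.
FAKE_ROOT = ["etc", "home", "secret.txt"]


def ftp_LIST(auth, user, path):
    """LIST behaves correctly: it requires 'l' before listing anything."""
    if not auth.has_perm(user, "l"):
        return "550 Permission denied."
    return "226 " + " ".join(FAKE_ROOT)


def ftp_MLST_vulnerable(auth, user, path):
    """Models the pre-0.5.2 defect: MLST answers without consulting the
    authorizer, so any authenticated user can enumerate the root directory."""
    return "250 " + " ".join(FAKE_ROOT)


def ftp_MLST_fixed(auth, user, path):
    """Same handler with the missing check added: MLST now requires 'l',
    exactly like LIST."""
    if not auth.has_perm(user, "l"):
        return "550 Permission denied."
    return "250 " + " ".join(FAKE_ROOT)


def audit_commands(auth, user, handlers):
    """Defender-side check: run every handler as `user` against '/' and
    return the names of those that reply with something other than a 550
    error, i.e. commands that leak the listing to a user lacking 'l'."""
    leaks = []
    for name, handler in handlers.items():
        reply = handler(auth, user, "/")
        if not reply.startswith("550"):
            leaks.append(name)
    return leaks
```

Running `audit_commands` for a user whose permission string omits 'l' flags only the handler that skips the check, which is the kind of per-command consistency test that would have caught this defect before release.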


WAF Protection Rules

WAF Rule

ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.
