CVE-2007-4909 (GCVE-0-2007-4909)
Vulnerability from cvelistv5
Published
2007-09-17 17:00
Modified
2024-08-07 15:08
Severity ?
CWE
  • n/a
Summary
Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP. NOTE: this is related to an incomplete fix for CVE-2006-3015.
References
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T15:08:33.919Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29\u0026r2=1.30"
          },
          {
            "name": "winscp-scpsftp-command-execution(36591)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36591"
          },
          {
            "name": "3141",
            "tags": [
              "third-party-advisory",
              "x_refsource_SREASON",
              "x_transferred"
            ],
            "url": "http://securityreason.com/securityalert/3141"
          },
          {
            "name": "25655",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/25655"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://winscp.net/eng/docs/history/"
          },
          {
            "name": "26820",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/26820"
          },
          {
            "name": "1018697",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1018697"
          },
          {
            "name": "20070913 WinSCP \u003c 4.04 url protocol handler flaw",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/479298/100/0/threaded"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2007-09-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP.  NOTE: this is related to an incomplete fix for CVE-2006-3015."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-15T20:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29\u0026r2=1.30"
        },
        {
          "name": "winscp-scpsftp-command-execution(36591)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36591"
        },
        {
          "name": "3141",
          "tags": [
            "third-party-advisory",
            "x_refsource_SREASON"
          ],
          "url": "http://securityreason.com/securityalert/3141"
        },
        {
          "name": "25655",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/25655"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://winscp.net/eng/docs/history/"
        },
        {
          "name": "26820",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/26820"
        },
        {
          "name": "1018697",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1018697"
        },
        {
          "name": "20070913 WinSCP \u003c 4.04 url protocol handler flaw",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/479298/100/0/threaded"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2007-4909",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP.  NOTE: this is related to an incomplete fix for CVE-2006-3015."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29\u0026r2=1.30",
              "refsource": "MISC",
              "url": "http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29\u0026r2=1.30"
            },
            {
              "name": "winscp-scpsftp-command-execution(36591)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36591"
            },
            {
              "name": "3141",
              "refsource": "SREASON",
              "url": "http://securityreason.com/securityalert/3141"
            },
            {
              "name": "25655",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/25655"
            },
            {
              "name": "http://winscp.net/eng/docs/history/",
              "refsource": "CONFIRM",
              "url": "http://winscp.net/eng/docs/history/"
            },
            {
              "name": "26820",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/26820"
            },
            {
              "name": "1018697",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1018697"
            },
            {
              "name": "20070913 WinSCP \u003c 4.04 url protocol handler flaw",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/479298/100/0/threaded"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2007-4909",
    "datePublished": "2007-09-17T17:00:00",
    "dateReserved": "2007-09-17T00:00:00",
    "dateUpdated": "2024-08-07T15:08:33.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2007-4909\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2007-09-17T17:17:00.000\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP.  NOTE: this is related to an incomplete fix for CVE-2006-3015.\"},{\"lang\":\"es\",\"value\":\"Conflicto de interpretaci\u00f3n en WinSCP anterior a 4.0.4 permite a atacantes remotos llevar a cabo transferencias de archvios de su elecci\u00f3n con un servidor remoto a trav\u00e9s de comandos de transferencia de archivos en la porci\u00f3n final de un (1) scp, y posiblemente un (2)sftp o (3) ftp, URL, tal y como se demostr\u00f3 con la validaci\u00f3n de una URL espec\u00edfica en un servidor remoto con un nombre de usuario de scp, el cual es interpretado como un nombre de esquema HTTP a trav\u00e9s del manejador de protocolo del navegador web, pero este es interpretado como un nombre de usuario por WinSCP. NOTA: esto est\u00e1 relacionado con un parche incompleto para CVE-2006-3015.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":9.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":true,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"833B5B6D-9A6B-4F25-81B0-F27D82940F8D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:3.5.5_beta:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1441C593-8BA8-4D10-BE13-4D4D01B5ACB9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:3.5.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9FEE92BE-F80D-481E-95DF-2C33E8DE3D3B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:3.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61A75DF1-1A3E-4898-B7A6-750F9FA8D1A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:3.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"79C692ED-9C28-4CAA-B72A-4CCC78AE8680\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:3.6.5_beta:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D214F458-12B5-4280-AF10-33426933992E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:3.6.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BD7FE4B2-2433-4B7F-BFA2-DCDEC32F329E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:3.6.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B57BACA5-6820-48BB-906F-6AA010429F18\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:3.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA9F9BEF-14B6-429B-915F-45958C568F76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:3.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"89254511-B715-4515-AA6F-86133A2182CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FDD786A3-A146-4E4B-90C4-D9F8A2E7D986\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:winscp:winscp:4.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"200669EB-F6A1-4C6F-9939-EB3ADB472161\"}]}]}],\"references\":[{\"url\":\"http://secunia.com/advisories/26820\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://securityreason.com/securityalert/3141\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29\u0026r2=1.30\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://winscp.net/eng/docs/history/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/479298/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/25655\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.securitytracker.com/id?1018697\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/36591\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/26820\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://securityreason.com/securityalert/3141\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29\u0026r2=1.30\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://winscp.net/eng/docs/history/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/479298/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/25655\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.securitytracker.com/id?1018697\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/36591\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.