The zFTP server is found to be vulnerable to denial of service in handling STAT and CWD commands with overly large buffer requests.
The zFTP server is a Windows-based FTP server with a focus on clever Active Directory integration and powerful, effortless administration.
3. VERSIONS AFFECTED
2011-04-13 and earlier
The vendor has released a patched version (http://download.zftpserver.com/zFTPServer_Suite_Setup.exe).
This vulnerability was discovered by Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
8. DISCLOSURE TIME-LINE
2011-06-19: notified vendor through email
2011-10-17: vendor released fixed version, 2011-10-17
2011-10-25: vulnerability disclosed
Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/[zftpserver_2011-04-13]_stat,cwd_dos
zFTP Server Home Page: http://zftpserver.com
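
Until the fixed version is deployed, a monitor on the FTP control channel can flag the condition described above. The following is an added example, not part of the original advisory or the vendor's code: it checks captured command lines for STAT and CWD arguments above a length limit. The 512-byte limit, the function names and the sample traffic are assumptions made for illustration; the advisory does not state a size.

```python
# Added example: flag oversized STAT/CWD arguments seen on an FTP control channel.
# MAX_ARG_LEN is an assumed threshold; the advisory gives no size.
from collections import Counter

WATCHED = {b"STAT", b"CWD"}   # the two commands named in the advisory
MAX_ARG_LEN = 512             # assumption: tune to the longest legitimate path


def oversized_argument(raw: bytes, max_len: int = MAX_ARG_LEN):
    """Return (verb, arg_len) if raw is a STAT/CWD line whose argument
    exceeds max_len, else None. FTP verbs are case-insensitive (RFC 959)."""
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    verb = verb.upper()
    if verb in WATCHED and len(arg) > max_len:
        return verb.decode("ascii"), len(arg)
    return None


def scan(events, max_len: int = MAX_ARG_LEN):
    """events: iterable of (client_ip, raw_command_bytes).
    Returns (alerts, per-client alert counts)."""
    alerts, per_client = [], Counter()
    for client, raw in events:
        hit = oversized_argument(raw, max_len)
        if hit:
            alerts.append((client, *hit))
            per_client[client] += 1
    return alerts, per_client


# Constructed sample traffic (documentation-range addresses, filler bytes only).
SAMPLE = [
    ("192.0.2.10", b"USER alice\r\n"),
    ("192.0.2.10", b"CWD /projects/2011/reports\r\n"),
    ("198.51.100.7", b"stat " + b"A" * 2048 + b"\r\n"),  # lowercase verb
    ("198.51.100.7", b"CWD " + b"A" * 2048),             # no CRLF: truncated read
    ("192.0.2.10", b"STOR " + b"A" * 2048 + b"\r\n"),    # not a watched verb
    ("192.0.2.10", b"STAT\r\n"),                          # STAT with no argument
]

if __name__ == "__main__":
    alerts, counts = scan(SAMPLE)
    for client, verb, size in alerts:
        print(f"{client} sent {verb} with a {size}-byte argument")
```

The same length check can be applied at a proxy in front of the server to drop such lines instead of only reporting them.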