CVE-2007-4909 - OpenCVE

Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP. NOTE: this is related to an incomplete fix for CVE-2006-3015.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Winscp	Winscp

Configuration 1 [-]

OR	cpe:2.3:a:winscp:winscp:2.0.0:::::::*
	cpe:2.3:a:winscp:winscp:3.5.5_beta:::::::*
	cpe:2.3:a:winscp:winscp:3.5.6:::::::*
	cpe:2.3:a:winscp:winscp:3.6:::::::*
	cpe:2.3:a:winscp:winscp:3.6.1:::::::*
	cpe:2.3:a:winscp:winscp:3.6.5_beta:::::::*
	cpe:2.3:a:winscp:winscp:3.6.6:::::::*
	cpe:2.3:a:winscp:winscp:3.6.7:::::::*
	cpe:2.3:a:winscp:winscp:3.8.1:::::::*
	cpe:2.3:a:winscp:winscp:3.8.2:::::::*
	cpe:2.3:a:winscp:winscp:4.0.2:::::::*
	cpe:2.3:a:winscp:winscp:4.0.3:::::::*

No data.

References

Link	Providers
http://secunia.com/advisories/26820
http://securityreason.com/securityalert/3141
http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29&r2=1.30
http://winscp.net/eng/docs/history/
http://www.securityfocus.com/archive/1/479298/100/0/threaded
http://www.securityfocus.com/bid/25655
http://www.securitytracker.com/id?1018697
https://exchange.xforce.ibmcloud.com/vulnerabilities/36591

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-09-17T17:00:00

Updated: 2024-08-07T15:08:33.919Z

Reserved: 2007-09-17T00:00:00

Link: CVE-2007-4909

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-09-17T17:17:00.000

Modified: 2018-10-15T21:38:46.207

Link: CVE-2007-4909

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-09-13T00:00:00", "descriptions": [{"lang": "en", "value": "Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP. NOTE: this is related to an incomplete fix for CVE-2006-3015."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29&r2=1.30"}, {"name": "winscp-scpsftp-command-execution(36591)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36591"}, {"name": "3141", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/3141"}, {"name": "25655", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/25655"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://winscp.net/eng/docs/history/"}, {"name": "26820", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26820"}, {"name": "1018697", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1018697"}, {"name": "20070913 WinSCP < 4.04 url protocol handler flaw", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/479298/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-4909", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP. NOTE: this is related to an incomplete fix for CVE-2006-3015."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29&r2=1.30", "refsource": "MISC", "url": "http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29&r2=1.30"}, {"name": "winscp-scpsftp-command-execution(36591)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36591"}, {"name": "3141", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/3141"}, {"name": "25655", "refsource": "BID", "url": "http://www.securityfocus.com/bid/25655"}, {"name": "http://winscp.net/eng/docs/history/", "refsource": "CONFIRM", "url": "http://winscp.net/eng/docs/history/"}, {"name": "26820", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26820"}, {"name": "1018697", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1018697"}, {"name": "20070913 WinSCP < 4.04 url protocol handler flaw", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/479298/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T15:08:33.919Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29&r2=1.30"}, {"name": "winscp-scpsftp-command-execution(36591)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36591"}, {"name": "3141", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/3141"}, {"name": "25655", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/25655"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://winscp.net/eng/docs/history/"}, {"name": "26820", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/26820"}, {"name": "1018697", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1018697"}, {"name": "20070913 WinSCP < 4.04 url protocol handler flaw", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/479298/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-4909", "datePublished": "2007-09-17T17:00:00", "dateReserved": "2007-09-17T00:00:00", "dateUpdated": "2024-08-07T15:08:33.919Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:winscp:winscp:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "833B5B6D-9A6B-4F25-81B0-F27D82940F8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:3.5.5_beta:*:*:*:*:*:*:*", "matchCriteriaId": "1441C593-8BA8-4D10-BE13-4D4D01B5ACB9", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:3.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "9FEE92BE-F80D-481E-95DF-2C33E8DE3D3B", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:3.6:*:*:*:*:*:*:*", "matchCriteriaId": "61A75DF1-1A3E-4898-B7A6-750F9FA8D1A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "79C692ED-9C28-4CAA-B72A-4CCC78AE8680", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:3.6.5_beta:*:*:*:*:*:*:*", "matchCriteriaId": "D214F458-12B5-4280-AF10-33426933992E", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:3.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "BD7FE4B2-2433-4B7F-BFA2-DCDEC32F329E", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:3.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "B57BACA5-6820-48BB-906F-6AA010429F18", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:3.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "FA9F9BEF-14B6-429B-915F-45958C568F76", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:3.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "89254511-B715-4515-AA6F-86133A2182CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "FDD786A3-A146-4E4B-90C4-D9F8A2E7D986", "vulnerable": true}, {"criteria": "cpe:2.3:a:winscp:winscp:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "200669EB-F6A1-4C6F-9939-EB3ADB472161", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Interpretation conflict in WinSCP before 4.0.4 allows remote attackers to perform arbitrary file transfers with a remote server via file-transfer commands in the final portion of a (1) scp, and possibly a (2) sftp or (3) ftp, URL, as demonstrated by a URL specifying login to the remote server with a username of scp, which is interpreted as an HTTP scheme name by the protocol handler in a web browser, but is interpreted as a username by WinSCP. NOTE: this is related to an incomplete fix for CVE-2006-3015."}, {"lang": "es", "value": "Conflicto de interpretaci\u00f3n en WinSCP anterior a 4.0.4 permite a atacantes remotos llevar a cabo transferencias de archvios de su elecci\u00f3n con un servidor remoto a trav\u00e9s de comandos de transferencia de archivos en la porci\u00f3n final de un (1) scp, y posiblemente un (2)sftp o (3) ftp, URL, tal y como se demostr\u00f3 con la validaci\u00f3n de una URL espec\u00edfica en un servidor remoto con un nombre de usuario de scp, el cual es interpretado como un nombre de esquema HTTP a trav\u00e9s del manejador de protocolo del navegador web, pero este es interpretado como un nombre de usuario por WinSCP. NOTA: esto est\u00e1 relacionado con un parche incompleto para CVE-2006-3015."}], "id": "CVE-2007-4909", "lastModified": "2018-10-15T21:38:46.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2007-09-17T17:17:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/26820"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/3141"}, {"source": "cve@mitre.org", "url": "http://winscp.cvs.sourceforge.net/winscp/winscp3/core/SessionData.cpp?r1=1.29&r2=1.30"}, {"source": "cve@mitre.org", "url": "http://winscp.net/eng/docs/history/"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/479298/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/25655"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1018697"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36591"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}