FileZilla 2.2.30a closes security holes
Version 2.2.30a of the open source FTP client FileZilla closes several security holes that attackers could exploit to trigger buffer overflows. The developers advise users to update even though they do not rate the holes as critical.
One vulnerability lies in the display of the transfer queue. The values shown there, such as the download speed and the remaining time, are copied into display variables without any length check. A specially prepared path or file name served by the FTP server, for instance, can then overflow one of these variables. In principle that could allow code to be injected and executed, but the developers do not say what the actual consequences are.
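The following C listing is an added illustration of the bug class described above, not FileZilla's own code and not a reproduction of the actual flaw: an unbounded copy of a server-supplied file name into a fixed-size display field, next to a bounded copy that reports truncation instead of writing past the buffer. The struct layout, the field widths, the function names and the sample file name are all assumed for the illustration.

```c
/*
 * Added example (not FileZilla code): shape of an unchecked copy of a
 * server-controlled string into a fixed-size display buffer, beside a
 * bounded replacement. Sizes, names and sample data are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_CAP  32   /* assumed width of the file-name column */
#define SPEED_CAP 16   /* assumed width of the speed column */

struct queue_row {
    char name[NAME_CAP];
    char speed[SPEED_CAP];
};

enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1 };

/* Constructed sample: a 52-byte file name as an FTP server might return it
 * in a LIST reply, longer than the 31 bytes the column can hold. */
static const char SAMPLE_LONG_NAME[] =
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" ".iso";

/* VULNERABLE pattern: the length of `name`, which the remote server
 * controls, is never compared with NAME_CAP. A name longer than 31 bytes
 * runs past row->name into row->speed and whatever follows the struct.
 * Kept only to show the shape of the bug; never call it with untrusted
 * input. */
void render_row_unchecked(struct queue_row *row, const char *name, double kbps)
{
    strcpy(row->name, name);                 /* no bound at all */
    sprintf(row->speed, "%.1f KB/s", kbps);  /* no bound either */
}

/* HARDENED: bounded copy that always NUL-terminates and tells the caller
 * when the value did not fit, so the UI can flag it instead of silently
 * corrupting memory. `cap` must be the real size of `dst`. */
enum copy_status copy_field(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len >= cap) {
        memcpy(dst, src, cap - 1);   /* keep what fits */
        dst[cap - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, len + 1);       /* includes the terminator */
    return COPY_OK;
}

/* Fill one queue row from server-supplied data; returns COPY_TRUNCATED if
 * any field had to be cut. */
enum copy_status render_row(struct queue_row *row, const char *name, double kbps)
{
    enum copy_status s = copy_field(row->name, sizeof row->name, name);
    /* snprintf bounds the numeric field; a return value >= cap means the
     * formatted text did not fit and was cut. */
    int n = snprintf(row->speed, sizeof row->speed, "%.1f KB/s", kbps);
    if (n < 0 || (size_t)n >= sizeof row->speed)
        s = COPY_TRUNCATED;
    return s;
}

int main(void)
{
    struct queue_row row;
    enum copy_status s = render_row(&row, SAMPLE_LONG_NAME, 123.4);
    printf("status=%d name=\"%s\" speed=\"%s\"\n", (int)s, row.name, row.speed);
    return 0;
}
```

The bounded version is only as good as the capacity it is handed: if the size value passed as `cap` does not match the buffer's real size, the check itself is wrong, which is the kind of error the registry-reading flaw described in the next paragraph points at.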
Another flaw lies in the routines that read settings from the registry: a variable that indicates the size of a buffer may hold a value that is too low. However, attackers apparently need local access to the computer to exploit this error. Version 2.2.30a can be downloaded from the Sourceforge website; FileZilla users are advised to switch to the new version at the next opportunity.