Synopsis: WS_FTP 2007 Professional SCP handling format string vulnerability Product: WS_FTP 2007 Professional Vendor: Ipswitch I. Background "[..]Transfer files anywhere, anytime, with complete security. * Lightning fast transfer speeds * Industry leading security * Time saving features include schedule, backup, and email notifications[..]" II. Problem Description Remote code execution is possible. III. Details SCP handling module is vulnerable to format string vulnerability. Opening a specially crafted SCP file with WS_FTP 2007 script handler might lead to arbitrary code execution. The specially crafted file uses the WS_FTP script command "SHELL" and executes the file with the specially crafted name. The file is access using "file://". Kind regards, Michal Bucko (sapheal)