Topic review

martin

Re: Denial of Service via FTP

Thanks for testing this! Yes, you can publish it.
mx61tt

Re: Denial of Service via FTP

Great! Now the bug was fixed.

I would like to know if I can now publish this bug as a CVE.
martin

Re: Denial of Service via FTP

This bug has been added to the tracker:
https://winscp.net/tracker/1924

I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.
mx61tt

Re: Denial of Service via FTP

OK, I'll be waiting for publication of the vulnerability with the intention of CVE.
Thank you.
martin

Re: Denial of Service via FTP

Thanks. I'm able to reproduce the problem on Windows 7. I'll look at it and I'll come back to you.
mx61tt

Re: Denial of Service via FTP

I was able to crash with the debug version too. Anyway, I'm attaching the log that I got after the crash. Note that if you execute it in Windows 10, it won't crash. Hope that helps you.

For the crash you need to execute it in Windows 7.
martin

Re: Denial of Service via FTP

Thanks for your report. Though I cannot reproduce the problem. I get the listing in GUI without a crash.
I have sent you an email with a debug version of WinSCP to the address you have used to register on this forum.
mx61tt

Denial of Service via FTP

Simulating a malicious server, it was possible to crash the application after preparing a response to the listing of modified content for a large number of characters.

I used a Kali machine to execute a PoC and simulate a server.

Version of WinSCP: 5.17.8
Version of OS: Windows 7 SP1 x64