By exploiting a buffer overflow condition in the processing of the CWD command, it is possible for a remote user to execute arbitrary commands on the server running WFTPD. Unless the anonymous account is enabled, an attacker would need to know a valid user name and password in order to exploit the vulnerability.
WFTPD Pro 3.00 prior to release 4 is affected by this vulnerability.
6/1/01
A buffer overflow in the processing of path names could allow an
attacker to crash the service or execute arbitrary code by listing
a directory which, together with a file name in the directory,
contains a very large path name. Unless the anonymous account
is enabled, an attacker would need to know a valid user name and
password in order to exploit the vulnerability.
WFTPD Pro 3.00 R5 and earlier are affected by this vulnerability.
The long path name vulnerability was reported in Vuln-Dev.