CVE-2004-2318
Description
SurgeFTP Server 1.0b-2.2k1 administrative interface crashes via two percent signs in CMD parameter, causing denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The administrative interface (surgeftpmgr.cgi) in SurgeFTP Server versions 1.0b through 2.2k1 is vulnerable to a denial-of-service condition. Sending a request with two percent (%) signs in the CMD parameter triggers a crash of the CGI process, temporarily disrupting the administrative interface [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP request to the administrative interface. The attacker only needs network access to the server and does not require any prior authentication or user interaction. The request must include two % characters in the CMD parameter, which causes the CGI script to crash [1].
Impact
Successful exploitation results in a temporary denial of service (crash) of the administrative interface. The crash does not lead to data loss, privilege escalation, or persistent compromise; however, it prevents legitimate administrators from accessing the management console until the service is restarted [1].
Mitigation
No specific mitigation or patch information is provided in the available reference [1]. As the affected versions are legacy, upgrading to a later version or replacing the software may be necessary. No workaround is documented.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (6)
- members.lycos.co.uk/r34ct/main/surge_FTP/surge-ftp.txt (nvd: Exploit, Vendor Advisory)
- www.secunia.com/advisories/10758/ (nvd: Exploit, Patch, Vendor Advisory)
- securitytracker.com/id (nvd)
- www.osvdb.org/3788 (nvd)
- www.securityfocus.com/bid/9554 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/15001 (nvd)