VYPR
Critical severity · NVD Advisory · Published Jan 26, 2021 · Updated Aug 6, 2024

CVE-2013-2512

Description

The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in LIST or NLST command arguments.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

The vulnerability resides in the Ls module of disk_file_system.rb in ftpd 0.2.1. The module constructs a shell command by concatenating 'ls', user-supplied options, and the filename argument without sanitization, allowing shell metacharacters such as ; to inject arbitrary commands [4]. The code explicitly shells out to ls, making injection possible [2].

Exploitation

An attacker must first authenticate to the FTP server, but the default driver in the example allows any username/password [1]. Once authenticated, the attacker can issue LIST or NLST commands with a crafted argument containing shell metacharacters. For instance, ls adfasdf;id executed the id command on the server [4]. The specified file path (or directory) must also exist in the server's file system driver for the injection to trigger, but this condition is easily met.

Impact

Successful exploitation allows remote command execution with the privileges of the FTP server process. This can lead to full system compromise, data exfiltration, or further lateral movement within the network, depending on the server's environment.

Mitigation

The vulnerability was fixed in version 0.2.2 by disabling globbing in LIST and NLST and noting that the commands should not shell out to ls [2]. Users should upgrade to ftpd 0.2.2 or later. Additionally, the gem author cautions that the library was not designed for untrusted environments [1], so exposing it to the public internet is not recommended.
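The string construction the Root Cause describes and the escaping the Mitigation refers to, side by side, as an added Ruby example (not code from the ftpd gem). The third function goes beyond the patch with a shell-free call and an option allowlist; that allowlist, the `--` separator and the `safe_ls` name are my assumptions.

```ruby
require 'shellwords'

# Vulnerable shape (reconstructed from the advisory, not copied from ftpd 0.2.1):
# 'ls', the client-supplied option and the filename are joined into ONE string
# and handed to a shell, so a ';' in the filename ends the ls command and
# starts a new one.
def vulnerable_command(option, filename)
  ['ls', option, filename, '2>&1'].compact.join(' ')
end

# 0.2.2-style fix: every argument is shell-escaped before the shell parses it,
# so metacharacters (and glob characters) reach ls as literal text.
def escaped_command(option, filename)
  "#{Shellwords.shelljoin(['ls', option, filename].compact)} 2>&1"
end

# Hardened variant (my addition, not the gem's code): no shell at all, and the
# client-chosen option must come from an allowlist instead of being passed through.
ALLOWED_LS_OPTIONS = %w[-l -a -la -al].freeze # assumed set of acceptable flags

def safe_ls(dirname, option, filename)
  if option && !ALLOWED_LS_OPTIONS.include?(option)
    raise ArgumentError, "option not allowed: #{option.inspect}"
  end
  # '--' stops a filename beginning with '-' from being read as a flag.
  argv = ['ls', option, '--', filename].compact
  Dir.chdir(dirname) do
    # Array form: argv goes straight to execve; stderr is folded into stdout,
    # which replaces the '2>&1' the shell string needed.
    IO.popen(argv, err: [:child, :out], &:read)
  end
end
```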

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
ftpd      RubyGems    < 0.2.2             0.2.2

Affected products (2)

  • Ruby/ftpd gem (source: description)
  • ghsa-coords: Range: < 0.2.2

Patches (1)

828064f1a0ab

Close code injection vulnerability in LIST and NLST.

https://github.com/wconrad/ftpd · Wayne Conrad · Mar 2, 2013 · via ghsa
7 files changed · +16 -15
  • Changelog.md (+4 -1, modified)
    @@ -1,4 +1,4 @@
    -### dev
    +### 0.2.2
     
     Bug fixes
     
    @@ -8,6 +8,9 @@ Bug fixes
       PASS
     * Open PASV mode data connection on same local IP as control connection.
       This is required by RFC 1123.
    +* Disabled globbing in LIST (for now) due to code injection
    +  vulnerability.  This patch also disables globbing in NLST, but NLST
    +  probably shouldn't do globbing.
     
     Enhancements
     
    
  • doc/rfc-compliance.md (+2 -2, modified)
    @@ -29,7 +29,7 @@ Commands supported:
         CDUP    Yes    0.1.0    Change to parent directory    
         CWD     Yes    0.1.0    Change working directory    
         DELE    Yes    0.1.0    Delete file    
    -    HELP    Yes     dev     Help
    +    HELP    Yes    0.2.2    Help
         LIST    Yes    0.1.0    List directory    
         MKD     Yes    0.2.1    Make directory    
         MODE    Yes    0.1.0    Set transfer mode
    @@ -52,7 +52,7 @@ Commands supported:
         SMNT    No      ---     Structure Mount    
         STAT    No      ---     Server status    
         STOR    Yes    0.1.0    Store file    
    -    STOU    Yes     dev     Store with unique name    
    +    STOU    Yes    0.2.2    Store with unique name    
         STRU    Yes    0.1.0    Set file structure
                                 Supports "File" structure only. "Record" and
                                 "Page" are not supported
    
  • features/ftp_server/list.feature (+1 -0, modified)
    @@ -42,6 +42,7 @@ Feature: List
         And the file list should contain "foo"
     
       Scenario: Glob
    +    Given PENDING "Disabled (for now) due to code injection vulnerability"
         Given a successful login
         And the server has file "foo"
         And the server has file "bar"
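Review bot: marking the Glob scenario PENDING keeps the regression target visible, which is good, but two consecutive `Given` steps read oddly (`And a successful login` is the usual form). More useful would be a companion scenario that pins the new behaviour: a LIST argument containing a glob or shell metacharacter is passed to ls literally and produces no command output, so any future return to a string-joined shell command fails the suite.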
    
  • features/ftp_server/name_list.feature (+0 -9, modified)
    @@ -41,15 +41,6 @@ Feature: Name List
         Then the file list should be in short form
         And the file list should contain "foo"
     
    -  Scenario: Glob
    -    Given a successful login
    -    And the server has file "foo"
    -    And the server has file "bar"
    -    When the client successfully name-lists the directory "f*"
    -    Then the file list should be in short form
    -    And the file list should contain "foo"
    -    And the file list should not contain "bar"
    -
       Scenario: Passive
         Given a successful login
         And the server has file "foo"
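Review bot: the NLST Glob scenario is deleted outright while the LIST one is only marked PENDING; the two commands are being changed by the same code, so treat them the same way. Rather than losing the scenario, replace it with one that asserts the post-fix behaviour for "f*" (the name list no longer expands the pattern), which documents the decision that "NLST probably shouldn't do globbing" and guards it.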
    
  • lib/ftpd/disk_file_system.rb (+4 -3, modified)
    @@ -206,6 +206,8 @@ class DiskFileSystem
     
         module Ls
     
    +      include Shellwords
    +
           def ls(ftp_path, option)
             path = expand_ftp_path(ftp_path)
             dirname = File.dirname(path)
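Review bot: `include Shellwords` mixes every Shellwords helper into the Ls module as private instance methods just to reach `shelljoin`; calling `Shellwords.shelljoin(command)` at the use site needs neither the include nor the extra module surface, and makes the escaping step visible where it matters.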
    @@ -214,11 +216,10 @@ def ls(ftp_path, option)
               'ls',
               option,
               filename,
    -          '2>&1',
    -        ].compact.join(' ')
    +        ].compact
             if File.exists?(dirname)
               list = Dir.chdir(dirname) do
    -            `#{command}`
    +            `#{shelljoin(command)} 2>&1`
               end
             else
               list = ''
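Review bot: `shelljoin` now escapes `filename`, but `option` is still joined in verbatim from the client and the command still goes through a shell via backticks; the README hunk in this commit concedes that arbitrary ls arguments are accepted. Validate `option` against an allowlist of ls flags before it reaches this point, and prefer the array form `IO.popen(['ls', option, filename], err: [:child, :out])` so no shell parses the arguments at all, which also removes the trailing `2>&1`. Minor: `File.exists?` is deprecated; `File.exist?` is the supported spelling.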
    
  • lib/ftpd.rb (+1 -0, modified)
    @@ -2,6 +2,7 @@
     require 'memoizer'
     require 'openssl'
     require 'pathname'
    +require 'shellwords'
     require 'socket'
     require 'tmpdir'
     
    
  • README.md (+4 -0, modified)
    @@ -103,6 +103,10 @@ _and_ for advertising to the client which IP to connect to.  Binding
     to 0.0.0.0 will work fine, but when the client tries to connect to
     0.0.0.0, it won't get to the server.
     
    +LIST doesn't accept globs.  It has other problems (it accepts
    +arbitrary ls arguments!) and needs to be rewritten to not shell out to
    +"ls".
    +
     ## RUBY COMPATABILITY
     
     The tests pass with these Rubies:
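Review bot: "it accepts arbitrary ls arguments!" is a security limitation, not a feature gap, so it should not sit under a paragraph about IP binding; give it its own heading, say which version (0.2.2) disabled globbing so users can tell whether they are affected, and tie it to the existing caution that the library is not designed for untrusted environments.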
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.