CVE-2018-10916
Description
LFTP up to 4.8.3 fails to sanitize remote filenames, letting an attacker delete the victim's current working directory during reverse mirroring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
LFTP versions up to and including 4.8.3 do not sanitize remote file names during reverse mirroring (mirror --reverse, i.e. pushing a local tree to the remote side). In the mirror job code, names taken from the server's directory listing are handed unchanged to lftp's internal rm and chmod commands. Those commands accept URLs as well as plain paths, and the file: scheme denotes the local filesystem, so a server-supplied name built around a file: component (the issue report's example is foobar/file:) is interpreted as a file: URL with an empty path, which resolves to . (the client's current working directory) rather than to an entry on the server [1][2][4]. The issue is triggered when a user runs lftp mirror --reverse --delete against an attacker-controlled FTP server: the --delete pass, meant to remove remote entries that no longer exist locally, instead removes the local directory. The vulnerability is present in lftp before version 4.8.4 [1][3].
Exploitation
An attacker must operate a malicious FTP server that answers directory listing requests with crafted file names (e.g., foobar/file:). The victim must connect to this server with lftp and run a reverse mirror with the --delete option, for example: lftp -c 'open -u user,pass attacker.com; mirror --reverse --delete /local/path /'. No authentication on the victim's system is needed; the attacker only has to get the victim to run the reverse mirror against the controlled server (a compromised or hijacked mirror target that the victim already pushes to would serve the same purpose). When the --delete pass issues rm for the crafted entry, the argument resolves to the local current working directory, which is then deleted, as demonstrated in the issue report [3].
Impact
Successful exploitation results in the removal of all files in the victim's current working directory (CWD) at the time the reverse mirror command is executed. This can lead to significant data loss if the victim operates in a critical directory (e.g., / when run as root). The CIA impact is primarily a loss of integrity (destruction of files) and availability (removal of accessible data). There is no disclosure of information or remote code execution; the attacker only achieves unauthorized file deletion within the scope of the victim's privileges and the current working directory [3][4].
Mitigation
The vulnerability is fixed in lftp 4.8.4: the upstream commit prepends ./ to every file name that the mirror job passes to the rm and chmod commands, so the argument is always read as a relative path and never as a URL [2]. Ubuntu released USN-3731-2 for Ubuntu 12.04 ESM [1], and SUSE and openSUSE shipped patched packages (see Affected products). Users are strongly advised to update lftp to version 4.8.4 or later, or to a patched distribution package. If upgrading is not immediately possible, do not run mirror --reverse --delete against untrusted FTP servers; since the same code path also feeds the chmod command, treat any reverse mirror of an untrusted server as unsafe until patched. The fix is entirely client-side, so nothing a server operator does protects a vulnerable client. The vulnerability is not known to be listed in CISA's KEV catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9 OSV package coordinates, 9 version ranges (no CPE entries):
- pkg:rpm/opensuse/lftp, openSUSE Leap 15.0: < 4.8.3-lp150.3.3.1
- pkg:rpm/opensuse/lftp, openSUSE Tumbleweed: < 4.9.2-1.7
- pkg:rpm/suse/lftp, SUSE Linux Enterprise Desktop 12 SP3: < 4.7.4-3.6.1
- pkg:rpm/suse/lftp, SUSE Linux Enterprise Desktop 12 SP4: < 4.7.4-3.6.1
- pkg:rpm/suse/lftp, SUSE Linux Enterprise Module for Basesystem 15: < 4.8.3-4.3.1
- pkg:rpm/suse/lftp, SUSE Linux Enterprise Server 12 SP3: < 4.7.4-3.6.1
- pkg:rpm/suse/lftp, SUSE Linux Enterprise Server 12 SP4: < 4.7.4-3.6.1
- pkg:rpm/suse/lftp, SUSE Linux Enterprise Server for SAP Applications 12 SP3: < 4.7.4-3.6.1
- pkg:rpm/suse/lftp, SUSE Linux Enterprise Server for SAP Applications 12 SP4: < 4.7.4-3.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"lftp does not properly sanitize remote file names when performing reverse mirroring, allowing attackers to trick users into deleting local files."
Attack vector
A remote attacker can set up a malicious FTP server. When a user attempts to reverse mirror this server using lftp, the attacker can provide specially crafted file names. These file names can cause lftp to execute commands that delete files in the user's current working directory on their local system [ref_id=1].
Affected code
The vulnerability exists within the `MirrorJob::Do()` function in lftp. Specifically, the code responsible for constructing `rm` and `chmod` commands was found to be susceptible to path manipulation when processing remote file names during reverse mirroring [ref_id=1].
What the fix does
The patch modifies the `MirrorJob::Do()` function to prepend './' to file names when constructing `rm` and `chmod` commands. This prevents the file names from being interpreted as URLs by the underlying command execution logic, thus mitigating the risk of unintended file deletion or modification [ref_id=1].
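As an added illustration (not lftp's code, and not taken from the fix commit), the Python model below shows why prepending ./ is sufficient. It contains a simplified stand-in for a URL-aware command-argument resolver that treats a name beginning with file: as the local filesystem (an empty file: path meaning the local current directory), the vulnerable and the fixed way of building the rm argument, and a pre-flight check over a constructed directory listing that flags names a command parser could misread. The resolver, all function names, the directory names /pub and /home/victim and the sample entries are assumptions for this example; lftp's real parser is more elaborate, and the model only recognises a name that starts with the scheme.

```python
"""CVE-2018-10916 modelled in Python (added illustration, not lftp's code).

Assumptions: resolve_arg() is a simplified stand-in for an lftp-style command
parser that accepts URLs as well as paths; only the behaviour the advisory
relies on is modelled (a leading "file:" names the LOCAL filesystem, an empty
file: path means the local current directory).  Function names, the remote
and local directories and the sample listing are constructed for this example.
"""
import os
import re
from dataclasses import dataclass

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ':'
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


@dataclass(frozen=True)
class Target:
    location: str  # "remote" (the FTP session) or "local" (the victim's disk)
    path: str


def resolve_arg(arg: str, remote_cwd: str, local_cwd: str) -> Target:
    """Resolve one rm/chmod argument the way a URL-aware client would (model).

    "file:<path>"   -> the local filesystem; an empty path means the local cwd
    "scheme://..."  -> a full URL, left as is (some remote location)
    anything else   -> a plain name relative to the remote cwd
    """
    m = _SCHEME_RE.match(arg)
    if m and m.group(1).lower() == "file":
        rest = arg[m.end():]
        return Target("local", rest if rest else local_cwd)
    if m and arg[m.end():].startswith("//"):
        return Target("remote", arg)
    return Target("remote", os.path.normpath(os.path.join(remote_cwd, arg)))


def rm_args_vulnerable(remote_name: str) -> list[str]:
    """lftp <= 4.8.3 (model): the server-supplied name is appended verbatim."""
    return ["rm", "-r", remote_name]


def rm_args_fixed(remote_name: str) -> list[str]:
    """lftp 4.8.4 (model): './' is prepended, so the argument can never begin
    with a URL scheme (or an option dash) and is read as a relative path."""
    return ["rm", "-r", "./" + remote_name]


def delete_target(argv: list[str], remote_cwd: str = "/pub",
                  local_cwd: str = "/home/victim") -> Target:
    """What the last argument of a modelled rm/chmod command line points at."""
    return resolve_arg(argv[-1], remote_cwd, local_cwd)


def risky_remote_names(names: list[str]) -> list[str]:
    """Pre-flight check over a directory listing: flag server-supplied names
    that a command parser could read as something other than a plain relative
    file name (URL scheme prefix, option dash, path separator, empty, . or ..)."""
    return [n for n in names
            if _SCHEME_RE.match(n) or n.startswith("-") or "/" in n
            or n in ("", ".", "..")]


if __name__ == "__main__":
    # Constructed listing: one benign entry plus names shaped like the advisory's.
    listing = ["index.html", "file:", "-rf"]
    print("flagged:", risky_remote_names(listing + ["foobar/file:"]))
    for name in listing:
        before = delete_target(rm_args_vulnerable(name))
        after = delete_target(rm_args_fixed(name))
        print(f"{name!r:14} vulnerable -> {before.location}:{before.path:16} "
              f"fixed -> {after.location}:{after.path}")
```

Run as a script, the listing entry file: resolves to the local directory /home/victim with the vulnerable argument construction and to the remote path /pub/file: once ./ is prepended; the same prefix also keeps a name such as -rf from being read as an option. The risky_remote_names() check is the kind of guard a client can apply to any server-supplied name before it reaches a command interpreter, independent of the specific lftp fix.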
Preconditions
- network: The victim must connect to an attacker-controlled FTP server.
- input: The attacker must control the file names on the FTP server.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6 references:
- lists.opensuse.org/opensuse-security-announce/2019-03/msg00036.html (SUSE vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2019-04/msg00010.html (SUSE vendor advisory)
- usn.ubuntu.com/3731-2/ (Ubuntu vendor advisory)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992 (upstream fix commit)
- github.com/lavv17/lftp/issues/452 (upstream issue report)
News mentions
No linked articles in our index yet.