WU-FTPD Development Group


A vulnerability has been found in the current versions of WU-FTPD up to 2.6.2. Information describing the vulnerability is available from

Please apply the realpath.patch patch to WU-FTPD 2.6.2.

This fixes an off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD. It may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.

Additionally, applying the connect-dos.patch is advised for all systems.

This patch fixes a possible denial of service attack on systems that allow only one non-connected socket bound to the same local address.

Additionally, applying the skeychallenge.patch is advised strongly for systems using S/Key logins.

This patch fixes a stack overflow in the S/Key login handling.

The current version of WU-FTPD is 2.6.2 and is available from ftp.wu-ftpd.org. If you are running an earlier version, please update your copy. You might want to take a look at what has changed.

Before downloading, please check the list of wu-ftpd world-wide mirrors for a site in your region.

Additional information about WU-FTPD is available online:

There are a number of mailing lists for support questions or other discussions concerning WU-FTPD.

Archived WU-FTPD Group Announcements

This site currently being re-done, so come back occasionally.

Last updated: Tue Feb 18 06:24:29 CST 2003