Critical Vulnerability Information

Vulnerability Name: WinSCP < 4.04 URL protocol handler flaw
Date: 2007.09.19
Risk Level: Medium
CVE ID: CVE-2007-4909
CWE ID: CWE-264
CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10

Affected Products

WinSCP 4.03 and earlier versions

Vulnerability Details

By default, WinSCP installs URL protocol handlers for and protocols. These handlers can be triggered by malicious web content to automatically upload any file from the local system to a remote server, or to automatically download files from a remote server to the local system. Starting with version 3.8.2, WinSCP provides some protection against this, but it does not prevent all variants of the attack.

Proof of Concept (PoC)

Set up an account on a machine you control that supports only SCP, with username "scp" and any password. Place the following code on a website:

When a user with an affected WinSCP installation visits this page, the code uploads the specified file to the server. Similarly, downloading files from the server to any location writable by the current user is also possible.

Test Environment

Verified to work on IE6 and IE7. Works on Firefox (FF) versions above 2.0.0.5. Firefox 2.0.0.5 and later versions display a confirmation dialog before executing WinSCP.

Solution

Upgrade to version 4.04 or later. Download link: http://winscp.net/download.php

Incident Timeline

2007-07-24: Vulnerability reported to Martin Prikryl
2007-07-25: Patch suggestion proposed to Martin
2007-07-31: Martin responded
2007-08-01: Martin confirmed fix
2007-09-02: New version released
2007-09-06: WinSCP 4.04 released
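The advisory's remedy is to upgrade, so the practical follow-up for an administrator is finding hosts where a WinSCP URL protocol handler is still registered and the binary predates the fix. The audit function below is an added example, not part of the advisory and not WinSCP's own tooling; it assumes the standard Windows layout for URL protocol handlers (a key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value and a shell\open\command subkey) and that the fixed release "4.04" corresponds to a file version of 4.0.4, which is a labelled assumption you should confirm against your own installation.

```powershell
# Added audit helper (not from the advisory). Enumerates registered URL
# protocol handlers, keeps those whose command launches WinSCP, and reports
# whether the referenced executable is older than the fixed release.
# Assumptions: standard HKCR\<scheme> handler layout with a "URL Protocol"
# value; fixed release "4.04" == file version 4.0.4 (adjust if your build differs).
function Get-WinScpUrlHandlers {
    param([version]$MinimumFixedVersion = [version]'4.0.4')

    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('URL Protocol') } |
        ForEach-Object {
            $scheme = $_.PSChildName
            $cmdKey = Join-Path $_.PSPath 'shell\open\command'
            if (-not (Test-Path $cmdKey)) { return }

            # The (default) value holds the command line the browser will run.
            $command = (Get-ItemProperty -Path $cmdKey).'(default)'
            if ([string]::IsNullOrEmpty($command) -or $command -notmatch '(?i)winscp') { return }

            # Pull the executable path out of a command like "C:\...\WinSCP.exe" "%1".
            $exe = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split ' ')[0] }

            $fileVersion = $null
            $vulnerable = $null
            if (Test-Path $exe) {
                $raw = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($exe).FileVersion
                if ($raw -match '^\d+(\.\d+){1,3}') {
                    $fileVersion = [version]$Matches[0]
                    $vulnerable = $fileVersion -lt $MinimumFixedVersion
                }
            }

            [pscustomobject]@{
                Scheme      = $scheme
                Command     = $command
                Executable  = $exe
                FileVersion = $fileVersion
                Vulnerable  = $vulnerable   # $null when the binary could not be inspected
            }
        }
}

Get-WinScpUrlHandlers | Format-Table -AutoSize
```

A row with Vulnerable = True is a host where the advisory's upgrade has not been applied; a $null FileVersion means the command points at a path that no longer exists and the stale handler registration itself is worth cleaning up.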