CVE-2004-0299 - SmallFTPD Remote Denial Of Service Vulnerability



Last modification



Buffer overflow in smallftpd 0.99 allows local users to cause a denial of service (crash) via an FTP request with a large number of "/" (slash) characters.


It has been reported that SmallFTPD is prone to a remote denial of service vulnerability. This issue is due to the application failing to properly validate user input. Successful exploitation of this issue may cause the affected server to crash, denying service to legitimate users. It has been conjectured that this issue may be due to a boundary management problem that may lead to arbitrary code execution, however this has yet to be verified.


Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.


No exploit is required to leverage this issue. The following proof of concept has been provided:[464 and more "/" symbols]/../../../

Risk level (CVSS AV:L/AC:L/Au:N/C:N/I:N/A:P)



Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High


  • None
  • Single
  • Multiple

Confident. Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

Vendor Product Versions
Smallftpd Smallftpd  1.0.3