LFTP MirrorJob::HandleFile Arbitrary Command Injection Vulnerability

info
discussion
exploit
solution
references

LFTP MirrorJob::HandleFile Arbitrary Command Injection Vulnerability

LFTP is prone to an arbitrary-command-injection vulnerability because it fails to adequately sanitize user-supplied data.

An attacker can exploit this issue to execute arbitrary commands in the context of the user running the application.

Versions prior to LFTP 3.5.9 are vulnerable.