-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:         SYSS-2014-002
Product:             FTP Rush
Vendor:              Wing FTP Software
Affected Version(s): v2.1.8
Tested Version(s):   v2.1.8 (Windows 7 32 bit and Windows 8.1 64 bit)
Vulnerability Type:  X.509 validation
Risk Level:          Medium
Solution Status:
Vendor Notification: 2014-04-04
Solution Date:
Public Disclosure:   2014-05-19
CVE Reference:       Not assigned, (but similiar to CVE-2012-6606)
Author of Advisory:  Micha Borrmann (SySS GmbH)

Overview:
FTP Rush does not validating X.509 certificates, if FTP with TLS is used

Vulnerability Details:
A user can not recognize an easy to perform
man-in-the-middle attack, because the client is not validate the X.509
certificate from the FTP server. In an untrusted networking
environment (like a Wifi hotspot), the current FTP AUTH TLS connection
with FTP Rush should be classified as not encrypted.

Proof of Concept (PoC): not needed

Solution: use another client for FTP with AUTH TLS

Disclosure Timeline:
April 3, 2014 - Vulnerability discovered
April 4, 2014 - Vulnerability reported to vendor
May  19, 2014 - Vulnerability disclosure, after a period of 45 days for
a responsible disclosure

Credits:
Security vulnerability found by Micha Borrmann of the SySS GmbH.

Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS web site
(https://www.syss.de/aktuelles/advisories/advisory-ftp-rush/)

Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJTefx8AAoJEPxn66kbURKKFw8P/R1/D7b8GoZTQtPe2Rj/w6Sx
KakOOZ5IOEgbZP9pl6vOQBCCOWfipJFgVCSoF9BYUOJ9k/fM7inQZl7e4BRBIfGR
2bJveIe+VScTnDQ+yt56TKo6jSMvdszwcBrNTTI+cTn1CvlWBJiDAjHj6SWDCWRe
47tT7LMtOCL8bA/EAacfxWxAJFv2Zu45rkSqGXvKxz987Ss1CuuMUHQ6BzyggcCS
GvvfojwvNDOK77C+uYAdnqcyaWmepX++T9FmQbvjOulrysN4LamvdfpzlOt1ZxTe
Mcw03Y/ERTrEZkNfahk98LwklceImp0ZozJWazmFaBwEUuKGXJNeBniq+RE7PORq
e1cZ5zBsD4xiO3OoFwzV/GvP/2/O/I4hPI9WbfhjaZ2A1bGEv3hofy4HWPUKk8w3
aclr7pyY8CqhwY6ZPzV1euhpM2sVzfUTdf2NcNVY6Ra3dbj+QkqgYI6xyRtXSEvS
cLElul4ihD9fd0asY6Iczl6bXLUj5tWAHlYR0hz59NJiJBFlWgf+bf44SqmCel+x
qh1P66/CbFWjWvit60FmYL+nPYxjXc2ygo7bYu84uwzs06z/zcuVVlJSpSuUl2WG
dbr9dTL+aQys7zAbLCsh5DnqRmWiMNM4z/V+CRiZuZLRaPVlclPJTeBAxSeZpOuP
MwOf6Izjw169Ih5Dw1dT
=pJ3c
-----END PGP SIGNATURE-----