{
  "modified": "2025-08-09T19:01:28Z",
  "published": "2010-10-19T20:00:03Z",
  "id": "CVE-2009-5012",
  "details": "ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.",
  "references": [
    {
      "type": "WEB",
      "url": "http://code.google.com/p/pyftpdlib/issues/detail?id=114"
    },
    {
      "type": "WEB",
      "url": "http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY"
    },
    {
      "type": "WEB",
      "url": "http://code.google.com/p/pyftpdlib/source/detail?r=596"
    },
    {
      "type": "WEB",
      "url": "http://code.google.com/p/pyftpdlib/source/diff?spec=svn596\u0026r=596\u0026format=side\u0026path=/trunk/pyftpdlib/ftpserver.py"
    }
  ]
}