Notified:  May 25, 2006 Updated: May 31, 2006

Status

Affected

Vendor Statement

We are fully aware of this issue, but have no plans to update our software at this time. In our opinion this vulnerability note does not affect wodSFTP's security or strength - it only explains that wodSFTP can be used by malicious software. Trying to remove 'safe for scripting' flag would affect wodSFTP's functionality and it wouldn't be usable in certain environments at all.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We believe the wodSFTP control be be vulnerable because it does not follow Microsoft's "Designing Secure ActiveX Controls" guidelines. If you do not need to use the wodSFTP control in a web page, we recommend setting the kill bit for the control, as specified in VU#378604.