CVE-2020-8634: 
Wing FTP Server vulnerability analysis and mitigation

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris contains a vulnerability where files modified within the HTTP file management interface are set with insecure permissions. This vulnerability, identified as CVE-2020-8634, was disclosed on March 7, 2020, and affects the server's file permission handling mechanism (NVD, AttackerKB).

The vulnerability stems from Wing FTP Server utilizing an unsafe umask when modifying files through the HTTP(S) interface. While the default permissions are set to "644" in the administrator interface, files modified via HTTP are saved with world-readable and world-writable permissions ("666"). This occurs when files are modified through the web interface, resulting in the owner and group being changed to root with permissions set to "666" (Hooper Labs).

The vulnerability's impact is significant as it allows any files modified through the HTTP interface to become world-readable and world-writable. If sensitive system files are edited this way, it could lead to unauthorized access to critical system files and potential privilege escalation to root. The CVSS base score of 7.8 indicates a high severity level (AttackerKB).

Users should upgrade to a patched version of Wing FTP Server that properly handles file permissions. Additionally, administrators should review and restrict access to the HTTP file management interface and regularly monitor for unauthorized file modifications (Hooper Labs).