FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-4247

This CVE name corresponds to:

Entered Topic
2009-01-05 FreeBSD -- Cross-site request forgery in ftpd(8)
2008-09-23 proftpd -- Long Command Processing Vulnerability

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2008-4247
Phase Assigned(20080925)

Description

ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
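The mechanism in that description, as an added example that is not part of this VuXML entry or of any listed vendor's ftpd: a constructed model of a control-channel line reader with a fixed buffer. With the vulnerable reading loop, an fgets-style read that fills the buffer without reaching the newline still hands the partial line to the parser, and the remainder of the same line is read next time as a fresh command. An attacker who can only control one URL path (no CR/LF, so no ordinary command injection through the browser) pads that path so the server's buffer boundary lands just before the command they want executed. The buffer size, the crafted bytes and the drain-and-reject fix below are assumptions chosen to make the split visible in a few bytes; real daemons use a much larger buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not ftpd's own code. LINEBUF is tiny so the split
 * shows up in a short input; the real buffer is BUFSIZ-sized. */
#define LINEBUF 16

/* Cursor over an in-memory byte stream standing in for the control socket. */
struct stream { const char *data; size_t len; size_t pos; };

/* fgets-like read: copy up to LINEBUF-1 bytes or through the first '\n'.
 * Returns the number of bytes copied, 0 at end of stream. */
static size_t read_chunk(struct stream *s, char *buf) {
    size_t n = 0;
    while (n < LINEBUF - 1 && s->pos < s->len) {
        char c = s->data[s->pos++];
        buf[n++] = c;
        if (c == '\n') break;
    }
    buf[n] = '\0';
    return n;
}

/* Read one command line.
 * fixed == 0: vulnerable behaviour. A chunk with no trailing newline is
 *   still returned as a command; the rest of the line becomes the next one.
 * fixed == 1: a chunk with no newline means the line overran the buffer.
 *   The remainder of the line is drained and discarded and -1 is returned,
 *   so the caller answers with a 500 reply and executes nothing.
 * Returns 1 when a command is in buf, 0 at end of stream. */
static int read_command(struct stream *s, char *buf, int fixed) {
    size_t n = read_chunk(s, buf);
    if (n == 0) return 0;
    if (buf[n - 1] == '\n') { buf[n - 1] = '\0'; return 1; }
    if (!fixed) return 1;                       /* partial line parsed as-is */
    while (s->pos < s->len && s->data[s->pos++] != '\n') { }
    buf[0] = '\0';
    return -1;
}

/* Run the reader over the whole input and collect the verbs that would be
 * dispatched, space-separated, into out. Returns the number of commands. */
int dispatch_all(const char *input, int fixed, char *out, size_t outsz) {
    struct stream s = { input, strlen(input), 0 };
    char line[LINEBUF];
    int count = 0, r;
    out[0] = '\0';
    while ((r = read_command(&s, line, fixed)) != 0) {
        if (r < 0) continue;                    /* "500 Line too long", nothing run */
        size_t l = strlen(line);
        if (l && line[l - 1] == '\r') line[l - 1] = '\0';   /* FTP lines end in CRLF */
        if (line[0] == '\0') continue;
        char *sp = strchr(line, ' ');
        if (sp) *sp = '\0';
        if (count) strncat(out, " ", outsz - strlen(out) - 1);
        strncat(out, line, outsz - strlen(out) - 1);
        count++;
    }
    return count;
}

/* Constructed control-channel bytes: a single CWD line whose path is padded
 * so that the 15-byte buffer boundary falls right before "DELE". The client
 * sent exactly one command; the vulnerable reader sees two. */
static const char crafted[] = "CWD aaaaaaaaaaaDELE secret\r\n";

int main(void) {
    char out[64];
    int n;
    n = dispatch_all(crafted, 0, out, sizeof out);
    printf("vulnerable: %d command(s): %s\n", n, out);   /* 2: CWD DELE */
    n = dispatch_all(crafted, 1, out, sizeof out);
    printf("fixed:      %d command(s): %s\n", n, out);   /* 0: line rejected */
    return 0;
}
```

To check a server for this class of bug from the outside, send a single command line several kilobytes long with a recognisable second verb after the padding and watch whether the reply sequence contains one error for the overlong line or two replies, one per fragment; a correctly patched daemon answers the oversize line once and never sees the second verb.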

References

Source Reference
SREASONRES 20080926 multiple vendor ftpd - Cross-site request forgery
MISC http://bugs.proftpd.org/show_bug.cgi?id=3115
CONFIRM http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
CONFIRM http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h
CONFIRM http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
CONFIRM http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h
CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
FREEBSD FreeBSD-SA-08:12
NETBSD NetBSD-SA2008-014
SECTRACK 1020946
SECTRACK 1021112
SECUNIA 32068
SECUNIA 32070
SECUNIA 33341
SREASON 4313