CVE-2008-4247

ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
References
Link Resource
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc
http://bugs.proftpd.org/show_bug.cgi?id=3115
http://secunia.com/advisories/32068
http://secunia.com/advisories/32070
http://secunia.com/advisories/33341
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc
http://securityreason.com/achievement_securityalert/56
http://securityreason.com/securityalert/4313
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h Exploit
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h Exploit
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.securitytracker.com/id?1020946
http://www.securitytracker.com/id?1021112
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc
http://bugs.proftpd.org/show_bug.cgi?id=3115
http://secunia.com/advisories/32068
http://secunia.com/advisories/32070
http://secunia.com/advisories/33341
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc
http://securityreason.com/achievement_securityalert/56
http://securityreason.com/securityalert/4313
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h Exploit
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h Exploit
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.securitytracker.com/id?1020946
http://www.securitytracker.com/id?1021112
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:freebsd:freebsd:7.0:*:*:*:*:*:*:*
cpe:2.3:o:netbsd:netbsd:4.0:*:*:*:*:*:*:*
cpe:2.3:o:openbsd:openbsd:4.3:*:*:*:*:*:*:*

History

21 Nov 2024, 00:51

Type Values Removed Values Added
References () ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc - () ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc -
References () http://bugs.proftpd.org/show_bug.cgi?id=3115 - () http://bugs.proftpd.org/show_bug.cgi?id=3115 -
References () http://secunia.com/advisories/32068 - () http://secunia.com/advisories/32068 -
References () http://secunia.com/advisories/32070 - () http://secunia.com/advisories/32070 -
References () http://secunia.com/advisories/33341 - () http://secunia.com/advisories/33341 -
References () http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc - () http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc -
References () http://securityreason.com/achievement_securityalert/56 - () http://securityreason.com/achievement_securityalert/56 -
References () http://securityreason.com/securityalert/4313 - () http://securityreason.com/securityalert/4313 -
References () http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y - () http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y -
References () http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h - Exploit () http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h - Exploit
References () http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c - () http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c -
References () http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h - Exploit () http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h - Exploit
References () http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html - () http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html -
References () http://www.securitytracker.com/id?1020946 - () http://www.securitytracker.com/id?1020946 -
References () http://www.securitytracker.com/id?1021112 - () http://www.securitytracker.com/id?1021112 -

Information

Published : 2008-09-25 19:25

Updated : 2024-11-21 00:51


NVD link : CVE-2008-4247

Mitre link : CVE-2008-4247

CVE.ORG link : CVE-2008-4247


JSON object : View

Products Affected

openbsd

  • openbsd

netbsd

  • netbsd

freebsd

  • freebsd
CWE
CWE-352

Cross-Site Request Forgery (CSRF)