Launchpad.net

CVE 2008-4247

ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.

Related bugs and status

CVE-2008-4247 (Candidate) is related to these bugs:

Bug #310949: ProFTPD in Hardy vulnerable to CVE-2008-4242

		In	Importance	Status
310949	ProFTPD in Hardy vulnerable to CVE-2008-4242	proftpd-dfsg (Ubuntu)	Undecided	Fix Released
310949	ProFTPD in Hardy vulnerable to CVE-2008-4242	proftpd-dfsg (Ubuntu Hardy)	Undecided	Won't Fix
310949	ProFTPD in Hardy vulnerable to CVE-2008-4242	proftpd-dfsg (Ubuntu Jaunty)	Undecided	Fix Released
310949	ProFTPD in Hardy vulnerable to CVE-2008-4242	proftpd-dfsg (Ubuntu Intrepid)	Undecided	Invalid

Bug #602331: Sync linux-ftpd-ssl 0.17.31+0.3-1 (universe) from Debian unstable (main)

Summary				In	Importance	Status
	602331	Sync linux-ftpd-ssl 0.17.31+0.3-1 (universe) from Debian unstable (main)		linux-ftpd-ssl (Ubuntu)	Wishlist	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: http://bugs.proftpd.or...
CONFIRM: http://www.openbsd.org...
CONFIRM: http://www.openbsd.org...
SECTRACK: 1020946
SECUNIA: 32068
SECUNIA: 32070
SREASONRES: 20080926 multiple vend...
NETBSD: NetBSD-SA2008-014
SECTRACK: 1021112
FREEBSD: FreeBSD-SA-08:12
SECUNIA: 33341
SREASON: 4313
CONFIRM: http://www.oracle.com/...
CONFIRM: http://www.openbsd.org...
CONFIRM: http://www.openbsd.org...