261199 – <net-ftp/tnftp-20081009 Cross-Site Request Forgery Vulnerability (CVE-2008-4247)

Bug 261199 - <net-ftp/tnftp-20081009 Cross-Site Request Forgery Vulnerability (CVE-2008-4247)

Summary: <net-ftp/tnftp-20081009 Cross-Site Request Forgery Vulnerability (CVE-2008-4247)

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	ftp://ftp.netbsd.org/pub/NetBSD/secur...
Whiteboard:	B3 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2009-03-04 17:35 UTC by Robert Buchholz (RETIRED)
Modified:	2009-03-06 01:48 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2009-03-04 17:35:26 UTC

CVE-2008-4247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4247):
  ftpd in OpenBSD 4.3, FreeBSD 7.0, and NetBSD 4.0 interprets long
  commands from an FTP client as multiple commands, which allows remote
  attackers to conduct cross-site request forgery (CSRF) attacks and
  execute arbitrary FTP commands via a long ftp:// URI that leverages
  an existing session from the FTP client implementation in a web
  browser.

Comment 1 Sven Wegener gentoo-dev

2009-03-05 20:44:17 UTC

net-ftp/tnftp is only the ftp client, we don't have tnftpd in the tree.

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2009-03-06 01:48:24 UTC

oh, sorry I missed that.