Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 261199

Summary: <net-ftp/tnftp-20081009 Cross-Site Request Forgery Vulnerability (CVE-2008-4247)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: minor CC: swegener
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 17:35:26 UTC
CVE-2008-4247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4247):
  ftpd in OpenBSD 4.3, FreeBSD 7.0, and NetBSD 4.0 interprets long
  commands from an FTP client as multiple commands, which allows remote
  attackers to conduct cross-site request forgery (CSRF) attacks and
  execute arbitrary FTP commands via a long ftp:// URI that leverages
  an existing session from the FTP client implementation in a web
  browser.
Comment 1 Sven Wegener gentoo-dev 2009-03-05 20:44:17 UTC
net-ftp/tnftp is only the ftp client, we don't have tnftpd in the tree.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-06 01:48:24 UTC
oh, sorry I missed that.