Bug 239047 (CVE-2008-4247) - net-ftp/netkit-ftpd Cross-Site Request Forgery Vulnerability (CVE-2008-4247)
Summary: net-ftp/netkit-ftpd Cross-Site Request Forgery Vulnerability (CVE-2008-4247)
Status: RESOLVED FIXED
Alias: CVE-2008-4247
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://securitytracker.com/alerts/200...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-29 13:59 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-26 22:30 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
netkit-ftpd-0.17-CVE-2008-4247.patch (netkit-ftpd-0.17-CVE-2008-4247.patch,3.13 KB, patch)
2008-10-22 20:31 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-29 13:59:13 UTC
CVE-2008-4247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4247):
  ftpd in OpenBSD 4.3, FreeBSD 7.0, and NetBSD 4.0 interprets long
  commands from an FTP client as multiple commands, which allows remote
  attackers to conduct cross-site request forgery (CSRF) attacks and
  execute arbitrary FTP commands via a long ftp:// URI that leverages
  an existing session from the FTP client implementation in a web
  browser.
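As an added illustration, not code from this bug, from the attached patch, or from netkit-ftpd, the C program below models the line-handling flaw the CVE text describes. A reader that simply stops when its buffer is full leaves the tail of an over-long line in the input, where the next read picks it up as a fresh command; a reader that drains and rejects the whole over-long line never dispatches any part of it. The 16-byte buffer, the in-memory stream standing in for the control connection, and the sample input are constructed assumptions chosen to keep the demonstration short; the hardened reader follows the general idea of the BSD fixes (refuse the entire line) rather than their exact code.

```c
#include <stdio.h>
#include <string.h>

/* Size of one command-line buffer. Deliberately tiny (assumption) so a short
   constructed input is enough to overrun it; real daemons use 512 bytes or more. */
#define CMD_BUF 16
#define MAX_CMDS 8

/* Constructed in-memory client stream standing in for the FTP control connection. */
typedef struct {
    const char *data;
    size_t pos, len;
} stream_t;

static int stream_getc(stream_t *s)
{
    return s->pos < s->len ? (unsigned char)s->data[s->pos++] : EOF;
}

/* Strip a trailing CR/LF so commands compare cleanly. */
static void chomp(char *buf)
{
    size_t n = strlen(buf);
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\r'))
        buf[--n] = '\0';
}

/* Legacy, fgets-style reader: stops when the buffer is full and leaves the rest
   of an over-long line unread, so the next call treats it as a new command.
   Returns 1 if a line was produced, 0 at EOF. */
static int getline_legacy(stream_t *s, char *buf, size_t size)
{
    size_t n = 0;
    int c;
    while (n < size - 1 && (c = stream_getc(s)) != EOF) {
        buf[n++] = (char)c;
        if (c == '\n')
            break;
    }
    buf[n] = '\0';
    return n > 0;
}

/* Hardened reader: if bytes keep arriving after the buffer is full, the line
   does not fit. Drain it through the newline and refuse all of it, so neither
   the head nor the tail is ever dispatched. Returns 1 for a usable line,
   -1 for a rejected over-long line, 0 at EOF. */
static int getline_hardened(stream_t *s, char *buf, size_t size)
{
    size_t n = 0;
    int c;
    while ((c = stream_getc(s)) != EOF) {
        if (n == size - 1) {
            if (c == '\n')
                break;                      /* fit exactly; newline not stored */
            while ((c = stream_getc(s)) != EOF && c != '\n')
                ;                           /* discard the rest of the line */
            buf[0] = '\0';
            return -1;
        }
        buf[n++] = (char)c;
        if (c == '\n')
            break;
    }
    buf[n] = '\0';
    return n > 0;
}

/* Run a whole stream through one reader and collect the commands that would be
   dispatched. Returns the number dispatched; rejected lines are counted in *rejected. */
static int dispatch_all(const char *input, int hardened, char cmds[][CMD_BUF], int *rejected)
{
    stream_t s = { input, 0, strlen(input) };
    char buf[CMD_BUF];
    int count = 0, r;
    *rejected = 0;
    for (;;) {
        r = hardened ? getline_hardened(&s, buf, sizeof buf)
                     : getline_legacy(&s, buf, sizeof buf);
        if (r == 0)
            break;
        if (r < 0) { (*rejected)++; continue; }
        chomp(buf);
        if (buf[0] == '\0')
            continue;                       /* blank line */
        if (count < MAX_CMDS)
            strcpy(cmds[count++], buf);
    }
    return count;
}

/* Small query helpers over a shared result buffer, handy for checks. */
static char g_cmds[MAX_CMDS][CMD_BUF];
static int g_rejected;

static int count_dispatched(const char *input, int hardened)
{
    return dispatch_all(input, hardened, g_cmds, &g_rejected);
}

static int count_rejected(const char *input, int hardened)
{
    dispatch_all(input, hardened, g_cmds, &g_rejected);
    return g_rejected;
}

static const char *nth_command(const char *input, int hardened, int idx)
{
    int n = dispatch_all(input, hardened, g_cmds, &g_rejected);
    return idx < n ? g_cmds[idx] : "";
}

int main(void)
{
    /* Constructed sample: one line with no embedded newline, longer than the
       buffer, whose tail happens to spell a second (harmless) command. */
    const char *input = "RETR aaaaaaaaaaNOOP\r\n";
    int i, n;

    n = count_dispatched(input, 0);
    printf("legacy:   %d command(s) dispatched, %d rejected\n", n, g_rejected);
    for (i = 0; i < n; i++)
        printf("  [%s]\n", g_cmds[i]);

    n = count_dispatched(input, 1);
    printf("hardened: %d command(s) dispatched, %d rejected\n", n, g_rejected);
    return 0;
}
```

With the legacy reader the single input line becomes two commands, "RETR aaaaaaaaaa" and "NOOP", which is exactly the splitting the CVE text relies on; with the hardened reader nothing is dispatched and one line is counted as rejected. A real daemon would additionally answer the rejected line with an error reply and, for defenders, a burst of such rejections in the ftpd log is a reasonable thing to alert on.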
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-22 20:31:32 UTC
Created attachment 169490
netkit-ftpd-0.17-CVE-2008-4247.patch

CVS commits backported to netkit
Comment 3 SpanKY gentoo-dev 2008-10-26 05:43:36 UTC
added with netkit-ftpd-0.17-r8
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-10-26 09:15:02 UTC
Arches, please test and mark stable:
=net-ftp/netkit-ftpd-0.17-r8
Target keywords : "alpha amd64 arm ia64 ppc s390 sh sparc x86"
Comment 5 Markus Meier gentoo-dev 2008-10-26 18:39:52 UTC
amd64/x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-10-28 10:32:53 UTC
alpha/ia64/sparc stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-30 19:09:41 UTC
ppc stable
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-31 21:33:15 UTC
Ready for vote, I vote YES.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:57:32 UTC
I vote NO on this issue; exploit scenarios are unlikely.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-11-26 22:30:30 UTC
voting NO too, and closing.