Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 29 Sep 2008 15:54:55 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Steffen Joeris <steffen.joeris@...lelinux.de>
Subject: Re: CVE id request: ftpd

On Monday 29 September 2008, Steffen Joeris wrote:
> Hi
>
> There seems to be a Cross-site request forgery[0] in ftpd.

There have been two CVEs assigned, one for proftpd and one for 
netkit-ftpd:

CVE-2008-4242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4242):
  ProFTPD 1.3.1 interprets long commands from an FTP client as multiple
  commands, which allows remote attackers to conduct cross-site request
  forgery (CSRF) attacks and execute arbitrary FTP commands via a long
  ftp:// URI that leverages an existing session from the FTP client
  implementation in a web browser.

CVE-2008-4247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4247):
  ftpd in OpenBSD 4.3, FreeBSD 7.0, and NetBSD 4.0 interprets long
  commands from an FTP client as multiple commands, which allows remote
  attackers to conduct cross-site request forgery (CSRF) attacks and
  execute arbitrary FTP commands via a long ftp:// URI that leverages
  an existing session from the FTP client implementation in a web
  browser.


Robert

Download attachment "signature.asc " of type "application/pgp-signature" (836 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.