Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.5
CVE Id CVE-2008-4247
Last Modified 22 Oct 2012 10:53:50
Published 25 Sep 2008 03:25:18
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2008-4247

Summary

ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
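
The flaw is a parsing bug, not a memory-safety overflow: the line reader fills a fixed-size buffer and, when a command line is longer than the buffer, hands back the first part as one command and the leftover bytes as the next one. A browser's FTP client sends the path from an ftp:// URI as a single command line, so an attacker who can get a victim's browser to load a long URI chooses where the buffer boundary falls and what text follows it; the browser's own CRLF terminates the injected tail, so no newline needs to be smuggled through the URI. The simulation below is an illustration added to this entry, not ftpd source or the vendor patches linked under References; the 32-byte buffer, the in-memory stream and the session bytes are all constructed for the example. The hardened reader shows the fix strategy of rejecting an overlong line as a whole instead of splitting it.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative line buffer, kept small so the split is easy to see.
 * Assumption: the exact size does not matter for the mechanism. */
#define LINEBUF 32

/* In-memory stand-in for the FTP control connection. */
struct stream { const char *data; size_t len; size_t pos; };

static int stream_getc(struct stream *s)
{
    return s->pos < s->len ? (unsigned char)s->data[s->pos++] : EOF;
}

typedef int (*reader_fn)(struct stream *, char *, size_t);

/* Vulnerable reader (the behaviour the advisory describes): fill the buffer
 * up to a newline or until it is full. When it fills first, the bytes that
 * did not fit stay in the stream and come back as the next "command". */
static int getline_vuln(struct stream *s, char *buf, size_t bufsz)
{
    size_t n = 0;
    int c;
    while (n < bufsz - 1 && (c = stream_getc(s)) != EOF) {
        buf[n++] = (char)c;
        if (c == '\n')
            break;
    }
    buf[n] = '\0';
    return n == 0 ? -1 : 0;          /* -1: end of input */
}

/* Hardened reader: a line that does not fit (newline included) is drained
 * to its end and reported as an error, so the caller rejects the whole line
 * with a 5xx reply and never sees the attacker-chosen tail as a command. */
static int getline_fixed(struct stream *s, char *buf, size_t bufsz)
{
    size_t n = 0;
    int c;
    while ((c = stream_getc(s)) != EOF) {
        if (n >= bufsz - 1) {        /* overflow: discard rest of the line */
            while (c != '\n' && (c = stream_getc(s)) != EOF)
                ;
            buf[0] = '\0';
            return -2;               /* -2: line too long, rejected whole */
        }
        buf[n++] = (char)c;
        if (c == '\n')
            break;
    }
    buf[n] = '\0';
    return n == 0 ? -1 : 0;
}

/* Constructed control-connection input (not a real capture): one normal
 * command, then the line a browser's FTP client would send for a crafted
 * long ftp:// URI. Padding puts the buffer boundary right before the
 * injected tail; the browser's own CRLF terminates it. */
static size_t build_session(char *dst, size_t dstsz)
{
    const char *normal = "USER anonymous\r\n";
    const char *prefix = "CWD ";
    const char *inject = "DELE secret.txt\r\n";
    size_t pad = (LINEBUF - 1) - strlen(prefix);
    size_t off = 0;
    if (strlen(normal) + strlen(prefix) + pad + strlen(inject) + 1 > dstsz)
        return 0;
    memcpy(dst + off, normal, strlen(normal)); off += strlen(normal);
    memcpy(dst + off, prefix, strlen(prefix)); off += strlen(prefix);
    memset(dst + off, 'A', pad);               off += pad;
    memcpy(dst + off, inject, strlen(inject)); off += strlen(inject);
    dst[off] = '\0';
    return off;
}

struct result { int dispatched; int rejected; int injected_executed; };

/* Run the constructed session through a reader and count what the command
 * dispatcher would see. */
static struct result run_session(reader_fn rd)
{
    char input[128], buf[LINEBUF];
    struct result res = { 0, 0, 0 };
    struct stream s = { input, build_session(input, sizeof input), 0 };
    for (;;) {
        int r = rd(&s, buf, sizeof buf);
        if (r == -1)
            break;
        if (r == -2) { res.rejected++; continue; }
        buf[strcspn(buf, "\r\n")] = '\0';
        res.dispatched++;
        if (strncmp(buf, "DELE ", 5) == 0)
            res.injected_executed = 1;
    }
    return res;
}

int main(void)
{
    struct result v = run_session(getline_vuln), f = run_session(getline_fixed);
    printf("vulnerable: %d dispatched, DELE executed: %d\n", v.dispatched, v.injected_executed);
    printf("fixed: %d dispatched, %d rejected, DELE executed: %d\n",
           f.dispatched, f.rejected, f.injected_executed);
    return 0;
}
```

With the vulnerable reader the session yields three commands, the third being the injected DELE; with the hardened reader the USER line is dispatched, the overlong line is rejected once, and no DELE reaches the dispatcher. The rejection must consume the rest of the line before returning, otherwise the leftover bytes are still parsed as a command on the next call and the fix is incomplete.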

Vulnerable Systems

Operating System

  • FreeBSD 7.0

  • NetBSD 4.0

  • OpenBSD 4.3


References

SECTRACK - 1021112

SECTRACK - 1020946

CONFIRM - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

CONFIRM - http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h

CONFIRM - http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c

CONFIRM - http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h

CONFIRM - http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y

SREASON - 4313

SREASONRES - 20080926 multiple vendor ftpd - Cross-site request forgery

FREEBSD - FreeBSD-SA-08:12

SECUNIA - 33341

SECUNIA - 32070

SECUNIA - 32068

MISC - http://bugs.proftpd.org/show_bug.cgi?id=3115

NETBSD - NetBSD-SA2008-014

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html


Last Updated: 27 May 2016 10:49:42