CVE-2008-4247
Multiple Vendor FTP Server - Long Command Handling Security
- Public Exploits: 3
- Exploited in Wild: -
Description
ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets a single long command line from an FTP client as multiple commands: the part of the line that does not fit in the server's command buffer is read back and parsed as the next command. A remote attacker can use this for cross-site request forgery (CSRF) and execute arbitrary FTP commands on the server by luring a victim's web browser, whose built-in FTP client already holds a session with that server, to a long ftp:// URI whose tail carries the injected commands.
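The C program below is an added illustration and is not code from the OpenBSD, FreeBSD or NetBSD ftpd sources. It models the control-channel line reader described above: an fgets(3)-style read into a fixed buffer dispatches whatever fits as one command and leaves the rest of the line for the next read, so one sufficiently long line from the client runs as several commands. Beside it is a hardened reader that drains the rest of an over-long line and rejects it whole (the approach the vendor patches took), plus a helper showing how an attacker pads the path of an ftp:// URL so that the smuggled command lands exactly on the buffer boundary once the client prefixes its own verb. The 32-byte buffer, the verb `CWD`, the `DELE secret.txt` payload and the sample session are all constructed for this demo; a real server's buffer is larger and the exact verb a browser emits depends on the browser.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not vendor ftpd code. Buffer sizes, verbs and the
 * sample session are constructed for the demo. */

#define CMD_LEN  64   /* bytes kept per parsed command */
#define MAX_CMDS 8

/* In-memory stand-in for the FTP control connection. */
struct ctrl { const char *data; size_t len, pos; };

/* Same contract as fgets(3): copy at most n-1 bytes into buf and stop after
 * a '\n'. Whatever did not fit stays in the stream for the NEXT call, which
 * is the property the attack abuses. Returns 0 at end of stream. */
static int ctrl_gets(struct ctrl *c, char *buf, size_t n) {
    size_t i = 0;
    if (n < 2 || c->pos >= c->len) return 0;
    while (i < n - 1 && c->pos < c->len) {
        char ch = c->data[c->pos++];
        buf[i++] = ch;
        if (ch == '\n') break;
    }
    buf[i] = '\0';
    return 1;
}

static void strip_crlf(char *s) {
    size_t l = strlen(s);
    while (l > 0 && (s[l - 1] == '\n' || s[l - 1] == '\r')) s[--l] = '\0';
}

static void keep(char out[][CMD_LEN], int n, const char *buf) {
    strncpy(out[n], buf, CMD_LEN - 1);
    out[n][CMD_LEN - 1] = '\0';
}

/* Vulnerable reader: every chunk the fgets-style read returns is treated as
 * a command, so a client line longer than buflen-1 bytes becomes two or more. */
int read_commands_vulnerable(const char *stream, size_t buflen,
                             char out[][CMD_LEN], int max) {
    struct ctrl c = { stream, strlen(stream), 0 };
    char buf[CMD_LEN];
    int n = 0;
    if (buflen > CMD_LEN) buflen = CMD_LEN;
    while (n < max && ctrl_gets(&c, buf, buflen)) {
        strip_crlf(buf);
        keep(out, n++, buf);
    }
    return n;
}

/* Hardened reader: a chunk with no '\n' means the line overflowed the buffer.
 * Drain the rest of that line, count it as rejected (the server would answer
 * with a 5xx and execute nothing) and continue with the next real line. */
int read_commands_fixed(const char *stream, size_t buflen,
                        char out[][CMD_LEN], int max, int *rejected) {
    struct ctrl c = { stream, strlen(stream), 0 };
    char buf[CMD_LEN];
    int n = 0;
    *rejected = 0;
    if (buflen > CMD_LEN) buflen = CMD_LEN;
    while (n < max && ctrl_gets(&c, buf, buflen)) {
        if (strchr(buf, '\n') == NULL) {
            while (ctrl_gets(&c, buf, buflen) && strchr(buf, '\n') == NULL)
                ;                       /* discard to end of line */
            (*rejected)++;
            continue;
        }
        strip_crlf(buf);
        keep(out, n++, buf);
    }
    return n;
}

/* Attacker side: pad a URL path so that "<verb> <path>" fills exactly
 * buflen-1 bytes of the server's buffer and `smuggled` starts the next read.
 * Returns the pad length, or -1 if it cannot fit. */
int build_smuggled_path(size_t buflen, const char *verb, const char *smuggled,
                        char *out, size_t outsz) {
    size_t prefix = strlen(verb) + 1;           /* verb plus one space */
    if (buflen <= prefix + 1) return -1;
    size_t pad = buflen - 1 - prefix;
    if (pad + strlen(smuggled) + 1 > outsz) return -1;
    memset(out, 'A', pad);
    memcpy(out + pad, smuggled, strlen(smuggled) + 1);
    return (int)pad;
}

/* Constructed session: line two is "CWD " + 27 x 'A' + the smuggled DELE,
 * i.e. what a client would send for a padded ftp:// URL against a 32-byte buffer. */
static const char SAMPLE_STREAM[] =
    "USER anonymous\r\n"
    "CWD " "AAAAAAAAA" "AAAAAAAAA" "AAAAAAAAA" "DELE secret.txt\r\n"
    "QUIT\r\n";

int main(void) {
    char cmds[MAX_CMDS][CMD_LEN];
    int i, rej, n = read_commands_vulnerable(SAMPLE_STREAM, 32, cmds, MAX_CMDS);
    printf("vulnerable reader saw %d commands:\n", n);
    for (i = 0; i < n; i++) printf("  %s\n", cmds[i]);
    n = read_commands_fixed(SAMPLE_STREAM, 32, cmds, MAX_CMDS, &rej);
    printf("fixed reader saw %d commands, rejected %d over-long line(s)\n", n, rej);
    return 0;
}
```

With the 32-byte buffer the vulnerable reader reports four commands, including the `DELE secret.txt` the client never meant to send on its own, while the fixed reader reports two and one rejected line. Raise the buffer to 64 and the same session parses as three commands with the long CWD intact and harmless, which is why the attacker needs to know, or probe for, the target's buffer size.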
CVSS Scores
SSVC
- Decision: -
Timeline
- 2008-09-20 First Exploit
- 2008-09-25 CVE Reserved
- 2008-09-25 CVE Published
- 2024-05-11 EPSS Updated
- 2024-08-07 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (16)
URL | Tag | Source
---|---|---
http://bugs.proftpd.org/show_bug.cgi?id=3115 | X_refsource_misc |
http://secunia.com/advisories/32068 | Third Party Advisory |
http://secunia.com/advisories/32070 | Third Party Advisory |
http://secunia.com/advisories/33341 | Third Party Advisory |
http://securityreason.com/achievement_securityalert/56 | Third Party Advisory |
http://securityreason.com/securityalert/4313 | Third Party Advisory |
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y | X_refsource_confirm |
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c | X_refsource_confirm |
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html | X_refsource_confirm |
http://www.securitytracker.com/id?1020946 | Vdb Entry |
http://www.securitytracker.com/id?1021112 | Vdb Entry |

URL | Date | SRC
---|---|---
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc | 2012-10-23 |
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc | 2012-10-23 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Freebsd | Freebsd | 7.0 | - | Affected
Netbsd | Netbsd | 4.0 | - | Affected
Openbsd | Openbsd | 4.3 | - | Affected