CVE-2008-4242
Published: 25 September 2008
ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
Notes
| Author | Note |
|---|---|
| stefanlsd | After discussion with Francesco Paolo Lovergine <frankie@debian.org> we concluded that this bug does not affect the Debian or Ubuntu versions of proftpd 1.3.1 or earlier. We believe the problems that this CVE affects were only introduced in the proftpd 1.3.2rc series. The exploit as found in the Bugs section was independently tested and shown to not apply. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
proftpd Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
|
| feisty |
Does not exist
|
|
| gutsy |
Does not exist
|
|
| hardy |
Does not exist
|
|
| upstream |
Released
(1.3.2)
|
|
|
Patches: other: http://bugs.proftpd.org/attachment.cgi?id=2871&action=view |
||
|
proftpd-dfsg Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| feisty |
Not vulnerable
|
|
| gutsy |
Not vulnerable
|
|
| hardy |
Not vulnerable
|
|
| upstream |
Not vulnerable
|
|