CVE-2008-4247

Name: CVE-2008-4247
Description: ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high
Debian Bugs: 500278, 500518

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release         Version                 Status
linux-ftpd (PTS)        jessie          0.17-34                 fixed
                        stretch         0.17-36                 fixed
                        bullseye, sid   0.17-36.2               fixed
linux-ftpd-ssl (PTS)    jessie          0.17.33+0.3-1+deb8u1    fixed
                        stretch         0.17.36+0.3-2           fixed
                        bullseye, sid   0.17.36+0.3-2.2         fixed

The information below is based on the following data on fixed versions.

Package         Type    Release     Fixed Version           Urgency   Origin   Debian Bugs
linux-ftpd      source  (unstable)  0.17-29                                    500278
linux-ftpd-ssl  source  (unstable)  0.17.27+0.3-3                              500518
linux-ftpd-ssl  source  etch        0.17.18+0.3-6etch1

Notes

[etch] - linux-ftpd <no-dsa> (Minor issue)
