CVE-2008-4247: CSRF
First published: Thu Sep 25 2008(Updated: )
ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreeBSD Kernel | =7.0 | |
| NetBSD current | =4.0 | |
| OpenBSD | =4.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
- http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
- http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h
- http://bugs.proftpd.org/show_bug.cgi?id=3115
- http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h
- http://www.securitytracker.com/id?1020946
- http://secunia.com/advisories/32070
- http://secunia.com/advisories/32068
- http://securityreason.com/achievement_securityalert/56
- http://www.securitytracker.com/id?1021112
- http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc
- http://secunia.com/advisories/33341
- http://securityreason.com/securityalert/4313
- http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
Frequently Asked Questions
What is the severity of CVE-2008-4247?
CVE-2008-4247 is considered a medium severity vulnerability due to its potential for cross-site request forgery (CSRF) attacks.
How do I fix CVE-2008-4247?
To remediate CVE-2008-4247, users should update to a fixed version of the affected software, such as OpenBSD 4.3 or FreeBSD 7.0 that address this issue.
What systems are affected by CVE-2008-4247?
CVE-2008-4247 affects OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems using vulnerable FTP daemons.
What type of attack does CVE-2008-4247 allow?
CVE-2008-4247 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by manipulating long FTP commands.
Is CVE-2008-4247 still a concern for modern systems?
While CVE-2008-4247 primarily impacts older versions of FTP servers, any legacy systems still running these configurations may still be vulnerable.
- agent/references
- agent/type
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- agent/softwarecombine
- agent/tags
- vendor/freebsd
- canonical/freebsd kernel
- version/freebsd kernel/7.0
- vendor/netbsd
- canonical/netbsd current
- version/netbsd current/4.0
- vendor/openbsd
- canonical/openbsd
- version/openbsd/4.3