Security Database IT Watching - Alert Detail - CVE-2008-4247

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

INFORMATION

Name	:	CVE-2008-4247	First Publication	:	2008-09-25
Severity	:	High	Last Modification	:	2010-07-22

SCORING CVSS v2

Cvss Base Score	:	7.5	Attack Range	:	Network
Cvss Impact Score	:	6.4	Attack Complexity	:	Low
Cvss Expoit Score	:	10	Authentification	:	None Required
Calculate full CVSS 2.0 Vectors scores

DETAIL

ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.

CWE COMMON WEAKNESS ENUMERATION

CWE-352 - Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)

CPE COMMON PLATFORM ENUMERATION

OPEN SOURCE VULNERABILTY DATABASE (OSVDB)

51371 : tnftpd FTP Command Handling CSRF.

50963 : FreeBSD ftpd / lukemftpd FTP Command Handling CSRF.

48616 : NetBSD ftpd FTP Command Handling CSRF.

48612 : OpenBSD ftpd FTP Command Handling CSRF.

SECONDARY(S) SOURCE(S)

Source : CONFIRM
Url : http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
Url : http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h
Url : http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
Url : http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h
Url : http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html

Source : FREEBSD
Url : http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc

Source : MISC
Url : http://bugs.proftpd.org/show_bug.cgi?id=3115

Source : NETBSD
Url : ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc

Source : SECTRACK
Url : http://www.securitytracker.com/id?1020946
Url : http://www.securitytracker.com/id?1021112

Source : SECUNIA
Url : http://secunia.com/advisories/32068
Url : http://secunia.com/advisories/32070
Url : http://secunia.com/advisories/33341

Source : SREASON
Url : http://securityreason.com/securityalert/4313

Source : SREASONRES
Url : http://securityreason.com/achievement_securityalert/56