CVE-2008-4247

NameCVE-2008-4247
Descriptionftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs500278, 500518

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux-ftpd (PTS)jessie0.17-34fixed
stretch0.17-36fixed
bullseye0.17-36.2fixed
bookworm0.17-37fixed
linux-ftpd-ssl (PTS)jessie0.17.33+0.3-1+deb8u1fixed
stretch0.17.36+0.3-2fixed
bullseye0.17.36+0.3-2.2fixed
bookworm0.17.36+really0.17-2fixed
sid0.17.36+really0.17-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linux-ftpdsource(unstable)0.17-29500278
linux-ftpd-sslsourceetch0.17.18+0.3-6etch1
linux-ftpd-sslsource(unstable)0.17.27+0.3-3500518

Notes

[etch] - linux-ftpd <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems