CVE-2008-4242

Publication date 25 September 2008

Last updated 24 July 2024


Ubuntu priority

ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
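As an added illustration (not ProFTPD's code and not part of the Ubuntu tracker entry), the following Python models the behaviour the description refers to: a server that reads each command line into a fixed-size buffer and, when a line is longer than the buffer, keeps parsing the leftover bytes as further commands. A client tricked into sending one overlong line on an already authenticated session therefore ends up issuing a second command it never intended to. The buffer size of 16, the `CWD ` prefix (an assumption about what the browser's FTP client would send for a path in an ftp:// URI) and the injected `DELE` command are all constructed for the example. The hardened reader shows the check a fixed server applies, which is to reject an overlong line in full rather than split it.

```python
# Added example: simplified model of the command-splitting bug in the CVE
# description. Illustrative only; this is not ProFTPD's source and the
# buffer size, commands and padding are constructed for the demonstration.
from typing import List, Tuple

BUF_SIZE = 16  # assumed, deliberately small so the split is easy to see


def read_commands_vulnerable(data: bytes, buf_size: int = BUF_SIZE) -> List[bytes]:
    """Model of the vulnerable reader.

    Each read takes at most buf_size bytes, stopping early at a newline.
    Whatever is left of an overlong line is handed to the command parser on
    the next iteration as though the client had sent a separate line.
    """
    cmds = []
    while data:
        nl = data.find(b"\n")
        end = min(nl + 1 if nl != -1 else len(data), buf_size)
        chunk, data = data[:end], data[end:]
        chunk = chunk.rstrip(b"\r\n")
        if chunk:
            cmds.append(chunk)
    return cmds


def read_commands_fixed(data: bytes, buf_size: int = BUF_SIZE) -> Tuple[List[bytes], int]:
    """Hardened reader: a line that does not fit into the buffer is discarded
    up to and including its terminating newline, so none of it is parsed.
    Returns (accepted commands, number of rejected overlong lines)."""
    cmds = []
    rejected = 0
    while data:
        nl = data.find(b"\n")
        if nl == -1:
            # Incomplete line with no terminator yet; a real server would
            # wait for more bytes. For this offline model we stop here.
            break
        if nl + 1 > buf_size:
            data = data[nl + 1:]  # drop the whole line, not just the excess
            rejected += 1
            continue
        chunk, data = data[:nl].rstrip(b"\r"), data[nl + 1:]
        if chunk:
            cmds.append(chunk)
    return cmds, rejected


def craft_overlong_line(prefix: bytes, injected: bytes, buf_size: int = BUF_SIZE) -> bytes:
    """Build one command line padded so that, under the vulnerable reader,
    `injected` begins exactly at a buffer boundary and runs as its own
    command. `prefix` models the part the client itself sends (e.g. b"CWD ")."""
    pad_len = (-len(prefix)) % buf_size
    return prefix + b"A" * pad_len + injected + b"\r\n"


if __name__ == "__main__":
    line = craft_overlong_line(b"CWD ", b"DELE secret.txt")
    print("vulnerable:", read_commands_vulnerable(line))
    print("fixed:     ", read_commands_fixed(line))
```

Under the vulnerable model the single line arrives as two commands, `CWD AAAAAAAAAAAA` followed by `DELE secret.txt`; the fixed model accepts nothing from that line and counts it as one rejected request, while ordinary short lines are still parsed normally.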


Status

No maintained releases are affected by this CVE.

Package        Ubuntu Release      Status
proftpd        8.04 LTS hardy      Not in release
               7.10 gutsy          Not in release
               7.04 feisty         Not in release
               6.06 LTS dapper     Not affected
proftpd-dfsg   8.04 LTS hardy      Not affected
               7.10 gutsy          Not affected
               7.04 feisty         Not affected
               6.06 LTS dapper     Not in release

Notes


stefanlsd

After discussion with Francesco Paolo Lovergine <frankie@debian.org> we concluded that this bug does not affect the Debian or Ubuntu versions of proftpd 1.3.1 or earlier. We believe the problems that this CVE affects were only introduced in the proftpd 1.3.2rc series. The exploit as found in the Bugs section was independently tested and shown to not apply.

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
proftpd