CVE-2008-4242
Published 2008-09-25
Priority P4 33 medium · CVSS 2.0 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EPSS 7.07% (93.4th percentile)
ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.1-15 (bookworm) | proftpd-dfsg 1.3.1-15 (bookworm) |
| proftpd_project | proftpd | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | LOW | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
GHSA
GHSA-hvr6-6w44-9wq6: ProFTPD 1
ghsa_unreviewed · 2022-05-02 · CVE-2008-4242 · MEDIUM · CWE-352
OSV
CVE-2008-4242: ProFTPD 1
osv · 2008-09-25 · CVSS 6.8 · MEDIUM
Red Hat
proftpd CSRF attack
vendor_redhat · 2008-09-25 · CVSS 6.8 · MEDIUM · CWE-352
Debian
CVE-2008-4242: proftpd-dfsg - ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, ...
vendor_debian · 2008 · CVSS 6.8 · MEDIUM
Scope: local
- bookworm: resolved (fixed in 1.3.1-15)
- bullseye: resolved (fixed in 1.3.1-15)
- forky: resolved (fixed in 1.3.1-15)
- sid: resolved (fixed in 1.3.1-15)
- trixie: resolved (fixed in 1.3.1-15)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2008-4242 proftpd CSRF attack [F8]
bugzilla · 2008-09-26 · CVSS 6.8 · MEDIUM
F8 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
You can eventually use the following link to create the update request:
https://admin.fedoraproject.org/updates/new/request=Stable&type=security&release=Fedora%208&bugs=464128
---
This message is a reminder that Fedora 8 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 8. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '8'.
Package Maintainer: If you wish for this bug to remain open because yo
Bugzilla
CVE-2008-4242 proftpd CSRF attack
bugzilla · 2008-09-26 · CVSS 6.8 · MEDIUM
ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
References:
- CONFIRM: http://bugs.proftpd.org/show_bug.cgi?id=3115
- BID: 31289 (http://www.securityfocus.com/bid/31289)
- SECUNIA: 31930 (http://secunia.com/advisories/31930)
- XF: proftpd-url-csrf(45274) (http://xforce.iss.net/xforce/xfdb/45274)
Discussion:
Upstream patches (as linked in upstream bug report referenced above):
http://bugs.proftpd.org/attachment.cgi?id=2871&action=view
Simp
Bugzilla
CVE-2008-4242 proftpd CSRF attack [epel-5]
bugzilla · 2008-09-26 · CVSS 6.8 · MEDIUM
epel-5 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
I see that proftpd-1.3.1-8.el5 has been pushed to testing updates, so closing.
Bugzilla
CVE-2008-4242 proftpd CSRF attack [F9]
bugzilla · 2008-09-26 · CVSS 6.8 · MEDIUM
F9 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
You can eventually use the following link to create the update request:
https://admin.fedoraproject.org/updates/new/request=Stable&type=security&release=Fedora%209&bugs=464129
---
proftpd-1.3.1-8.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/proftpd-1.3.1-8.fc9
---
proftpd-1.3.1-8.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2008-4242 proftpd CSRF attack [F10]
bugzilla · 2008-09-26 · CVSS 6.8 · MEDIUM
Fdevel tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'.
More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
---
proftpd-1.3.1-8.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2008-4242 proftpd CSRF attack [epel-4]
bugzilla · 2008-09-26 · CVSS 6.8 · MEDIUM
epel-4 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
I see that proftpd-1.3.1-8.el4 has been pushed to testing updates, so closing.
References
- http://bugs.proftpd.org/show_bug.cgi?id=3115
- http://secunia.com/advisories/31930
- http://secunia.com/advisories/33261
- http://secunia.com/advisories/33413
- http://securityreason.com/achievement_securityalert/56
- http://securityreason.com/securityalert/4313
- http://www.debian.org/security/2008/dsa-1689
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:061
- http://www.securityfocus.com/bid/31289
- http://www.securitytracker.com/id?1020945
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45274
- https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00078.html
- https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00245.html
Published 2008-09-25