CVE-2008-4247
Published 2008-09-25 · CVE-2008-4247: ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands…
Priority P3 · 41 · high · CVSS 2.0 base score 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 4.04% (89.4th percentile)
ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
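The one-sentence description compresses the mechanism. What "interprets long commands as multiple commands" means in practice: the daemon reads each command line into a fixed-size buffer (fgets-style), and when a line does not fit, the bytes left over stay in the input and are returned by the next read as if the client had sent a second command. A browser that is logged into an FTP site sends the path of a long ftp:// URL as the argument of a single command, so a page the victim merely visits can choose a path whose tail lands exactly at the buffer boundary and is then executed with the victim's session; the attacker never has to get a raw CR/LF through the browser. The C program below is an added illustration written for this page, not code from any of the listed ftpd implementations or from the advisories. It models the control connection as an in-memory byte stream, puts a vulnerable reader next to a hardened one that rejects and drains overlong lines (the shape of the fix; the actual OpenBSD ftpd.c and ftpcmd.y diffs are among the references), and runs a constructed payload through both. The 512-byte buffer, the `CWD`/`DELE` payload and the filler length are assumptions chosen to make the split visible; how a given browser encodes the URL path is outside what it models.

```c
#include <stdio.h>
#include <string.h>

#define CMDBUF 512   /* assumed command buffer; fgets stores at most CMDBUF-1 bytes */

/* In-memory stand-in for the FTP control connection. */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
} conn_t;

/* fgets()-style read: copies up to n-1 bytes, stopping after a '\n'.
 * Returns the number of bytes stored; 0 means end of stream. */
static size_t conn_gets(conn_t *c, char *buf, size_t n)
{
    size_t i = 0;
    while (i < n - 1 && c->pos < c->len) {
        char ch = c->data[c->pos++];
        buf[i++] = ch;
        if (ch == '\n')
            break;
    }
    buf[i] = '\0';
    return i;
}

/* Vulnerable reader: an overlong line is silently truncated and the
 * leftover bytes stay in the stream, to be returned as the next "command". */
static int getline_vuln(conn_t *c, char *buf, size_t n)
{
    return conn_gets(c, buf, n) > 0 ? 0 : -1;
}

/* Hardened reader: if the buffer filled without seeing '\n', discard the
 * rest of that line and report an error so none of it is dispatched. */
static int getline_fixed(conn_t *c, char *buf, size_t n)
{
    size_t got = conn_gets(c, buf, n);
    if (got == 0)
        return -1;                       /* end of stream */
    if (got == n - 1 && buf[got - 1] != '\n') {
        while (c->pos < c->len && c->data[c->pos++] != '\n')
            ;                            /* drain remainder of the line */
        buf[0] = '\0';
        return -2;                       /* caller sends an error reply */
    }
    return 0;
}

typedef int (*reader_fn)(conn_t *, char *, size_t);

/* Feed a byte stream through a reader and record the verb of every line
 * that would reach the command dispatcher. Returns the number of verbs. */
static int run_session(const char *stream, size_t len, reader_fn rd,
                       char verbs[][8], int max)
{
    conn_t c = { stream, len, 0 };
    char line[CMDBUF];
    int n = 0, rc;

    while (n < max && (rc = rd(&c, line, sizeof line)) != -1) {
        if (rc == -2)
            continue;                    /* rejected by the hardened reader */
        size_t vl = strcspn(line, " \r\n");
        if (vl > 7)
            vl = 7;
        memcpy(verbs[n], line, vl);
        verbs[n][vl] = '\0';
        n++;
    }
    return n;
}

/* Constructed payload: one CWD line (no CR/LF inside, as a browser would
 * send for a long URL path) padded so the 511-byte boundary falls exactly
 * before the injected second command. */
static size_t build_payload(char *out, size_t cap)
{
    const char *prefix = "CWD ";
    const char *inject = "DELE important.txt\r\n";
    size_t pad = (CMDBUF - 1) - strlen(prefix);      /* 507 filler bytes */
    size_t total = strlen(prefix) + pad + strlen(inject);
    if (total >= cap)
        return 0;
    memcpy(out, prefix, strlen(prefix));
    memset(out + strlen(prefix), 'A', pad);
    memcpy(out + strlen(prefix) + pad, inject, strlen(inject));
    out[total] = '\0';
    return total;
}

static char g_verbs[4][8];               /* verbs seen in the last run */

/* Commands the dispatcher sees for the attack stream under a given reader. */
static int attack_command_count(reader_fn rd)
{
    char payload[1024];
    size_t len = build_payload(payload, sizeof payload);
    return run_session(payload, len, rd, g_verbs, 4);
}

/* Sanity check: ordinary short lines are unaffected by the hardening. */
static int benign_command_count(reader_fn rd)
{
    static const char s[] = "USER anonymous\r\nCWD pub\r\n";
    return run_session(s, sizeof s - 1, rd, g_verbs, 4);
}

int main(void)
{
    int n = attack_command_count(getline_vuln);
    printf("vulnerable reader: %d command(s)", n);
    for (int i = 0; i < n; i++)
        printf(" %s", g_verbs[i]);
    printf("\nhardened reader:   %d command(s)\n", attack_command_count(getline_fixed));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the vulnerable reader dispatches `CWD` followed by the injected `DELE`, the hardened reader dispatches nothing from that line, and both still accept the two benign commands. The same boundary is the detection signal on the wire: a control-channel line that reaches the daemon's buffer size without a terminating newline is worth alerting on, since the page lists no detection rules for this CVE.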
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux-ftpd | < linux-ftpd 0.17-29 (bookworm) | linux-ftpd 0.17-29 (bookworm) |
| debian | linux-ftpd-ssl | < linux-ftpd 0.17-29 (bookworm) | linux-ftpd 0.17-29 (bookworm) |
| freebsd | freebsd | — | — |
| linux-ftpd-ssl | linux-ftpd-ssl | >= 0, < 0.17.27+0.3-3 | 0.17.27+0.3-3 |
| netbsd | netbsd | — | — |
| openbsd | openbsd | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
GHSA
GHSA-px9q-8f7r-rv49 (ghsa_unreviewed · 2022-05-03 · HIGH · CWE-352)
Description identical to the CVE text above.
OSV
CVE-2008-4247 (osv · 2008-09-25 · CVSS 7.5 · HIGH)
Description identical to the CVE text above.
BSD
FreeBSD-SA-09:01.lukemftpd: Cross-site request forgery in lukemftpd(8) (bsd_advisories · 2009-01-07 · CVSS 7.5 · HIGH)
FreeBSD-SA-09:01.lukemftpd Security Advisory
The FreeBSD Project
Topic: Cross-site request forgery in lukemftpd(8)
Category: core
Module: lukemftpd
Announced: 2009-01-07
Credits: Maksymilian Arciemowicz
Affects: All supported versions of FreeBSD.
Corrected: 2009-01-07 20:17:55 UTC (RELENG_7, 7.1-STABLE)
2009-01-07 20:17:55 UTC (RELENG_7_1, 7.1-RELEASE-p1)
2009-01-07 20:17:55 UTC (RELENG_7_0, 7.0-RELEASE-p8)
2009-01-07 20:17:55 UTC (RELENG_6, 6.4-STABLE)
2009-01-07 20:17:55 UTC (RELENG_6_4, 6.4-RELEASE-p2)
2009-01-07 20:17:55 UTC (RELENG_6_3, 6.3-RELEASE-p8)
CVE Name: CVE-2008-4247
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
lukemftpd(8) is a genera
BSD
FreeBSD-SA-08:12.ftpd: Cross-site request forgery in ftpd(8) (bsd_advisories · 2008-12-23 · CVSS 7.5 · HIGH)
FreeBSD-SA-08:12.ftpd Security Advisory
The FreeBSD Project
Topic: Cross-site request forgery in ftpd(8)
Category: core
Module: ftpd
Announced: 2008-12-23
Credits: Maksymilian Arciemowicz
Affects: All supported versions of FreeBSD.
Corrected: 2008-12-23 01:23:09 UTC (RELENG_7, 7.1-PRERELEASE)
2008-12-23 01:23:09 UTC (RELENG_7_1, 7.1-RC2)
2008-12-23 01:23:09 UTC (RELENG_7_0, 7.0-RELEASE-p7)
2008-12-23 01:23:09 UTC (RELENG_6, 6.4-STABLE)
2008-12-23 01:23:09 UTC (RELENG_6_4, 6.4-RELEASE-p1)
2008-12-23 01:23:09 UTC (RELENG_6_3, 6.3-RELEASE-p7)
CVE Name: CVE-2008-4247
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
ftpd(8) is a general-purpose implementatio
Debian
CVE-2008-4247: linux-ftpd (vendor_debian · 2008 · CVSS 7.5 · HIGH)
Description identical to the CVE text above.
Scope: local
bookworm: resolved (fixed in 0.17-29)
bullseye: resolved (fixed in 0.17-29)
No detection rules found.
References
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc
http://bugs.proftpd.org/show_bug.cgi?id=3115
http://secunia.com/advisories/32068
http://secunia.com/advisories/32070
http://secunia.com/advisories/33341
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc
http://securityreason.com/achievement_securityalert/56
http://securityreason.com/securityalert/4313
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diff?r1=1.51&r2=1.52&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diff?r1=1.183&r2=1.184&f=h
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://www.securitytracker.com/id?1020946
http://www.securitytracker.com/id?1021112
Published: 2008-09-25