Current-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2008-014: Cross-site request forgery in ftpd(8)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2008-014
=================================
Topic: Cross-site request forgery in ftpd(8)
Version: NetBSD-current: affected
NetBSD 4.0.*: not affected
NetBSD 4.0: affected
NetBSD 3.1.*: affected
NetBSD 3.1: affected
NetBSD 3.0.*: affected
NetBSD 3.0: affected
Severity: Cross-site request forgery
Fixed: NetBSD-current: September 13, 2008
NetBSD-4-0 branch: September 18, 2008
(4.0.1 includes the fix)
NetBSD-4 branch: September 18, 2008
(4.1 will include the fix)
NetBSD-3-1 branch: September 18, 2008
(3.1.2 will include the fix)
NetBSD-3-0 branch: September 18, 2008
(3.0.4 will include the fix)
NetBSD-3 branch: September 18, 2008
(3.2 will include the fix)
pkgsrc: tnftpd-20081009 corrects the issue
Abstract
========
When accessing NetBSD servers running ftpd(8) certain commands can aide
attackers in executing CSRF attacks when e.g. using a web browser to
access ftp servers.
This vulnerability has been assigned CVE-2008-4247.
Technical Details
=================
When accessing NetBSD servers running ftpd(8) long commands are split
into multiple requests which can result in CSRF attacks.
Solutions and Workarounds
=========================
Only NetBSD systems with ftpd(8) enabled may be vulnerable to this issue.
ftpd(8) is not enabled by default in NetBSD generic installations.
As a temporary workaround disable ftpd(8) from the base OS and use the
tnftpd-20081009 package from pkgsrc which contains a fix.
The following instructions describe how to upgrade your ftpd
binaries by updating your source tree and rebuilding and installing
a new version of ftpd.
* NetBSD-current:
Systems running NetBSD-current dated from before 2008-09-13
should be upgraded to NetBSD-current dated 2008-09-14 or later.
The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
libexec/ftpd
To update from CVS, re-build, and re-install ipsec-tools:
# cd src
# cvs update -d -P libexec/ftpd
# cd libexec/ftpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 4.*:
Systems running NetBSD 4.* sources dated from before
2008-09-18 should be upgraded from NetBSD 4.* sources dated
2008-09-19 or later.
The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
libexec/ftpd
To update from CVS, re-build, and re-install ipsec-tools:
# cd src
# cvs update -r <branch_name> -d -P libexec/ftpd
# cd libexec/ftpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 3.*:
Systems running NetBSD 3.* sources dated from before
2008-09-18 should be upgraded from NetBSD 3.* sources dated
2008-09-19 or later.
The following files/directories need to be updated from the
netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
libexec/ftpd
To update from CVS, re-build, and re-install ipsec-tools:
# cd src
# cvs update -r <branch_name> -d -P libexec/ftpd
# cd libexec/ftpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Maksymilian Arciemowicz is credited with the discovery of this issue.
Luke Mewburn for supplying the fixes and testing.
Revision History
================
2008-10-27 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2008, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2008-014.txt,v 1.4 2008/10/27 19:47:39 adrianp Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)
iQCVAwUBSQYcLz5Ru2/4N2IFAQL2bwP+OH9WZ4nyrTK51+t/Xh1zgMi6dS6xu0hx
Cz8EtOKgOp062a0r87ZXk3fKBzKewsc4LHPXwsmL5wRJ6UqoosvZUFEOVXsnxR1I
7i212TLph2WKQ09aeu87Z5u6ABCoIvTqxPUfX8G+v4zg71dlkwr/2hpk6KSl5apc
qw1m1Cy1X7g=
=Motz
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index