NetBSD Security Advisory 2008-014: Cross-site request forgery in ftpd(8)

From: NetBSD Security-Officer
Date: Monday, October 27, 2008 - 3:46 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2008-014
		 =================================

Topic:		Cross-site request forgery in ftpd(8)

Version:	NetBSD-current:		affected
		NetBSD 4.0.*:		not affected
		NetBSD 4.0:		affected
		NetBSD 3.1.*:		affected
		NetBSD 3.1:		affected
		NetBSD 3.0.*:		affected
		NetBSD 3.0:		affected

Severity:	Cross-site request forgery

Fixed:		NetBSD-current:		September 13, 2008
		NetBSD-4-0 branch:	September 18, 2008
			(4.0.1 includes the fix)
		NetBSD-4 branch:	September 18, 2008
			(4.1 will include the fix)
		NetBSD-3-1 branch:	September 18, 2008
			(3.1.2 will include the fix)
		NetBSD-3-0 branch:	September 18, 2008
			(3.0.4 will include the fix)
		NetBSD-3 branch:	September 18, 2008
			(3.2 will include the fix)
		pkgsrc:			tnftpd-20081009 corrects the issue


Abstract
========

When accessing NetBSD servers running ftpd(8), certain commands can aid
attackers in executing CSRF attacks, e.g. when a web browser is used to
access FTP servers.

This vulnerability has been assigned CVE-2008-4247.


Technical Details
=================

When accessing NetBSD servers running ftpd(8), long commands are split
into multiple requests, which can result in CSRF attacks.
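The following constructed C model is an added illustration of the splitting described above; it is not NetBSD's ftpd code, and the reject-on-overflow reader is one common hardening rather than the project's own patch. CMDBUF, struct stream, the two readers and the sample input are all assumptions of this example.

```c
#include <stddef.h>
/* Constructed model of the ftpd(8) command-reader defect in this advisory
 * (not NetBSD's code). CMDBUF stands in for ftpd's line buffer; it is tiny
 * so the split shows up with short input. */
#define CMDBUF 16
struct stream { const char *data; size_t len; size_t pos; };
/* fgets-like read: copy until '\n' or cap-1 bytes. A longer line stays in the
 * stream and comes back as the "next" command: the splitting the advisory
 * describes. Returns bytes copied, 0 at end of stream. */
static size_t fill_line(struct stream *s, char *out, size_t cap) {
    size_t n = 0;
    while (s->pos < s->len && n < cap - 1) {
        out[n++] = s->data[s->pos++];
        if (out[n - 1] == '\n') break;
    }
    out[n] = '\0';
    return n;
}

/* Hardened read: a line that does not fit is drained to its newline and
 * reported as -1 so the server can send an error reply instead of executing
 * the tail. Returns 1 for a command, -1 for a rejected line, 0 at end. */
int next_cmd_strict(struct stream *s, char *out) {
    size_t n = fill_line(s, out, CMDBUF);
    if (n == 0) return 0;
    if (out[n - 1] != '\n' && s->pos < s->len) {
        if (s->data[s->pos] == '\n') s->pos++;   /* exactly fits: accept */
        else {                                   /* truncated: drain, reject */
            while (s->pos < s->len && s->data[s->pos++] != '\n') {}
            out[0] = '\0';
            return -1;
        }
    }
    return 1;
}

/* Constructed sample: one over-long NOOP line followed by a normal PWD. */
static const char SAMPLE[] = "NOOP aaaaaaaaaaaaaaaaaaaa\r\nPWD\r\n";

/* Feed SAMPLE through the naive (strict == 0) or hardened reader and return
 * how many commands would execute, or how many lines were rejected when
 * want_rejected is set. */
int run_sample(int strict, int want_rejected) {
    struct stream s = { SAMPLE, sizeof SAMPLE - 1, 0 };
    char cmd[CMDBUF];
    int executed = 0, rejected = 0, r;
    while ((r = strict ? next_cmd_strict(&s, cmd)
                       : (int)(fill_line(&s, cmd, CMDBUF) > 0)) != 0)
        if (r < 0) rejected++; else executed++;
    return want_rejected ? rejected : executed;
}
```

With the naive reader the single over-long line turns into two commands plus PWD (three executed); the strict reader rejects it and executes only PWD.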


Solutions and Workarounds
=========================

Only NetBSD systems with ftpd(8) enabled may be vulnerable to this issue.
ftpd(8) is not enabled by default in NetBSD generic installations.
As a temporary workaround, disable ftpd(8) from the base OS and use the
tnftpd-20081009 package from pkgsrc, which contains a fix.

The following instructions describe how to upgrade your ftpd
binaries by updating your source tree and rebuilding and installing
a new version of ftpd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2008-09-13
	should be upgraded to NetBSD-current dated 2008-09-14 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -d -P libexec/ftpd
		# cd libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 4.*:

	Systems running NetBSD 4.* sources dated from before
	2008-09-18 should be upgraded from NetBSD 4.* sources dated
	2008-09-19 or later.

	The following files/directories need to be updated from the
	netbsd-4 or netbsd-4-0 branches:
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -r <branch_name> -d -P libexec/ftpd
		# cd libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2008-09-18 should be upgraded from NetBSD 3.* sources dated
	2008-09-19 or later.

	The following files/directories need to be updated from the
	netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -r <branch_name> -d -P libexec/ftpd
		# cd libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========
Maksymilian Arciemowicz is credited with the discovery of this issue.
Luke Mewburn is credited with supplying the fixes and testing.


Revision History
================

	2008-10-27	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-014.txt,v 1.4 2008/10/27 19:47:39 adrianp Exp $
