|Summary:||CVE-2007-1564 FTP protocol PASV design flaw affects konqueror|
|Product:||[Fedora] Fedora||Reporter:||Lubomir Kundrak <lkundrak>|
|Component:||kdebase||Assignee:||Ngo Than <than>|
|Status:||CLOSED ERRATA||QA Contact:||Ben Levenson <benl>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2007-12-20 16:02:03 UTC||Type:||---|
Description Lubomir Kundrak 2007-03-23 12:11:54 UTC
+++ This bug was initially created as a clone of Bug #233592 +++

Description of problem:

RFC 959 says:

When the user-PI receives an acknowledgment to the PASV command, which includes the identity of the host and port being listened on, the user-PI then sends A's port, a, to B in a PORT command; a reply is returned. The user-PI may then send the corresponding service commands to A and B. Server B initiates the connection and the transfer proceeds.

ftp://ftp.rfc-editor.org/in-notes/rfc959.txt

This makes it possible for a server to direct the client to connect to an arbitrary IP/PORT, which can be misused for port scanning and service fingerprinting.

Steps to Reproduce:

The paper explains how to reproduce and contains a reference to an example reproducer FTP server.

http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf

Additional info:

This is a documented behavior. Anyways, Mozilla is going to fix this, not sure about Konqueror. It is possible that other browsers we ship, including w3m, links or lynx, contain the flaw, but I don't feel positive about urging changes to their behavior in any way unless upstreams change it, because according to the RFC the behavior is correct.
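A common client-side mitigation for the behaviour reported above, shown as an added example that is not part of the bug report or of any browser's code: take only the port from the 227 reply and reuse the control connection's peer address for the data connection. The function names and the sample replies are constructed for illustration.

```python
import re

# The six comma-separated numbers (h1,h2,h3,h4,p1,p2) carried in a 227 reply.
_PASV_RE = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


class PasvError(ValueError):
    """The 227 reply could not be parsed or carries out-of-range values."""


def parse_pasv(reply):
    """Return (host, port) exactly as advertised by the server."""
    if not reply.startswith("227"):
        raise PasvError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply[3:])
    if m is None:
        raise PasvError("no host/port tuple in reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise PasvError("octet out of range in reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise PasvError("port 0 in reply")
    return host, port


def data_endpoint(reply, control_peer_ip):
    """Pick the data-connection target for a passive transfer.

    Only the port is taken from the reply; the host is always the address
    the control connection is already talking to. The second return value
    reports whether the server advertised a different host (worth logging).
    """
    advertised_host, port = parse_pasv(reply)
    redirected = advertised_host != control_peer_ip
    return (control_peer_ip, port), redirected


# Constructed sample replies (documentation address ranges, not real hosts).
HONEST = "227 Entering Passive Mode (192,0,2,10,195,80)"
REDIRECT = "227 Entering Passive Mode (198,51,100,7,0,22)"
```

With this policy a reply that names another host can no longer steer the client elsewhere; the `redirected` flag lets the client log or abort on the mismatch.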
Comment 1 Stefan Cornelius 2007-05-30 19:32:51 UTC
Comment 2 Tomas Hoger 2007-12-20 16:02:03 UTC
Currently supported Fedora versions use upstream version with fix included. Fedora Core 6 KDE packages were also updated to fixed version 3.5.7 before FC6 was EOLed. Closing this bug.