Description of problem:
RFC 959  says:
When the user-PI receives an acknowledgment to the PASV command,
which includes the identity of the host and port being listened
on, the user-PI then sends A's port, a, to B in a PORT command; a
reply is returned. The user-PI may then send the corresponding
service commands to A and B. Server B initiates the connection
and the transfer proceeds.
This makes in possible for a server to direct the client to connect to
arbitrary IP/PORT, what can be misused for port scanning and service
Steps to Reproduce:
The paper  explains how to reproduce and contains a reference to
example reproducer FTP server.
This is a documented behavior. Anyways, Mozilla is going to fix this,
not sure about Konqueror. It is possible that other browsers we ship,
including w3m, links or lynx contain the flaw, but I don't feel positive
about urging to changing their behavior in any way, unless upstreams
change it because according to the RFC the behavior is correct.
Official KDE security advisory with references to upstream patches:
Reporter changed to firstname.lastname@example.org by request of Jay Turner.
This issue has been addressed in following products:
Red Hat Linux Enterprise 4
Red Hat Linux Enterprise 4.5.z
Red Hat Linux Enterprise 5
Via RHSA-2007:0909 https://rhn.redhat.com/errata/RHSA-2007-0909.html