Red Hat Bugzilla – Bug 233594
CVE-2007-1564 FTP protocol PASV design flaw affects konqueror
Last modified: 2007-12-20 11:02:03 EST
+++ This bug was initially created as a clone of Bug #233592 +++
Description of problem:
RFC 959 says:
When the user-PI receives an acknowledgment to the PASV command,
which includes the identity of the host and port being listened
on, the user-PI then sends A's port, a, to B in a PORT command; a
reply is returned. The user-PI may then send the corresponding
service commands to A and B. Server B initiates the connection
and the transfer proceeds.
This makes it possible for a server to direct the client to connect to an
arbitrary IP/port, which can be misused for port scanning and service
Steps to Reproduce:
The paper explains how to reproduce and contains a reference to
example reproducer FTP server.
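The flaw described above is that a client blindly trusts the host and port in the server's 227 reply. The usual client-side mitigation is to refuse (or ignore) a PASV address that differs from the peer of the control connection and to refuse reserved ports. The following is an added example written for this page, not code from the bug report, Konqueror or Mozilla; the function names (`parse_pasv`, `evaluate_pasv`) and the sample replies are constructed for illustration.

```python
import ipaddress
import re

# Shape of an RFC 959 PASV acknowledgment:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Decode a 227 reply into (host, port). Raises ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a well-formed 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    # IPv4Address rejects octets above 255 with a ValueError subclass.
    host = str(ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))
    if p1 > 255 or p2 > 255:
        raise ValueError("port byte out of range")
    return host, (p1 << 8) | p2


def evaluate_pasv(reply, control_peer_ip, allow_privileged=False):
    """Decide whether a client should honour a PASV reply.

    Policy (hypothetical, for illustration): the data connection may only go
    back to the host the control connection already talks to, and only to a
    port above 1023, so the server cannot use the client to probe other
    hosts or services. Returns (accepted, host, port, reason).
    """
    try:
        host, port = parse_pasv(reply)
    except ValueError as e:
        return (False, None, None, str(e))
    if host != control_peer_ip:
        return (False, host, port,
                f"host {host} differs from control peer {control_peer_ip}")
    if port == 0 or (port < 1024 and not allow_privileged):
        return (False, host, port, f"port {port} is reserved/privileged")
    return (True, host, port, "ok")


# Constructed sample replies (not captured from any real server).
SAMPLE_CONTROL_PEER = "192.0.2.10"
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,89).",    # same host, port 50009
    "227 Entering Passive Mode (198,51,100,7,195,89).",  # redirect to another host
    "227 Entering Passive Mode (192,0,2,10,0,22).",      # same host, port 22
    "227 Entering Passive Mode (192,0,2,300,4,1).",      # malformed octet
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        accepted, host, port, reason = evaluate_pasv(r, SAMPLE_CONTROL_PEER)
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {host}:{port}  {reason}")
```

Rejecting is the strict choice; a client that wants to keep working with misconfigured servers behind NAT can instead substitute the control peer's address for the advertised host while still refusing reserved ports, which is what the `control_peer_ip` parameter is there for.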
This is a documented behavior. Anyways, Mozilla is going to fix this,
not sure about Konqueror. It is possible that other browsers we ship,
including w3m, links or lynx contain the flaw, but I don't feel positive
about urging to change their behavior in any way, unless upstreams
change it, because according to the RFC the behavior is correct.
It seems like they patched it:
Currently supported Fedora versions use upstream version with fix included.
Fedora Core 6 KDE packages were also updated to fixed version 3.5.7 before FC6
was EOLed. Closing this bug.