Bug 233594 - CVE-2007-1564 FTP protocol PASV design flaw affects konqueror
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kdebase
Version: 6
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Ngo Than
QA Contact: Ben Levenson
URL: http://bindshell.net/papers/ftppasv/f...
Whiteboard: impact=low,source=cve,reported=200703...
Keywords: Security
Depends On:
Blocks:
Reported: 2007-03-23 08:11 EDT by Lubomir Kundrak
Modified: 2007-12-20 11:02 EST (History)

Doc Type: Bug Fix
Last Closed: 2007-12-20 11:02:03 EST
Description Lubomir Kundrak 2007-03-23 08:11:54 EDT
+++ This bug was initially created as a clone of Bug #233592 +++

Description of problem:

RFC 959 [1] says:

      When the user-PI receives an acknowledgment to the PASV command,
      which includes the identity of the host and port being listened
      on, the user-PI then sends A's port, a, to B in a PORT command; a
      reply is returned.  The user-PI may then send the corresponding
      service commands to A and B.  Server B initiates the connection
      and the transfer proceeds.

[1] ftp://ftp.rfc-editor.org/in-notes/rfc959.txt

This makes it possible for a server to direct the client to connect to an
arbitrary IP/port, which can be misused for port scanning and service
fingerprinting.

Steps to Reproduce:

The paper [2] explains how to reproduce and contains a reference to
example reproducer FTP server.

[2] http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf

Additional info:

This is a documented behavior. Anyway, Mozilla is going to fix this; I am
not sure about Konqueror. It is possible that other browsers we ship,
including w3m, links or lynx, contain the flaw, but I don't feel positive
about urging a change to their behavior in any way unless upstreams
change it, because according to the RFC the behavior is correct.
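The client-side mitigation this flaw calls for is to refuse a 227 PASV reply whose address is not the host the control connection already talks to (and to refuse privileged ports). The following is an added illustration in Python, not code from this bug report or from Konqueror/kio_ftp; the sample 227 replies and the control-peer address are constructed.

```python
import ipaddress
import re

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_REPLY = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Constructed samples: the first points back at the FTP server itself; the other
# two would steer the client's data connection to a third host, or to a privileged
# port on the server, which is the port-scan / fingerprinting primitive described above.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,19,136)",
    "227 Entering Passive Mode (10,0,0,5,0,22)",
    "227 Entering Passive Mode (192,0,2,10,0,25)",
]
CONTROL_PEER = "192.0.2.10"  # constructed: the address the control connection was opened to


def parse_pasv_reply(reply):
    """Return (host, port) advertised by a 227 reply; raise ValueError if malformed."""
    m = PASV_REPLY.match(reply.strip())
    if m is None:
        raise ValueError("not a well-formed 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def pasv_target_allowed(reply, control_peer_ip, min_port=1024):
    """Decide whether the client should open the data connection the server asked for.

    Policy: the data target must be the same host as the control connection, and
    must not be a privileged port.  Returns (allowed, reason)."""
    try:
        host, port = parse_pasv_reply(reply)
    except ValueError as exc:
        return False, str(exc)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        return False, "data connection redirected to %s, control peer is %s" % (host, control_peer_ip)
    if port < min_port:
        return False, "server asked for privileged port %d" % port
    return True, "data connection to %s:%d" % (host, port)


if __name__ == "__main__":
    for sample in SAMPLE_REPLIES:
        print(sample, "->", pasv_target_allowed(sample, CONTROL_PEER))
```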
Comment 2 Tomas Hoger 2007-12-20 11:02:03 EST
Currently supported Fedora versions use an upstream version with the fix included.
Fedora Core 6 KDE packages were also updated to the fixed version 3.5.7 before FC6
was EOLed. Closing this bug.