+++ This bug was initially created as a clone of Bug #233592 +++

Description of problem:

RFC 959 [1] says:

  When the user-PI receives an acknowledgment to the PASV command, which includes the identity of the host and port being listened on, the user-PI then sends A's port, a, to B in a PORT command; a reply is returned. The user-PI may then send the corresponding service commands to A and B. Server B initiates the connection and the transfer proceeds.

[1] ftp://ftp.rfc-editor.org/in-notes/rfc959.txt

This makes it possible for a server to direct the client to connect to an arbitrary IP/port, which can be misused for port scanning and service fingerprinting.

Steps to Reproduce:

The paper [2] explains how to reproduce and contains a reference to an example reproducer FTP server.

[2] http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf

Additional info:

This is a documented behavior. Anyways, Mozilla is going to fix this, not sure about Konqueror. It is possible that other browsers we ship, including w3m, links or lynx, contain the flaw, but I don't feel positive about urging them to change their behavior in any way, unless upstreams change it, because according to the RFC the behavior is correct.
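The client-side check that closes the behavior described above (accept the advertised PASV endpoint only when it points back at the host the control connection is already talking to), as an added illustration that is not taken from the KDE or Mozilla patches; the function names and the TEST-NET sample replies are my own constructions.

```python
import re

# RFC 959 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Some servers omit the parentheses, so only the six-number tuple is required.
_PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Extract (host, port) from a 227 reply; raise ValueError if it is malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    match = _PASV_RE.search(reply)
    if match is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in reply: {reply!r}")
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]   # p1 is the high byte, p2 the low byte
    if port == 0:
        raise ValueError(f"port 0 in reply: {reply!r}")
    return host, port


def check_pasv_reply(reply: str, control_peer_ip: str) -> dict:
    """Mitigation: only open the data connection to the control connection's own peer.

    control_peer_ip is the address the client actually connected to for the control
    channel (e.g. from socket.getpeername()). A client that trusts the advertised
    host instead can be pointed at any third-party IP/port by a hostile server.
    """
    try:
        host, port = parse_pasv_reply(reply)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    if host != control_peer_ip:
        return {"ok": False, "host": host, "port": port,
                "reason": f"advertised host {host} differs from control peer {control_peer_ip}"}
    return {"ok": True, "host": host, "port": port, "reason": "advertised host matches control peer"}


if __name__ == "__main__":
    # Constructed sample replies using TEST-NET addresses, not captured from a real server.
    peer = "192.0.2.10"
    for reply in ("227 Entering Passive Mode (192,0,2,10,19,137)",   # benign: points back at the server
                  "227 Entering Passive Mode (192,0,2,99,0,22)",     # redirects the client elsewhere
                  "227 Entering Passive Mode (192,0,2,10,300,1)"):   # malformed octet
        print(check_pasv_reply(reply, peer))
```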
It seems like they patched it:

ftp://ftp.kde.org/pub/kde/security_patches/CVE-2007-1564-kdelibs-3.5.6.diff
ftp://ftp.kde.org/pub/kde/security_patches/CVE-2007-1564-kdelibs-3.4.3.diff
Currently supported Fedora versions use the upstream version with the fix included. Fedora Core 6 KDE packages were also updated to the fixed version 3.5.7 before FC6 was EOLed. Closing this bug.