Bug 233594 - CVE-2007-1564 FTP protocol PASV design flaw affects konqueror
Summary: CVE-2007-1564 FTP protocol PASV design flaw affects konqueror
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Ben Levenson
URL: http://bindshell.net/papers/ftppasv/f...
Whiteboard: impact=low,source=cve,reported=200703...
Depends On:
Reported: 2007-03-23 12:11 UTC by Lubomir Kundrak
Modified: 2007-12-20 16:02 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-12-20 16:02:03 UTC
Type: ---


Description Lubomir Kundrak 2007-03-23 12:11:54 UTC
+++ This bug was initially created as a clone of Bug #233592 +++

Description of problem:

RFC 959 [1] says:

      When the user-PI receives an acknowledgment to the PASV command,
      which includes the identity of the host and port being listened
      on, the user-PI then sends A's port, a, to B in a PORT command; a
      reply is returned.  The user-PI may then send the corresponding
      service commands to A and B.  Server B initiates the connection
      and the transfer proceeds.

[1] ftp://ftp.rfc-editor.org/in-notes/rfc959.txt

This makes it possible for a server to direct the client to connect to
arbitrary IP/PORT, which can be misused for port scanning and service

Steps to Reproduce:

The paper [2] explains how to reproduce and contains a reference to
example reproducer FTP server.

[2] http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf

Additional info:

This is a documented behavior. Anyways, Mozilla is going to fix this,
not sure about Konqueror. It is possible that other browsers we ship,
including w3m, links or lynx, contain the flaw, but I don't feel positive
about urging a change to their behavior in any way, unless upstreams
change it, because according to the RFC the behavior is correct.
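
A common client-side mitigation for the behaviour described in this report, shown as an added example that is not part of the original bug and is not Konqueror's or Mozilla's code: parse the 227 reply, take only the port from it, and always open the data connection to the control connection's peer address. The function names and the sample replies (documentation address 203.0.113.10) are constructed for illustration.

```python
import ipaddress
import re

# RFC 959: the 227 reply carries h1,h2,h3,h4,p1,p2 (host octets, then port bytes).
_PASV_TUPLE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_pasv_reply(line):
    """Return the (host, port) a server advertises in a 227 reply."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    match = _PASV_TUPLE.search(line[3:])
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in reply")
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not connectable")
    return ".".join(str(n) for n in nums[:4]), port


def data_endpoint(reply, control_peer_ip):
    """Choose where the client opens the data connection.

    The advertised host is never dialed: the target host is always the
    address the control connection is already talking to. The third
    element reports whether the server advertised a different host, so
    the caller can log it.
    """
    advertised_host, port = parse_pasv_reply(reply)
    mismatch = (ipaddress.ip_address(advertised_host)
                != ipaddress.ip_address(control_peer_ip))
    return control_peer_ip, port, mismatch


if __name__ == "__main__":
    peer = "203.0.113.10"  # constructed: address of the control connection peer
    replies = [
        "227 Entering Passive Mode (203,0,113,10,195,80)",  # matches the peer
        "227 Entering Passive Mode (192,168,1,1,0,22)",     # points elsewhere
    ]
    for reply in replies:
        print(reply, "->", data_endpoint(reply, peer))
```

The server still chooses the port, so this confines data connections to the host the user already contacted rather than removing the server's influence entirely.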

Comment 2 Tomas Hoger 2007-12-20 16:02:03 UTC
Currently supported Fedora versions use upstream version with fix included.
Fedora Core 6 KDE packages were also updated to fixed version 3.5.7 before FC6
was EOLed.  Closing this bug.
