Description of problem:
RFC 959 [1] says:

    When the user-PI receives an acknowledgment to the PASV command, which includes the identity of the host and port being listened on, the user-PI then sends A's port, a, to B in a PORT command; a reply is returned. The user-PI may then send the corresponding service commands to A and B. Server B initiates the connection and the transfer proceeds.

[1] ftp://ftp.rfc-editor.org/in-notes/rfc959.txt

This makes it possible for a server to direct the client to connect to an arbitrary IP/PORT, which can be misused for port scanning and service fingerprinting.

Steps to Reproduce:
The paper [2] explains how to reproduce and contains a reference to an example reproducer FTP server.

[2] http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf

Additional info:
This is a documented behavior. Anyways, Mozilla is going to fix this, not sure about Konqueror. It is possible that other browsers we ship, including w3m, links or lynx, contain the flaw, but I don't feel positive about urging to change their behavior in any way, unless upstreams change it, because according to the RFC the behavior is correct.
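Added example, not from the report, RFC 959 or any of the vendor patches: a small Python parser for the 227 (PASV) reply together with the client-side check a hardened client applies, which is to take only the port from the reply and keep the data connection on the same peer as the control connection, flagging any mismatch. The reply strings and the `control_host` value are constructed.

```python
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Parentheses are optional because some servers omit them.
PASV_RE = re.compile(
    r"^227\b.*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?"
)


def parse_pasv_reply(reply):
    """Return (host, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 in PASV reply: %r" % reply)
    return host, port


def resolve_data_endpoint(reply, control_host):
    """Decide where the data connection goes.

    control_host is the IP the control connection is already talking to
    (a constructed value here). The advertised host is ignored; only the
    port is honoured, so a server cannot redirect the client to a third
    host. The third return value tells the caller whether the server tried
    to do exactly that, which is worth logging.
    """
    advertised_host, port = parse_pasv_reply(reply)
    redirected = advertised_host != control_host
    return control_host, port, redirected


if __name__ == "__main__":
    peer = "203.0.113.10"  # constructed control-connection peer
    for line in ("227 Entering Passive Mode (203,0,113,10,195,88)",   # benign
                 "227 Entering Passive Mode (192,0,2,1,0,22)"):        # redirecting
        host, port, flagged = resolve_data_endpoint(line, peer)
        print("connect to %s:%d%s" % (host, port, "  [server tried to redirect]" if flagged else ""))
```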
Official KDE security advisory with references to upstream patches: http://www.kde.org/info/security/advisory-20070326-1.txt
Reporter changed to security-response-team by request of Jay Turner.
This issue has been addressed in following products:

  Red Hat Linux Enterprise 4
  Red Hat Linux Enterprise 4.5.z
  Red Hat Linux Enterprise 5

Via RHSA-2007:0909 https://rhn.redhat.com/errata/RHSA-2007-0909.html