ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
Reference: CONFIRM:http://bugs.proftpd.org/show_bug.cgi?id=3115
Reference: BID:31289
Reference: URL:http://www.securityfocus.com/bid/31289
Reference: SECUNIA:31930
Reference: URL:http://secunia.com/advisories/31930
Reference: XF:proftpd-url-csrf(45274)
Reference: URL:http://xforce.iss.net/xforce/xfdb/45274
Upstream patches (as linked in the upstream bug report referenced above): http://bugs.proftpd.org/attachment.cgi?id=2871&action=view
Simple PoC available in Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502674#5
$ perl -e 'print "A"x1022,"QUIT\n"' | nc localhost 21
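The bug class behind this report and the generic remedy, as an added C illustration that is neither ProFTPD's code nor the upstream patch: a command reader that stops when its buffer fills and so hands the tail of an over-long line back as a second command, beside a reader that drains through the newline and rejects the whole line. The MAX_CMD limit, the in-memory stream standing in for the client socket, and all names are assumptions; the drain-and-reject remedy is the standard fix for this pattern, not a claim about the exact upstream change.

```c
#include <string.h>
#define MAX_CMD 1022  /* assumed illustrative command-length limit, not ProFTPD's */

struct stream { const char *data; size_t len, pos; };   /* in-memory "socket" */
struct result { int accepted, rejected; char last[MAX_CMD + 1]; };

/* Vulnerable pattern: stop when the buffer is full even if no newline was seen,
 * so the rest of the line is later parsed as a *separate* command. */
static int read_cmd_naive(struct stream *s, char *out) {
    size_t n = 0;
    if (s->pos >= s->len) return -1;                      /* EOF */
    while (s->pos < s->len && n < MAX_CMD) {
        char c = s->data[s->pos++];
        if (c == '\n') break;
        out[n++] = c;
    }
    out[n] = '\0';
    return 0;                                             /* always "accepted" */
}

/* Hardened pattern: always consume through the newline and report an over-long
 * line as rejected (a 500 reply, say) so its tail can never become a command. */
static int read_cmd_safe(struct stream *s, char *out) {
    size_t n = 0;
    int too_long = 0;
    if (s->pos >= s->len) return -1;
    while (s->pos < s->len) {
        char c = s->data[s->pos++];
        if (c == '\n') break;
        if (n < MAX_CMD) out[n++] = c; else too_long = 1;
    }
    out[n] = '\0';
    return too_long;                                      /* 1 = rejected */
}

/* Feed one constructed session, n_pad 'A's followed by "QUIT\n" as in the PoC
 * above (n_pad <= 4091 assumed), through a reader and tally what would execute. */
static struct result run_poc(int use_safe, size_t n_pad) {
    char buf[4096], cmd[MAX_CMD + 1];
    struct stream s = { buf, n_pad + 5, 0 };
    struct result r = { 0, 0, "" };
    int rc;
    memset(buf, 'A', n_pad);
    memcpy(buf + n_pad, "QUIT\n", 5);
    while ((rc = (use_safe ? read_cmd_safe : read_cmd_naive)(&s, cmd)) != -1) {
        if (rc == 0) { r.accepted++; strcpy(r.last, cmd); } else r.rejected++;
    }
    return r;
}
```

With the naive reader the 1022-byte padding fills the buffer and "QUIT" is executed as a command of its own; the hardened reader rejects the line once and executes nothing.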
proftpd-1.3.1-8.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
proftpd-1.3.1-8.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
proftpd-1.3.1-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
All packages have been pushed to the stable updates, so closing.