Launchpad.net

CVE 2008-4242

ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.

Related bugs and status

CVE-2008-4242 (Candidate) is related to these bugs:

Bug #310949: ProFTPD in Hardy vulnerable to CVE-2008-4242

		In	Importance	Status
310949	ProFTPD in Hardy vulnerable to CVE-2008-4242	proftpd-dfsg (Ubuntu)	Undecided	Fix Released
310949	ProFTPD in Hardy vulnerable to CVE-2008-4242	proftpd-dfsg (Ubuntu Hardy)	Undecided	Won't Fix
310949	ProFTPD in Hardy vulnerable to CVE-2008-4242	proftpd-dfsg (Ubuntu Jaunty)	Undecided	Fix Released
310949	ProFTPD in Hardy vulnerable to CVE-2008-4242	proftpd-dfsg (Ubuntu Intrepid)	Undecided	Invalid

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://bugs.proftpd.or...
BID: 31289
SECUNIA: 31930
SREASONRES: 20080926 multiple vend...
SECTRACK: 1020945
DEBIAN: DSA-1689
SECUNIA: 33261
FEDORA: FEDORA-2009-0064
FEDORA: FEDORA-2009-0195
SECUNIA: 33413
SREASON: 4313
MANDRIVA: MDVSA-2009:061
XF: proftpd-url-csrf(45274)