CVE-2008-4242 - Vulnerability Details - OpenCVE

ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Proftpd Project	Proftpd

Configuration 1 [-]

cpe:2.3:a:proftpd_project:proftpd:1.3.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://bugs.proftpd.org/show_bug.cgi?id=3115
http://secunia.com/advisories/31930
http://secunia.com/advisories/33261
http://secunia.com/advisories/33413
http://securityreason.com/achievement_securityalert/56
http://securityreason.com/securityalert/4313
http://www.debian.org/security/2008/dsa-1689
http://www.mandriva.com/security/advisories?name=MDVSA-2009:061
http://www.securityfocus.com/bid/31289
http://www.securitytracker.com/id?1020945
https://exchange.xforce.ibmcloud.com/vulnerabilities/45274
https://www.cve.org/CVERecord?id=CVE-2008-4242
https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00078.html
https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00245.html

History

Wed, 28 May 2025 14:45:00 +0000

Type	Values Removed	Values Added
References		https://www.cve.org/CVERecord?id=CVE-2008-4242

Thu, 22 May 2025 04:30:00 +0000

Type	Values Removed	Values Added
References	https://nvd.nist.gov/vuln/detail/CVE-2008-4242 https://www.cve.org/CVERecord?id=CVE-2008-4242

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-09-25T19:00:00

Updated: 2024-08-07T10:08:34.954Z

Reserved: 2008-09-25T00:00:00

Link: CVE-2008-4242

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-09-25T19:25:18.693

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-4242

Redhat

Severity : Moderate

Publid Date: 2008-09-25T00:00:00Z

Links: CVE-2008-4242 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-09-20T00:00:00", "descriptions": [{"lang": "en", "value": "ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "31289", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/31289"}, {"name": "20080926 multiple vendor ftpd - Cross-site request forgery", "tags": ["third-party-advisory", "x_refsource_SREASONRES"], "url": "http://securityreason.com/achievement_securityalert/56"}, {"name": "MDVSA-2009:061", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:061"}, {"name": "1020945", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1020945"}, {"name": "31930", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/31930"}, {"name": "FEDORA-2009-0195", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00245.html"}, {"name": "33261", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33261"}, {"name": "33413", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33413"}, {"name": "4313", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/4313"}, {"name": "FEDORA-2009-0064", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00078.html"}, {"name": "DSA-1689", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2008/dsa-1689"}, {"name": "proftpd-url-csrf(45274)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45274"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.proftpd.org/show_bug.cgi?id=3115"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-4242", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "31289", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31289"}, {"name": "20080926 multiple vendor ftpd - Cross-site request forgery", "refsource": "SREASONRES", "url": "http://securityreason.com/achievement_securityalert/56"}, {"name": "MDVSA-2009:061", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:061"}, {"name": "1020945", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1020945"}, {"name": "31930", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31930"}, {"name": "FEDORA-2009-0195", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00245.html"}, {"name": "33261", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33261"}, {"name": "33413", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33413"}, {"name": "4313", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4313"}, {"name": "FEDORA-2009-0064", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00078.html"}, {"name": "DSA-1689", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1689"}, {"name": "proftpd-url-csrf(45274)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45274"}, {"name": "http://bugs.proftpd.org/show_bug.cgi?id=3115", "refsource": "CONFIRM", "url": "http://bugs.proftpd.org/show_bug.cgi?id=3115"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T10:08:34.954Z"}, "title": "CVE Program Container", "references": [{"name": "31289", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/31289"}, {"name": "20080926 multiple vendor ftpd - Cross-site request forgery", "tags": ["third-party-advisory", "x_refsource_SREASONRES", "x_transferred"], "url": "http://securityreason.com/achievement_securityalert/56"}, {"name": "MDVSA-2009:061", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:061"}, {"name": "1020945", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1020945"}, {"name": "31930", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/31930"}, {"name": "FEDORA-2009-0195", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00245.html"}, {"name": "33261", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/33261"}, {"name": "33413", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/33413"}, {"name": "4313", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/4313"}, {"name": "FEDORA-2009-0064", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00078.html"}, {"name": "DSA-1689", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2008/dsa-1689"}, {"name": "proftpd-url-csrf(45274)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45274"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://bugs.proftpd.org/show_bug.cgi?id=3115"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-4242", "datePublished": "2008-09-25T19:00:00", "dateReserved": "2008-09-25T00:00:00", "dateUpdated": "2024-08-07T10:08:34.954Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:proftpd_project:proftpd:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "71965620-399A-450C-95A5-5B327438768A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser."}, {"lang": "es", "value": "ProFTPD v1.3.1 interpreta como m\u00faltiples comandos los comandos largos de un cliente FTP, lo que permite a atacantes remotos llevar a cabo ataques de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSFR) y ejecutar comdos FTP de su elecci\u00f3n a trav\u00e9s de una URI ftp:// larga que aprovecha la sesi\u00f3n existente en la implementaci\u00f3n de cliente FTP en un navegador web."}], "id": "CVE-2008-4242", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-09-25T19:25:18.693", "references": [{"source": "cve@mitre.org", "url": "http://bugs.proftpd.org/show_bug.cgi?id=3115"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/31930"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/33261"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/33413"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/achievement_securityalert/56"}, {"source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/4313"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1689"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:061"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/31289"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1020945"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45274"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00078.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00245.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.proftpd.org/show_bug.cgi?id=3115"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/31930"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/33261"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/33413"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/achievement_securityalert/56"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/4313"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1689"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:061"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/31289"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1020945"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45274"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00078.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00245.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}