Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 233594 - CVE-2007-1564 FTP protocol PASV design flaw affects konqueror
Summary: CVE-2007-1564 FTP protocol PASV design flaw affects konqueror
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase
Version: 6
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Ngo Than
QA Contact: Ben Levenson
URL: http://bindshell.net/papers/ftppasv/f...
Whiteboard: impact=low,source=cve,reported=200703...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-03-23 12:11 UTC by Lubomir Kundrak
Modified: 2007-12-20 16:02 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-12-20 16:02:03 UTC


Attachments (Terms of Use)

Description Lubomir Kundrak 2007-03-23 12:11:54 UTC
+++ This bug was initially created as a clone of Bug #233592 +++

Description of problem:

RFC 959 [1] says:

      When the user-PI receives an acknowledgment to the PASV command,
      which includes the identity of the host and port being listened
      on, the user-PI then sends A's port, a, to B in a PORT command; a
      reply is returned.  The user-PI may then send the corresponding
      service commands to A and B.  Server B initiates the connection
      and the transfer proceeds.

[1] ftp://ftp.rfc-editor.org/in-notes/rfc959.txt

This makes in possible for a server to direct the client to connect to
arbitrary IP/PORT, what can be misused for port scanning and service
fingerprinting.

Steps to Reproduce:

The paper [2] explains how to reproduce and contains a reference to
example reproducer FTP server.

[2] http://bindshell.net/papers/ftppasv/ftp-client-pasv-manipulation.pdf

Additional info:

This is a documented behavior. Anyways, Mozilla is going to fix this,
not sure about Konqueror. It is possible that other browsers we ship,
including w3m, links or lynx contain the flaw, but I don't feel positive
about urging to changing their behavior in any way, unless upstreams
change it because according to the RFC the behavior is correct.

Comment 2 Tomas Hoger 2007-12-20 16:02:03 UTC
Currently supported Fedora versions user upstream version with fix included. 
Fedora Core 6 KDE packages were also updated to fixed version 3.5.7 before FC6
was EOLed.  Closing this bug.


Note You need to log in before you can comment on or make changes to this bug.