NetBSD Security Advisory 2008-014
=================================

Topic:          Cross-site request forgery in ftpd(8)

Version:        NetBSD-current:     affected
                NetBSD 4.0.*:       not affected
                NetBSD 4.0:         affected
                NetBSD 3.1.*:       affected
                NetBSD 3.1:         affected
                NetBSD 3.0.*:       affected
                NetBSD 3.0:         affected

Severity:       Cross-site request forgery

Fixed:          NetBSD-current:     September 13, 2008
                NetBSD-4-0 branch:  September 18, 2008 (4.0.1 includes the fix)
                NetBSD-4 branch:    September 18, 2008 (4.1 will include the fix)
                NetBSD-3-1 branch:  September 18, 2008 (3.1.2 will include the fix)
                NetBSD-3-0 branch:  September 18, 2008 (3.0.4 will include the fix)
                NetBSD-3 branch:    September 18, 2008 (3.2 will include the fix)
                pkgsrc:             tnftpd-20081009 corrects the issue


Abstract
========

When accessing NetBSD servers running ftpd(8), certain commands can aid
attackers in executing CSRF attacks, e.g. when a web browser is used to
access FTP servers.

This vulnerability has been assigned CVE-2008-4247.


Technical Details
=================

When accessing NetBSD servers running ftpd(8), long commands are split into
multiple requests, which can be used for CSRF attacks.


Solutions and Workarounds
=========================

Only NetBSD systems with ftpd(8) enabled may be vulnerable to this issue.
ftpd(8) is not enabled by default in NetBSD generic installations.

As a temporary workaround, disable ftpd(8) from the base OS and use the
tnftpd-20081009 package from pkgsrc, which contains a fix.

The following instructions describe how to upgrade your ftpd binaries by
updating your source tree and rebuilding and installing a new version of
ftpd.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-09-13
        should be upgraded to NetBSD-current dated 2008-09-14 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                libexec/ftpd

        To update from CVS, re-build, and re-install ftpd:
                # cd src
                # cvs update -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before 2008-09-18
        should be upgraded from NetBSD 4.* sources dated 2008-09-19 or later.

        The following files/directories need to be updated from the
        netbsd-4 or netbsd-4-0 branches:
                libexec/ftpd

        To update from CVS (where <branch> is netbsd-4 or netbsd-4-0),
        re-build, and re-install ftpd:
                # cd src
                # cvs update -r <branch> -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 3.*:

        Systems running NetBSD 3.* sources dated from before 2008-09-18
        should be upgraded from NetBSD 3.* sources dated 2008-09-19 or later.

        The following files/directories need to be updated from the
        netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
                libexec/ftpd

        To update from CVS (where <branch> is netbsd-3, netbsd-3-0 or
        netbsd-3-1), re-build, and re-install ftpd:
                # cd src
                # cvs update -r <branch> -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

Maksymilian Arciemowicz is credited with the discovery of this issue.

Luke Mewburn for supplying the fixes and testing.


Revision History
================

        2008-10-27      Initial release
        2008-10-28      Fix a typo in the update instructions


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
        ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc

Information about NetBSD and NetBSD security can be found at
        http://www.NetBSD.org/
        http://www.NetBSD.org/Security/


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-014.txt,v 1.6 2008/10/28 09:17:36 adrianp Exp $
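The splitting behaviour described under Technical Details, and the defensive alternative of rejecting an over-long command line outright, illustrated by an added C example; this is not NetBSD's ftpd(8) code, and the buffer size, function names and sample session are constructed for the illustration:

```c
#define _POSIX_C_SOURCE 200809L /* for fmemopen(3) */
#include <stdio.h>
#include <string.h>

#define CMDLINE_MAX 32 /* deliberately tiny so the constructed sample overflows */
enum { CMD_OK = 0, CMD_EOF = -1, CMD_TOOLONG = -2 };

/* Read one '\n'-terminated command line into buf (trailing CR stripped). A line
 * that does not fit is drained up to its newline and reported as CMD_TOOLONG,
 * so its tail is never handed to the command parser as a second command. */
int read_cmdline(FILE *fp, char *buf, size_t bufsz)
{
    size_t n = 0; int c;
    while ((c = getc(fp)) != EOF && c != '\n') {
        if (n + 1 >= bufsz) {             /* no room left: reject the whole line */
            while ((c = getc(fp)) != EOF && c != '\n') ;
            buf[0] = '\0';
            return CMD_TOOLONG;
        }
        buf[n++] = (char)c;
    }
    if (c == EOF && n == 0) return CMD_EOF;
    if (n > 0 && buf[n - 1] == '\r') n--;
    buf[n] = '\0';
    return CMD_OK;
}

/* Run a whole session through read_cmdline(). Returns the number of accepted
 * commands (-1 if the in-memory stream cannot be opened); *rejected counts
 * over-long lines; last receives the final accepted command. */
int run_session(const char *input, int *rejected, char *last, size_t lastsz)
{
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    char line[CMDLINE_MAX];
    int accepted = 0, r;
    *rejected = 0; last[0] = '\0';
    if (fp == NULL) return -1;
    while ((r = read_cmdline(fp, line, sizeof line)) != CMD_EOF) {
        if (r == CMD_TOOLONG) { (*rejected)++; continue; }
        accepted++;
        snprintf(last, lastsz, "%s", line);
    }
    fclose(fp);
    return accepted;
}

/* Constructed sample session: the second line (45 chars) exceeds CMDLINE_MAX;
 * with the splitting behaviour this advisory describes, its tail would have
 * surfaced as a separate command instead of being discarded with the line. */
const char SAMPLE[] =
    "USER anonymous\r\n"
    "RETR aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n"
    "QUIT\r\n";
```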