Unrated severityNVD Advisory· Published Sep 25, 2008· Updated Apr 23, 2026

CVE-2008-4247

Description

ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.

Affected products

FreeBSD/FreeBSD
cpe:2.3:o:freebsd:freebsd:7.0:*:*:*:*:*:*:*
NetBSD/NetBSD
cpe:2.3:o:netbsd:netbsd:4.0:*:*:*:*:*:*:*
OpenBSD/OpenBSD
cpe:2.3:o:openbsd:openbsd:4.3:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y.diffnvdExploit
www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c.diffnvdExploit
ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.ascnvd
bugs.proftpd.org/show_bug.cginvd
secunia.com/advisories/32068nvd
secunia.com/advisories/32070nvd
secunia.com/advisories/33341nvd
security.freebsd.org/advisories/FreeBSD-SA-08:12.ftpd.ascnvd
securityreason.com/achievement_securityalert/56nvd
securityreason.com/securityalert/4313nvd
www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.ynvd
www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.cnvd
www.oracle.com/technetwork/topics/security/cpuoct2010-175626.htmlnvd
www.securitytracker.com/idnvd
www.securitytracker.com/idnvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.010
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000