OpenBSD Journal

Cross-site request forgery via ftpd(8)

Contributed by jason on from the one-more-reason-to-use-sftp dept.

Stefan writes:

A cross-site request forgery attack on ftpd was discovered by SecurityReason's Maksymilian Arciemowicz, affecting all the BSDs. The OpenBSD team was first to have fixes for it (see extern.h, ftpcmd.y, and ftpd.c).

The commit can also be found in the archives.
