
A reminder that CSRF affects more than websites

Maksymilian Arciemowicz has published an advisory outlining how one can perform CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd.


    <img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME">

The NetBSD team addressed this issue by failing on large commands. The interesting thing here is that, since CSRF tokens are not available in FTP, the developers were forced to remove functionality in order to mitigate this. It makes you wonder what other features may disappear from non-web services in the future to mitigate attacks launched from websites.
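To make the "fail on large commands" mitigation concrete, here is an added example that is not the advisory's or NetBSD's code: a toy FTP command-line reader that contrasts naive handling of an overlong line (consumed in buffer-sized pieces, each dispatched as its own command) with rejecting the whole line. It assumes that line splitting is the underlying flaw; the 64-byte buffer size and the sample session are constructed values.

```python
# Added example (not from the advisory or from any ftpd): a toy FTP command
# reader contrasting naive handling of an overlong line with the
# "fail on large commands" handling. CMD_MAX and SESSION are constructed.
CMD_MAX = 64  # constructed line-buffer size; real servers use larger buffers


def split_lines(stream: bytes) -> list[bytes]:
    """Split a raw control-connection stream into CRLF-terminated lines."""
    return [ln for ln in stream.split(b"\r\n") if ln]


def naive_reader(stream: bytes, limit: int = CMD_MAX) -> list[str]:
    """Naive reader: a line longer than `limit` is consumed in `limit`-sized
    pieces and every piece is dispatched as its own command, so the tail of
    an overlong CWD path is executed as a separate command."""
    commands = []
    for line in split_lines(stream):
        for i in range(0, len(line), limit):
            commands.append(line[i:i + limit].decode("ascii", "replace"))
    return commands


def strict_reader(stream: bytes, limit: int = CMD_MAX) -> tuple[list[str], int]:
    """Hardened reader: an overlong line is rejected as a whole and its
    remainder discarded, so no fragment of it is ever dispatched.
    Returns the dispatched commands and the number of rejected lines."""
    commands, rejected = [], 0
    for line in split_lines(stream):
        if len(line) > limit:
            rejected += 1  # server would reply "500 Line too long" here
            continue
        commands.append(line.decode("ascii", "replace"))
    return commands, rejected


# Constructed session: the CWD a browser would derive from an ftp:// image
# URL whose path is padded with slashes so that the text after the padding
# lands exactly at the buffer boundary (the shape of the payload above).
OVERLONG_CWD = b"CWD " + b"/" * (CMD_MAX - 4) + b"SITE CHMOD 777 FILENAME"
SESSION = b"USER anonymous\r\nPASS guest@\r\n" + OVERLONG_CWD + b"\r\nQUIT\r\n"


def verbs(commands: list[str]) -> list[str]:
    """The command verbs a dispatcher would act on."""
    return [c.split(" ", 1)[0] for c in commands]


if __name__ == "__main__":
    print("naive :", verbs(naive_reader(SESSION)))      # SITE is dispatched
    print("strict:", verbs(strict_reader(SESSION)[0]))  # SITE never appears
```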


Full Advisory: http://seclists.org/bugtraq/2010/May/218
