« Paper: Feasibility and Real-World Implications of Web BrowserHistory Detection | Main | Why publishing exploit code is *generally* a bad idea if you're paid to protect »

A reminder that CSRF affects more than websites

Maksymilian Arciemowicz has published an advisory outlining how one can perform CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd.

    <img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME";>

The NetBSD team addressed this issue by failing on large commands. The interesting thing here is that since CSRF tokens are not available in FTP, the developers were forced to remove functionality in order to mitigate this. Makes you wonder what other features may disappear from non web services in the future, to mitigate attacks launched from websites....

Full Advisory: http://seclists.org/bugtraq/2010/May/218


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!