OpenBSD ftpd Long Command Processing Vulnerability

Report ID: SA32070
Source: Secunia
Date of Discovery: 29.09.2008
Criticality: Low
Affects:
OpenBSD 4.3

Compromise From: From remote
Compromise Type: Cross site scripting

Summary

A vulnerability has been reported in OpenBSD ftpd, which can be exploited by malicious people to conduct cross-site request forgery attacks.

Detailed Description

The vulnerability is caused by the application truncating an overly long FTP command and improperly interpreting the remainder of the string as a new FTP command. This can be exploited to execute arbitrary FTP commands with the privileges of another user, e.g. by tricking the user into following a malicious link.
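The truncation behaviour described above, shown next to a reader that rejects and drains an overlong line, as an added example that is not OpenBSD's ftpd code. `CMD_MAX`, the function names and the sample input are assumptions made for the illustration.

```c
#include <stdio.h>

#define CMD_MAX 16  /* assumed small limit for the demo; not ftpd's real buffer size */

/* Reads one chunk of at most CMD_MAX-1 bytes, stopping after '\n'.
 * Returns bytes stored, 0 at end of input (fgets-style reading). */
static size_t read_chunk(const char **in, char *buf) {
    size_t n = 0;
    while (**in && n < CMD_MAX - 1) {
        buf[n] = *(*in)++;
        if (buf[n++] == '\n') break;
    }
    buf[n] = '\0';
    return n;
}

/* Flawed pattern: every chunk is treated as a complete command, so the
 * tail of an overlong line is parsed as a separate command. */
int commands_seen_truncating(const char *in) {
    char buf[CMD_MAX];
    int count = 0;
    while (read_chunk(&in, buf) > 0) count++;
    return count;
}

/* Hardened pattern: a chunk without a trailing newline means the line was
 * too long; reject it and drain the rest of that line before parsing again. */
int commands_seen_discarding(const char *in, int *rejected) {
    char buf[CMD_MAX];
    size_t n;
    int count = 0;
    *rejected = 0;
    while ((n = read_chunk(&in, buf)) > 0) {
        if (buf[n - 1] == '\n') { count++; continue; }
        (*rejected)++;
        while ((n = read_chunk(&in, buf)) > 0 && buf[n - 1] != '\n') ;
    }
    return count;
}

/* Constructed sample: one normal command, then one overlong line. */
static const char SAMPLE[] = "NOOP\r\nAAAAAAAAAAAAAAANOOP\r\n";

int main(void) {
    int rej, ok = commands_seen_discarding(SAMPLE, &rej);
    printf("truncating: %d commands\n", commands_seen_truncating(SAMPLE));
    printf("discarding: %d commands, %d rejected\n", ok, rej);
    return 0;
}
```

The sender transmitted two lines; the truncating reader reports three commands, while the discarding reader reports one command and one rejected line.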

CVE Reference

CVE-2008-4247