httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject CVE-2009-3094, CVE-2009-3095: mod_proxy_ftp issues
Date Thu, 10 Sep 2009 17:02:01 GMT
Hi,

in case you haven't noticed yet, some new mod_proxy_ftp issues have 
been reported:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094

The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the 
mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 
allows remote FTP servers to cause a denial of service (NULL pointer 
dereference and child process crash) via a malformed reply to an EPSV 
command.


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095

The mod_proxy_ftp module in the Apache HTTP Server allows remote 
attackers to bypass intended access restrictions and send arbitrary 
commands to an FTP server via vectors related to the embedding of 
these commands in the Authorization HTTP header, as demonstrated by a 
certain module in VulnDisco Pack Professional 8.11.


The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095 
there is little information. But looking at the code, it seems 
the username and password sent by the browser are sent to the ftp 
server without sanitization (i.e. they can contain LF characters).

Cheers,
Stefan

--- a/modules/proxy/mod_proxy_ftp.c
+++ b/modules/proxy/mod_proxy_ftp.c
@@ -1351,10 +1351,6 @@ static int proxy_ftp_handler(request_rec *r, 
proxy_worker *worker,
                     connect = 1;
                 }
             }
-            else {
-                /* and try the regular way */
-                apr_socket_close(data_sock);
-            }
         }
     }
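Review bot: the removed else branch is the only place in this hunk that released data_sock before control falls through to "the regular way", and the hunk does not show where data_sock is assigned, so the commit message should say whether the socket is still unassigned when this branch is reached on a malformed EPSV reply (in which case the apr_socket_close() call itself was the NULL dereference of CVE-2009-3094) or whether an open socket is now left to the pool cleanup; without that a reader cannot tell a fix from a leak. If it is the former, a one-line comment at the site such as `/* nothing to close here: no data socket exists yet on this path */` would preserve the reasoning for the next person who touches it.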

@@ -1441,10 +1437,6 @@ static int proxy_ftp_handler(request_rec *r, 
proxy_worker *worker,
                     connect = 1;
                 }
             }
-            else {
-                /* and try the regular way */
-                apr_socket_close(data_sock);
-            }
         }
     }
 /*bypass:*/
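Review bot: this is the same deletion as in the first hunk at a second copy of the fallback logic, and the `/*bypass:*/` context line shows that execution continues straight past both sites; since the fix depends on neither site closing data_sock, keep the two copies in step (ideally with the same explanatory comment at each, or by folding them into one helper), and add a regression test that feeds the handler a malformed EPSV reply so that a later reintroduction of the close is caught rather than crashing a child process again.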

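For the CVE-2009-3095 point above (credentials forwarded to the FTP server unsanitized), an added example in C that is not part of the patch or of mod_proxy_ftp: the hypothetical helpers ftp_arg_is_safe and ftp_build_command reject a USER/PASS argument containing CR or LF before any command line is formed, and ftp_count_lines shows that an accepted argument always yields exactly one command line.

```c
#include <stdio.h>
/* Hypothetical check (added example, not mod_proxy_ftp code): an argument
 * may go on an FTP command line only if it contains no CR or LF. */
static int ftp_arg_is_safe(const char *arg)
{
    for (; *arg; ++arg)
        if (*arg == '\r' || *arg == '\n')
            return 0;
    return 1;
}

/* Build "<verb> <arg>\r\n" into buf. Returns bytes written, or -1 if the
 * argument is rejected or does not fit; a proxy would then answer the
 * client with 400 Bad Request instead of talking to the FTP server. */
static int ftp_build_command(char *buf, size_t size,
                             const char *verb, const char *arg)
{
    if (!ftp_arg_is_safe(arg))
        return -1;
    int n = snprintf(buf, size, "%s %s\r\n", verb, arg);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Number of CRLF-terminated lines in buf: how many commands a server would parse. */
static int ftp_count_lines(const char *buf, int len)
{
    int count = 0;
    for (int i = 0; i + 1 < len; ++i)
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            ++count;
    return count;
}

/* Build into a scratch buffer and report the line count the server would
 * see: 1 when accepted, -1 when the argument was rejected. */
static int ftp_lines_for(const char *verb, const char *arg)
{
    char buf[512];
    int n = ftp_build_command(buf, sizeof buf, verb, arg);
    return n < 0 ? -1 : ftp_count_lines(buf, n);
}

int main(void)
{
    /* constructed sample credentials; the second carries a line break */
    printf("plain user: %d line(s)\n", ftp_lines_for("USER", "alice"));
    printf("user with CRLF: %d (rejected)\n", ftp_lines_for("USER", "alice\r\nNOOP"));
    return 0;
}
```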