httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: CVE-2009-3094, CVE-2009-3095: mod_proxy_ftp issues
Date Fri, 11 Sep 2009 14:52:12 GMT
On Thu, Sep 10, 2009 at 07:02:01PM +0200, Stefan Fritsch wrote:
> The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095 
> there is only little information. But looking at the code, it seems 
> the username and password sent by the browser are sent to the ftp 
> server without sanitization (i.e. they can contain LF characters).

Spot on, good catch.

Using "Authorization: Basic RkVBVApGRUFUCg==" results in:

read(11, "220 (vsFTPd 2.0.6)\r\n", 8000) = 20
write(2, "[Fri Sep 11 15:46:18 2009] [debu"..., 88) = 88
writev(11, [{"USER FEAT\nFEAT\n\r\n", 17}], 1) = 17
write(2, "[Fri Sep 11 15:46:18 2009] [debu"..., 87) = 87

I think this should be sufficient - any other characters it's worth 
filtering for?

--- mod_proxy_ftp.c	(revision 813335)
+++ mod_proxy_ftp.c	(working copy)
@@ -974,6 +974,10 @@
          * allocations are temporary and can be tossed away any time.
          */
         user = ap_getword_nulls(r->connection->pool, &password, ':');
+        if (ap_strchr(user, '\r') || ap_strchr(user, '\n')) {
+            return ap_proxyerror(r, HTTP_BAD_REQUEST, 
+                                 "user credentials included embedded newline");
+        }
         r->ap_auth_type = "Basic";
         r->user = r->parsed_uri.user = user;
     }
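Review bot: the new check at the top of the hunk inspects only `user`; `password`, which `ap_getword_nulls` fills from the same decoded credential on the line just above, gets no CR/LF check even though the quoted report says both the username and the password are forwarded to the FTP server unsanitized. Suggest covering both halves, e.g. `if (ap_strchr(user, '\r') || ap_strchr(user, '\n') || ap_strchr(password, '\r') || ap_strchr(password, '\n'))`, or checking the decoded blob once before it is split on ':'. Minor: the trailing space after `HTTP_BAD_REQUEST,` should go.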
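The check discussed in this thread, as an added example that is not code from the thread or from httpd: a self-contained C version that decodes the Basic credential quoted above and rejects CR or LF in either the user or the password field, since both end up in FTP USER/PASS commands. The base64 decoder is a constructed helper standing in for APR's apr_base64_decode; the credential strings are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, -1 if invalid. */
static int b64_val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Constructed base64 decoder (stand-in for apr_base64_decode).
 * Returns the number of bytes written to out, or -1 on bad input. */
int b64_decode(const char *in, unsigned char *out, size_t outlen) {
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64_val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
            acc &= (1u << bits) - 1;   /* keep only the leftover bits */
        }
    }
    return (int)n;
}

/* 1 if the decoded "user:password" blob is free of CR and LF, else 0.
 * Checking the blob before the ':' split covers both fields at once. */
int credentials_are_clean(const unsigned char *cred, int len) {
    for (int i = 0; i < len; i++)
        if (cred[i] == '\r' || cred[i] == '\n') return 0;
    return 1;
}

/* Decode a Basic Authorization value and validate it: 1 means the proxy
 * may forward the credentials, 0 means it should answer 400 Bad Request. */
int basic_auth_is_clean(const char *b64) {
    unsigned char buf[256];
    int len = b64_decode(b64, buf, sizeof buf);
    return len < 0 ? 0 : credentials_are_clean(buf, len);
}

int main(void) {
    /* The value from the message decodes to "FEAT\nFEAT\n" and is rejected. */
    printf("RkVBVApGRUFUCg== clean: %d\n", basic_auth_is_clean("RkVBVApGRUFUCg=="));
    printf("dXNlcjpwYXNz clean: %d\n", basic_auth_is_clean("dXNlcjpwYXNz"));
    return 0;
}
```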
