httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: CVE-2009-3094, CVE-2009-3095: mod_proxy_ftp issues
Date Thu, 10 Sep 2009 17:24:24 GMT
Stefan Fritsch wrote:
> Hi,
> in case you haven't noticed yet, some new mod_proxy_ftp issues have 
> been reported:
> The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the 
> mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 
> allows remote FTP servers to cause a denial of service (NULL pointer 
> dereference and child process crash) via a malformed reply to an EPSV 
> command.

The security list is discussing this issue.

> The mod_proxy_ftp module in the Apache HTTP Server allows remote 
> attackers to bypass intended access restrictions and send arbitrary 
> commands to an FTP server via vectors related to the embedding of 
> these commands in the Authorization HTTP header, as demonstrated by a 
> certain module in VulnDisco Pack Professional 8.11.
> The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095 
> there is only little information. But looking at the code, it seems 
> the username and password sent by the browser are sent to the ftp 
> server without sanitization (i.e. they can contain LF characters).

While we should fix this, this is likely to be an FTP bug; FTP commands
must be <CR><LF> terminated, as spelled out in RFC854, RFC959 and later
clarified further by RFC1123.

If we transliterate <LF> to <CR><LF> then this is an httpd mod_proxy_ftp
issue, of course, and we should sanitize the data.

As these are already disclosed, the final patches will simply be committed
and discussion will move to this list.
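
An added example, not part of the message above or of httpd's code: it shows why a bare LF in a user name only becomes a second command when the receiving side treats LF as a line terminator, and how rejecting CR and LF before formatting the command closes the gap either way. The function names and the sample user name are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if arg can be sent as one FTP command argument: non-empty and
 * free of CR and LF, either of which could end the command line early. */
static int ftp_arg_is_safe(const char *arg)
{
    return arg != NULL && *arg != '\0' && strpbrk(arg, "\r\n") == NULL;
}

/* Build "VERB arg<CR><LF>" in out. Returns the length written, or -1 if
 * the argument is rejected or the result does not fit. */
static int ftp_build_command(char *out, size_t outlen,
                             const char *verb, const char *arg)
{
    int n;
    if (!ftp_arg_is_safe(arg))
        return -1;
    n = snprintf(out, outlen, "%s %s\r\n", verb, arg);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Count the command lines a receiver would see in buf.
 * strict != 0: only <CR><LF> ends a line; strict == 0: bare <LF> does too. */
static int ftp_count_commands(const char *buf, int strict)
{
    int count = 0;
    const char *p;
    for (p = buf; *p; p++) {
        if (*p == '\n' && (!strict || (p > buf && p[-1] == '\r')))
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a user name carrying an embedded LF. */
    const char *user = "anonymous\nNOOP";
    char raw[128], safe[128];

    /* Formatting without a check, as the quoted report describes. */
    snprintf(raw, sizeof raw, "USER %s\r\n", user);
    printf("CRLF-only receiver sees %d command(s)\n", ftp_count_commands(raw, 1));
    printf("LF-tolerant receiver sees %d command(s)\n", ftp_count_commands(raw, 0));
    printf("checked builder returns %d\n",
           ftp_build_command(safe, sizeof safe, "USER", user));
    return 0;
}
```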
