httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: CVE-2009-3094, CVE-2009-3095: mod_proxy_ftp issues
Date Fri, 11 Sep 2009 20:51:11 GMT


On 09/11/2009 04:52 PM, Joe Orton wrote:
> On Thu, Sep 10, 2009 at 07:02:01PM +0200, Stefan Fritsch wrote:
>> The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095 
>> there is only little information. But looking at the code, it seems 
>> the username and password sent by the browser are sent to the ftp 
>> server without sanitization (i.e. they can contain LF characters).
> 
> Spot on, good catch.
> 
> using "Authorization: Basic RkVBVApGRUFUCg==" results in:
> 
> read(11, "220 (vsFTPd 2.0.6)\r\n", 8000) = 20
> write(2, "[Fri Sep 11 15:46:18 2009] [debu"..., 88) = 88
> writev(11, [{"USER FEAT\nFEAT\n\r\n", 17}], 1) = 17
> write(2, "[Fri Sep 11 15:46:18 2009] [debu"..., 87) = 87
> 
> I think this should be sufficient - any other characters it's worth 
> filtering for?

Seems sufficient to me. Don't we need to this as well a few lines
below for username and password fetched from the URL?

   else if ((user = r->parsed_uri.user) != NULL) {
        user = apr_pstrdup(p, user);
        decodeenc(user);
        if ((password = r->parsed_uri.password) != NULL) {
            char *tmp = apr_pstrdup(p, password);
            decodeenc(tmp);
            password = tmp;
        }
    }

Couldn't the username / password part of the URL contain %0A / %OD?

Regards

RĂ¼diger


Mime
View raw message