Stefan Fritsch wrote:
> Hi,
>
> in case you haven't noticed yet, some new mod_proxy_ftp issues have
> been reported:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
>
> The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
> mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13
> allows remote FTP servers to cause a denial of service (NULL pointer
> dereference and child process crash) via a malformed reply to an EPSV
> command.
The security list is discussing this issue.

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
>
> The mod_proxy_ftp module in the Apache HTTP Server allows remote
> attackers to bypass intended access restrictions and send arbitrary
> commands to an FTP server via vectors related to the embedding of
> these commands in the Authorization HTTP header, as demonstrated by a
> certain module in VulnDisco Pack Professional 8.11.
>
>
> The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095
> there is only little information. But looking at the code, it seems
> the username and password sent by the browser are sent to the ftp
> server without sanitization (i.e. they can contain LF characters).

While we should fix this, this is likely to be an FTP bug; FTP commands must be <CR><LF> terminated, as spelled out in RFC854, RFC959 and later clarified further by RFC1123. If we transliterate <LF> to <CR><LF> then this is an httpd mod_proxy_ftp issue, of course, and we should sanitize the data. As these are already disclosed, the final patches will simply be committed and discussion will move to this list.
