On Thu, Sep 10, 2009 at 07:02:01PM +0200, Stefan Fritsch wrote:
> The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095
> there is only little information. But looking at the code, it seems
> the username and password sent by the browser are sent to the ftp
> server without sanitization (i.e. they can contain LF characters).
Spot on, good catch.
Using "Authorization: Basic RkVBVApGRUFUCg==" results in:
read(11, "220 (vsFTPd 2.0.6)\r\n", 8000) = 20
write(2, "[Fri Sep 11 15:46:18 2009] [debu"..., 88) = 88
writev(11, [{"USER FEAT\nFEAT\n\r\n", 17}], 1) = 17
write(2, "[Fri Sep 11 15:46:18 2009] [debu"..., 87) = 87
I think this should be sufficient - any other characters it's worth
filtering for?
--- mod_proxy_ftp.c (revision 813335)
+++ mod_proxy_ftp.c (working copy)
@@ -974,6 +974,10 @@
* allocations are temporary and can be tossed away any time.
*/
user = ap_getword_nulls(r->connection->pool, &password, ':');
+ if (ap_strchr(user, '\r') || ap_strchr(user, '\n')) {
+ return ap_proxyerror(r, HTTP_BAD_REQUEST,
+ "user credentials included embedded newline");
+ }
r->ap_auth_type = "Basic";
r->user = r->parsed_uri.user = user;
}
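Review bot: the new check only inspects `user`, but `password` (filled in by the same `ap_getword_nulls` call on the line above) is forwarded to the FTP server too and, as the quoted report notes, is equally unsanitized; a CR or LF in the password part would still end up inside the PASS command line. Extend the condition to cover both values, e.g. `if (ap_strchr(user, '\r') || ap_strchr(user, '\n') || ap_strchr(password, '\r') || ap_strchr(password, '\n'))`, and adjust the error message to say "credentials" rather than "user credentials" so it matches what is actually rejected.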
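The rejection check the thread settles on, as an added example that is not Apache httpd code: the hypothetical helpers below decode a Basic credential, split it at the first colon the way ap_getword_nulls does, and refuse the credential if either the user or the password contains a CR or LF, so neither half can terminate the USER or PASS command line early. The header value from the strace above is used as constructed test input.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Apache httpd code.  Hypothetical helpers that decode a
 * Basic-auth credential and reject CR/LF in the user or the password before
 * either could be forwarded to an FTP server as part of a command line. */

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 into out (nul-terminated).  Returns decoded length or -1 on
 * an invalid character or if out is too small. */
static int b64decode(const char *in, char *out, size_t outsz) {
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outsz) return -1;
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 if s contains neither CR nor LF, i.e. it cannot break out of a single
 * FTP command line; 0 otherwise. */
int no_crlf(const char *s) {
    return strchr(s, '\r') == NULL && strchr(s, '\n') == NULL;
}

/* Decode a Basic credential ("user:password" in base64).  Returns 1 and
 * copies the parts into user/pass only if both are free of CR/LF; returns 0
 * if the encoding is invalid, either part is too long, or either part
 * carries an embedded newline.  Both halves are checked, since both are
 * sent to the FTP server. */
int basic_credentials_ok(const char *b64, char *user, size_t usz,
                         char *pass, size_t psz) {
    char buf[512];
    if (b64decode(b64, buf, sizeof buf) < 0) return 0;

    /* Split at the first ':' like ap_getword_nulls(..., ':') would. */
    char *colon = strchr(buf, ':');
    const char *p = "";
    if (colon) {
        *colon = '\0';
        p = colon + 1;
    }
    if (strlen(buf) >= usz || strlen(p) >= psz) return 0;
    if (!no_crlf(buf) || !no_crlf(p)) return 0;

    strcpy(user, buf);
    strcpy(pass, p);
    return 1;
}
```

The proxy would call basic_credentials_ok on the decoded Authorization value and answer HTTP_BAD_REQUEST when it returns 0, before any USER or PASS line is written to the backend.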