Stefan Fritsch wrote:
> in case you haven't noticed yet, some new mod_proxy_ftp issues have
> been reported:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
> The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
> mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13
> allows remote FTP servers to cause a denial of service (NULL pointer
> dereference and child process crash) via a malformed reply to an EPSV
The security list is discussing this issue.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
> The mod_proxy_ftp module in the Apache HTTP Server allows remote
> attackers to bypass intended access restrictions and send arbitrary
> commands to an FTP server via vectors related to the embedding of
> these commands in the Authorization HTTP header, as demonstrated by a
> certain module in VulnDisco Pack Professional 8.11.
> The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095
> there is only little information. But looking at the code, it seems
> the username and password sent by the browser are sent to the ftp
> server without sanitization (i.e. they can contain LF characters).
While we should fix this, this is likely to be an FTP bug; FTP commands
must be <CR><LF> terminated, as spelled out in RFC854, RFC959 and later
clarified further by RFC1123.
If we transliterate <LF> to <CR><LF> then this is an httpd mod_proxy_ftp
issue, of course, and we should sanitize the data.
As these are already disclosed, the final patches will simply be committed
and discussion will move to this list.
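To make the sanitization point concrete, here is an added example in C; it is not httpd's mod_proxy_ftp code and not the patch referred to in the thread. The function names (ftp_arg_is_clean, build_ftp_command, command_is_accepted) and the sample credentials are hypothetical and constructed for the example. It rejects any credential taken from the Authorization header that contains CR or LF before it is placed into a USER or PASS line, so a value cannot terminate the current command and start another one on the FTP control connection.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical check (example code, not httpd's): a value destined for an
 * FTP command argument must contain neither CR nor LF. Both are rejected,
 * not only the CRLF pair, because some servers treat a bare LF as a line
 * terminator as well. */
int ftp_arg_is_clean(const char *arg)
{
    for (const char *p = arg; *p != '\0'; p++) {
        if (*p == '\r' || *p == '\n')
            return 0;
    }
    return 1;
}

/* Build a single CRLF-terminated FTP command such as "USER alice\r\n".
 * Returns the number of bytes written, or -1 if the argument is rejected
 * or the buffer is too small. The only line terminator in the output is
 * the one this function appends. */
int build_ftp_command(char *buf, size_t bufsize, const char *verb, const char *arg)
{
    if (!ftp_arg_is_clean(arg))
        return -1;
    int n = snprintf(buf, bufsize, "%s %s\r\n", verb, arg);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    return n;
}

/* Convenience wrapper: 1 if a command line would be sent, 0 if refused. */
int command_is_accepted(const char *verb, const char *arg)
{
    char line[512];
    return build_ftp_command(line, sizeof line, verb, arg) > 0;
}

int main(void)
{
    /* Constructed sample credentials: one benign, one carrying an embedded
     * line break that would otherwise split into a second command. */
    const char *samples[] = { "alice", "alice\r\nQUIT", "alice\nQUIT" };
    char line[512];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_ftp_command(line, sizeof line, "USER", samples[i]);
        if (n < 0)
            printf("sample %zu: rejected (contains CR or LF)\n", i);
        else
            printf("sample %zu: would send %d bytes: %.*s", i, n, n - 2, line);
        /* %.*s with n - 2 omits the trailing CRLF from the display. */
        if (n >= 0)
            putchar('\n');
    }
    return 0;
}
```

The check belongs at the point where the decoded Basic-auth username and password leave HTTP context and enter the FTP control stream; rejecting the request there (or returning 400 to the client) is simpler and safer than trying to escape the characters, since RFC 959 gives no escaping mechanism for command arguments.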