| Summary: | www-servers/apache[apache2_modules_proxy_ftp] before 2.2.14: NULL pointer deref DoS, access restriction bypass (CVE-2009-{3094,3095}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | apache-bugs |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.intevydis.com/blog/?p=59 | | |
| Whiteboard: | C3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Alex Legler (RETIRED)
2009-09-05 08:23:07 UTC
The Secunia advisory indicates that there is no patch yet.

CVE-2009-3094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3094): The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.

CVE-2009-3095 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3095): The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.

2.2.14 is out with fix: http://www.apache.org/dist/httpd/CHANGES_2.2.14

2.2.14 in cvs

2.2.14-r1 is already stable. proxy_ftp is not enabled by default, if I see it correctly, thus I re-rate C3, and voting is needed. Vote: NO.

NO too, closing.
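
The CVE-2009-3094 description quoted in this report concerns a NULL pointer dereference triggered by a malformed reply to EPSV. As an added illustration (not code from this bug report, and not Apache's proxy_ftp.c), the C function below parses an RFC 2428 EPSV reply and checks every search result before dereferencing it; the name `parse_epsv_reply` and the sample replies are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse an RFC 2428 EPSV reply, e.g.
 *   "229 Entering Extended Passive Mode (|||6446|)"
 * Returns the port (1-65535), or -1 if the reply is malformed.
 * Every search result is checked before it is dereferenced. */
int parse_epsv_reply(const char *reply)
{
    const char *open, *close, *p;
    char delim, *end;
    unsigned long port;

    if (reply == NULL || strncmp(reply, "229", 3) != 0)
        return -1;
    open = strchr(reply, '(');
    if (open == NULL)
        return -1;                       /* no "(" at all */
    close = strchr(open, ')');
    if (close == NULL || close - open < 6)
        return -1;                       /* shorter than "(|||N|)" */
    delim = open[1];
    if (delim < 33 || delim > 126 || open[2] != delim || open[3] != delim)
        return -1;                       /* delimiter: ASCII 33-126, three times */
    p = open + 4;
    if (*p < '0' || *p > '9')
        return -1;                       /* strtoul would accept sign or space */
    errno = 0;
    port = strtoul(p, &end, 10);
    if (errno != 0 || *end != delim || end + 1 != close)
        return -1;                       /* overflow or trailing junk */
    if (port == 0 || port > 65535)
        return -1;
    return (int)port;
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    const char *samples[] = {
        "229 Entering Extended Passive Mode (|||6446|)",
        "229 Entering Extended Passive Mode",
        "229 ok (|||70000|)",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-48s -> %d\n", samples[i], parse_epsv_reply(samples[i]));
    return 0;
}
```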