Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 293788 (CVE-2009-3898)

Summary: <www-servers/nginx-0.7.64 WebDAV Directory traversal vulnerability (CVE-2009-3898)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial CC: cla, hollow, voxus
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 293785    
Bug Blocks:    

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-11-20 01:23:08 UTC
Quoted from $URL:

A security issue has been discovered in nginx, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to nginx not properly verifying the path for the WebDAV "MOVE" and "COPY" methods, which can be exploited to e.g. write to files outside the specified document root.

Successful exploitation requires that the server has been compiled with the http_dav_module and that the attacker is allowed to use the "MOVE" or "COPY" methods.

The security issue is reported in version 0.7.61 and confirmed in version 0.7.62. Other versions may also be affected."

The webdav USE-flag is not enabled by default.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-26 08:25:39 UTC
CVE-2009-3898 (
  Directory traversal vulnerability in
  src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before
  0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to
  create or overwrite arbitrary files via a .. (dot dot) in the
  Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method.

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:51:27 UTC
C1 needs a GLSA, request filed.
Comment 3 Dirkjan Ochtman gentoo-dev 2010-03-04 11:46:18 UTC
0.7.64 is in the stable trees, resolving.
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-04 11:56:07 UTC
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 17:56:26 UTC
Dirkjan, do not close security bugs, if you're not sure it's the right thing to close them.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-03-28 10:59:42 UTC
This issue was resolved and addressed in
 GLSA 201203-22 at
by GLSA coordinator Sean Amoss (ackle).
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-09 23:52:53 UTC
*** Bug 286391 has been marked as a duplicate of this bug. ***