|Summary:||<www-servers/nginx-0.7.64 WebDAV Directory traversal vulnerability (CVE-2009-3898)|
|Product:||Gentoo Security||Reporter:||Stefan Behte (RETIRED) <craig>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||trivial||CC:||cla, hollow, voxus|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||293785|
Description Stefan Behte (RETIRED) 2009-11-20 01:23:08 UTC
Quoted from $URL: "Description: A security issue has been discovered in nginx, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to nginx not properly verifying the path for the WebDAV "MOVE" and "COPY" methods, which can be exploited to e.g. write to files outside the specified document root. Successful exploitation requires that the server has been compiled with the http_dav_module and that the attacker is allowed to use the "MOVE" or "COPY" methods. The security issue is reported in version 0.7.61 and confirmed in version 0.7.62. Other versions may also be affected."
The webdav USE-flag is not enabled by default.
Comment 1 Alex Legler (RETIRED) 2009-11-26 08:25:39 UTC
CVE-2009-3898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3898): Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before 0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to create or overwrite arbitrary files via a .. (dot dot) in the Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method.
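The class of check the CVE text implies, as an added example that is not part of this bug report and is not nginx's code or its actual fix: reject a Destination value whose path contains a ".." segment once percent-escapes are decoded. The function name `dav_destination_is_safe` is hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper: 1 if the Destination value ("/path" or
 * "scheme://host/path") has no ".." segment after percent-decoding,
 * 0 if it does or is malformed. */
int dav_destination_is_safe(const char *dest)
{
    const char *p = dest;
    if (*p != '/') {                       /* absolute URI form */
        const char *s = strchr(dest, ':');
        if (s == NULL || strncmp(s, "://", 3) != 0
            || memchr(dest, '/', (size_t)(s - dest)) != NULL)
            return 0;
        p = strchr(s + 3, '/');            /* skip the authority */
        if (p == NULL) return 0;
    }
    size_t seg_len = 0;                    /* decoded length of segment */
    int only_dots = 1;                     /* segment is all '.' so far */
    for (;; p++) {
        int c = (unsigned char)*p;
        int end = (c == '\0');
        if (c == '%') {                    /* decode before comparing */
            int hi = hexval((unsigned char)p[1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return 0;          /* malformed escape */
            c = hi * 16 + lo;
            if (c == '\0') return 0;       /* encoded NUL */
            p += 2;
        }
        if (end || c == '/' || c == '\\') {
            if (seg_len == 2 && only_dots) return 0;   /* ".." segment */
            if (end) return 1;
            seg_len = 0;
            only_dots = 1;
            continue;
        }
        seg_len++;
        if (c != '.') only_dots = 0;
    }
}
```

A string check like this is a first filter only; the resolved destination should still be confirmed to lie under the configured document root before any write.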
Comment 2 Stefan Behte (RETIRED) 2010-02-06 15:51:27 UTC
C1 needs a GLSA, request filed.
Comment 3 Dirkjan Ochtman 2010-03-04 11:46:18 UTC
0.7.64 is in the stable trees, resolving.
Comment 4 Alex Legler (RETIRED) 2010-03-04 11:56:07 UTC
Comment 5 Stefan Behte (RETIRED) 2010-03-06 17:56:26 UTC
Dirkjan, do not close security bugs if you're not sure it's the right thing to close them.
Comment 6 GLSAMaker/CVETool Bot 2012-03-28 10:59:42 UTC
This issue was resolved and addressed in GLSA 201203-22 at http://security.gentoo.org/glsa/glsa-201203-22.xml by GLSA coordinator Sean Amoss (ackle).