Bug 293788 (CVE-2009-3898) - <www-servers/nginx-0.7.64 WebDAV Directory traversal vulnerability (CVE-2009-3898)
Alias: CVE-2009-3898
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
Whiteboard: C1 [glsa]
Duplicates: 286391
Depends on: 293785
Reported: 2009-11-20 01:23 UTC by Stefan Behte (RETIRED)
Modified: 2014-12-09 23:52 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-11-20 01:23:08 UTC
Quoted from $URL:

"A security issue has been discovered in nginx, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to nginx not properly verifying the path for the WebDAV "MOVE" and "COPY" methods, which can be exploited to e.g. write to files outside the specified document root.

Successful exploitation requires that the server has been compiled with the http_dav_module and that the attacker is allowed to use the "MOVE" or "COPY" methods.

The security issue is reported in version 0.7.61 and confirmed in version 0.7.62. Other versions may also be affected."

The webdav USE-flag is not enabled by default.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-26 08:25:39 UTC
CVE-2009-3898:
  Directory traversal vulnerability in
  src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before
  0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to
  create or overwrite arbitrary files via a .. (dot dot) in the
  Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method.
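
The path check that the CVE description above calls for, as an added example that is not part of this bug report and is not nginx's own code: a hypothetical helper, `dav_destination_is_safe`, that rejects a Destination header value whose path contains a `..` segment, including percent-encoded forms. It assumes a single round of percent-decoding and that the caller still confines the resulting path to the DAV root.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Value of the %XX escape starting at p, or -1 if it is malformed. */
static int hex_pair(const char *p)
{
    if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
        return -1;
    char buf[3] = { p[1], p[2], '\0' };
    return (int)strtol(buf, NULL, 16);
}

/* Hypothetical helper (not nginx code): 1 if the Destination path has no
 * ".." segment after one round of percent-decoding, 0 if it has one or is
 * malformed. Accepts "/path" or "scheme://host/path". */
int dav_destination_is_safe(const char *dest)
{
    const char *p = dest;
    if (*p != '/' && (p = strstr(dest, "://")) != NULL)
        p = strchr(p + 3, '/');        /* absolute URI: skip authority */
    if (p == NULL || *p != '/')
        return 0;                      /* no absolute path to check */
    size_t seg_len = 0;                /* decoded length of this segment */
    int only_dots = 1;                 /* segment is all '.' so far */
    for (;; p++) {
        int c = (unsigned char)*p;
        int at_end = (c == '\0' || c == '?' || c == '#');
        if (c == '%') {
            c = hex_pair(p);
            if (c <= 0)
                return 0;              /* bad escape or encoded NUL */
            p += 2;
        }
        if (!at_end && c != '/') {     /* ordinary byte of a segment */
            seg_len++;
            only_dots = only_dots && c == '.';
            continue;
        }
        if (seg_len == 2 && only_dots) /* decoded %2F also ends a segment */
            return 0;                  /* ".." segment: reject */
        if (at_end)
            return 1;
        seg_len = 0;
        only_dots = 1;
    }
}
```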

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:51:27 UTC
C1 needs a GLSA, request filed.
Comment 3 Dirkjan Ochtman gentoo-dev 2010-03-04 11:46:18 UTC
0.7.64 is in the stable trees, resolving.
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-04 11:56:07 UTC
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 17:56:26 UTC
Dirkjan, do not close security bugs if you're not sure it's the right thing to close them.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-03-28 10:59:42 UTC
This issue was resolved and addressed in
 GLSA 201203-22 at
by GLSA coordinator Sean Amoss (ackle).
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-09 23:52:53 UTC
*** Bug 286391 has been marked as a duplicate of this bug. ***