Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 283729 (CVE-2009-3094) - www-servers/apache[apache2_modules_proxy_ftp] before 2.2.14: NULL pointer deref DoS ,access restriction bypass (CVE-2009-{3094,3095})
Summary: www-servers/apache[apache2_modules_proxy_ftp] before 2.2.14: NULL pointer der...
Alias: CVE-2009-3094
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: C3 [noglsa]
Depends on:
Reported: 2009-09-05 08:23 UTC by Alex Legler (RETIRED)
Modified: 2010-08-14 14:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-05 08:23:07 UTC
From Secunia (

A vulnerability has been discovered in the Apache mod_proxy_ftp module, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in mod_proxy_ftp when processing responses received from FTP servers. This can be exploited to trigger a NULL-pointer dereference and crash an Apache child process via a malformed EPSV response.

Successful exploitation requires that a threaded Multi-Processing Module is used and that the mod_proxy_ftp module is enabled.

The vulnerability is confirmed in Apache versions 2.0.63 and 2.2.13. Other versions may also be affected.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-05 08:23:51 UTC
The Secunia advisory indicates that there is no patch yet.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-10 09:53:24 UTC
CVE-2009-3094 (
  The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
  mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13
  allows remote FTP servers to cause a denial of service (NULL pointer
  dereference and child process crash) via a malformed reply to an EPSV

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 22:49:02 UTC
CVE-2009-3095 (
  The mod_proxy_ftp module in the Apache HTTP Server allows remote
  attackers to bypass intended access restrictions and send arbitrary
  commands to an FTP server via vectors related to the embedding of
  these commands in the Authorization HTTP header, as demonstrated by a
  certain module in VulnDisco Pack Professional 8.11.  NOTE: as of
  20090903, this disclosure has no actionable information. However,
  because the VulnDisco Pack author is a reliable researcher, the issue
  is being assigned a CVE identifier for tracking purposes.

Comment 4 Hanno Böck gentoo-dev 2009-10-06 10:28:33 UTC
2.2.14 is out with fix:
Comment 5 Benedikt Böhm (RETIRED) gentoo-dev 2009-10-06 12:44:27 UTC
2.2.14 in cvs
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2010-01-11 08:07:12 UTC
2.2.14-r1 is already stable.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:16:23 UTC
proxy_ftp is not enabled by default, if I see it correctly, thus I re-rate C3, and voting is needed.

Vote: NO.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:28:04 UTC
NO too, closing.