Hi,

in case you haven't noticed yet, some new mod_proxy_ftp issues have 
been reported:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094

The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the 
mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 
allows remote FTP servers to cause a denial of service (NULL pointer 
dereference and child process crash) via a malformed reply to an EPSV 
command.


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095

The mod_proxy_ftp module in the Apache HTTP Server allows remote 
attackers to bypass intended access restrictions and send arbitrary 
commands to an FTP server via vectors related to the embedding of 
these commands in the Authorization HTTP header, as demonstrated by a 
certain module in VulnDisco Pack Professional 8.11.


The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095 
there is only a little information. But looking at the code, it seems 
the username and password sent by the browser are sent to the FTP 
server without sanitization (i.e. they can contain LF characters).

Cheers,
Stefan

--- a/modules/proxy/mod_proxy_ftp.c
+++ b/modules/proxy/mod_proxy_ftp.c
@@ -1351,10 +1351,6 @@ static int proxy_ftp_handler(request_rec *r, 
proxy_worker *worker,
                     connect = 1;
                 }
             }
-            else {
-                /* and try the regular way */
-                apr_socket_close(data_sock);
-            }
         }
     }

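Review bot: dropping the else branch at line 1351 also drops the only apr_socket_close(data_sock) visible on this fallback path, and the message does not say why the socket can never be open when that branch runs. If the crash is data_sock being NULL at this point, a guarded close (if (data_sock) apr_socket_close(data_sock);) would avoid the dereference without risking a leaked socket on fallback; otherwise please state in the commit message where data_sock is created and closed so the removal can be checked. Since the patch is marked untested, this path needs a test run before it is applied.
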
@@ -1441,10 +1437,6 @@ static int proxy_ftp_handler(request_rec *r, 
proxy_worker *worker,
                     connect = 1;
                 }
             }
-            else {
-                /* and try the regular way */
-                apr_socket_close(data_sock);
-            }
         }
     }
 /*bypass:*/
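
Review bot: the same else branch is removed a second time at line 1441, but the CVE text quoted in the message names only a malformed EPSV reply, and neither the hunk context nor the message says which command this second block handles. Please explain in the commit message why both sites need the change. The comment "and try the regular way" is lost here as well, so a short replacement comment saying that the fallback now proceeds without closing data_sock would help the next reader.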


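The sanitization gap described above for CVE-2009-3095, as an added example (not part of the original message and not Apache's code): a check that refuses CR, LF and other control bytes in a decoded username or password before it is placed in an FTP command line. The function names and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if s may be placed in a single FTP command line: not NULL and
 * free of CR, LF and every other control byte (0x01-0x1F, 0x7F). */
static int ftp_arg_is_clean(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;

    if (s == NULL)
        return 0;
    for (; *p != '\0'; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Writes "<verb> <arg>\r\n" into out. Returns the length written, or -1
 * if the argument is rejected or does not fit (it never truncates). */
static int ftp_build_command(char *out, size_t outlen,
                             const char *verb, const char *arg)
{
    int n;

    if (!ftp_arg_is_clean(arg))
        return -1;
    n = snprintf(out, outlen, "%s %s\r\n", verb, arg);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    char buf[64];
    /* Constructed sample values, as decoded from a Basic Authorization header. */
    const char *ok = "anonymous";
    const char *bad = "anonymous\r\nNOOP";

    printf("clean:  %d\n", ftp_build_command(buf, sizeof buf, "USER", ok));
    printf("reject: %d\n", ftp_build_command(buf, sizeof buf, "USER", bad));
    return 0;
}
```

Rejecting the request outright, rather than stripping the offending bytes, keeps the proxy from sending a credential the client never supplied.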