Vigil@nce: Apache httpd, sending FTP commands via mod_proxy_ftp
September 2009 by Marc Jacob
An authenticated attacker can use mod_proxy_ftp to send FTP
commands to a remote FTP server.
Severity: 1/4
Consequences: user access/rights
Provenance: user account
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 22/09/2009
IMPACTED PRODUCTS
– Apache httpd
– Mandriva Corporate
– Mandriva Enterprise Server
– Mandriva Linux
– Mandriva Multi Network Firewall
DESCRIPTION OF THE VULNERABILITY
The Apache server contains a "mod_proxy_ftp" module which can be
used to manage FTP requests in proxy mode ("ProxyRequests On" in
the configuration file).
To authenticate to a remote FTP server, the proxy user can:
– add "user:pass" in the URL, or
– add an Authorization header containing "Basic base64(user:pass)".
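The proxy_ftp_handler() function of the modules/proxy/mod_proxy_ftp.c
file extracts the login and the password. However, it does not
check whether the password coming from the Authorization header
contains line feeds. Because each FTP command ends with a line
break, text placed after an embedded line feed reaches the FTP
server as a separate command.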
An attacker can for example use:
Authorization: Basic base64(user:pass\r\ncwd /)
in order to change the current directory.
An authenticated attacker can thus use mod_proxy_ftp to send FTP
commands to a remote FTP server.
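The missing check can be sketched as follows. This is an added example, not the httpd source or its patch: ftp_basic_credentials_ok() is a hypothetical helper that decodes the Basic value and refuses any control byte, which is stricter than testing for CR and LF only. The two inputs in main() are constructed from the strings shown above.

```c
#include <stdio.h>
#include <string.h>

/* Map one base64 character to its 6-bit value; -1 if outside the alphabet. */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 up to '=' or NUL into out; returns byte count, -1 on error. */
static long b64_decode(const char *in, unsigned char *out, size_t cap)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64_val((unsigned char)*in);
        if (v < 0 || n >= cap) return -1;
        acc = (acc << 6) | (unsigned int)v;
        if ((bits += 6) >= 8)
            out[n++] = (unsigned char)(acc >> (bits -= 8));
    }
    return (long)n;
}

/* Hypothetical helper: 1 if the Authorization value decodes to "user:pass"
 * with no control bytes, so it cannot end the FTP USER/PASS line early.
 * The scheme name is matched case-sensitively to keep the example short. */
int ftp_basic_credentials_ok(const char *header)
{
    unsigned char buf[256];
    long n, i;
    if (strncmp(header, "Basic ", 6) != 0) return 0;
    n = b64_decode(header + 6, buf, sizeof buf);
    if (n <= 0 || memchr(buf, ':', (size_t)n) == NULL) return 0;
    for (i = 0; i < n; i++)
        if (buf[i] < 0x20 || buf[i] == 0x7f) return 0; /* CR, LF, NUL, ... */
    return 1;
}

int main(void)
{
    /* Constructed inputs: base64 of "user:pass" and of the page's example. */
    printf("%d\n", ftp_basic_credentials_ok("Basic dXNlcjpwYXNz"));
    printf("%d\n", ftp_basic_credentials_ok("Basic dXNlcjpwYXNzDQpjd2QgLw=="));
    return 0;
}
```

The same test applies to credentials taken from the URL form once they have been percent-decoded.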
CHARACTERISTICS
Identifiers: CVE-2009-3095, MDVSA-2009:240, VIGILANCE-VUL-9038
Pointed by: VIGILANCE-VUL-9000
http://vigilance.fr/vulnerability/Apache-httpd-sending-FTP-commands-via-mod-proxy-ftp-9038