CVE-2009-3095: Apache httpd mod_proxy_ftp FTP command injection

CVE ID

CVE-2009-3095

DESCRIPTION

A flaw was found in the mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server.

Severity: low

Unitrends is not vulnerable. Unitrends does not enable or configure an FTP server, and also does not load any mod_proxy modules for HTTP.

RESOLUTION

Fixed in:

  • CentOS6 systems come with httpd-2.2.15-30 which contains the fix.
  • For CentOS5, httpd-2.2.3-31.el5_4.2 or later has this fix.
  • Upstream Apache httpd 2.2.14
To update to the new version with the fix, either do 'yum update httpd’ from the command line, or perform an update from the UI.

LINK TO ADVISORIES

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us