A flaw was found in the mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server.
Unitrends is not vulnerable. Unitrends does not enable or configure an FTP server, and also does not load any mod_proxy modules for HTTP.
- CentOS6 systems come with httpd-2.2.15-30 which contains the fix.
- For CentOS5, httpd-2.2.3-31.el5_4.2 or later has this fix.
- Upstream Apache httpd 2.2.14 contains the fix.
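
To confirm both conditions on a host (whether mod_proxy_ftp is loaded, and whether the installed httpd build is at or above the fixed builds listed above), the following added example can be used; it is not Unitrends or Apache code. The function names and sample module listings are constructed for illustration, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample listings are constructed.

# Succeeds if the `httpd -M` listing on stdin shows mod_proxy_ftp loaded.
proxy_ftp_loaded() {
    grep -Eq '^[[:space:]]*proxy_ftp_module[[:space:]]'
}

# Fixed httpd version-release per CentOS major release (values from the list above).
fixed_build_for() {
    case "$1" in
        5) echo "2.2.3-31.el5_4.2" ;;
        6) echo "2.2.15-30" ;;
        *) return 1 ;;
    esac
}

# Succeeds if installed build $1 sorts at or above fixed build $2.
# Assumption: GNU `sort -V` ordering stands in for RPM's own comparison.
at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# $1 = CentOS major release, $2 = installed version-release, stdin = `httpd -M` output.
assess() {
    fixed=$(fixed_build_for "$1") || { echo "release=unknown"; return 0; }
    if proxy_ftp_loaded; then module=loaded; else module=absent; fi
    if at_least "$2" "$fixed"; then fix=present; else fix=missing; fi
    echo "proxy_ftp=$module fix=$fix"
}

# Constructed sample listings in the format printed by `httpd -M`.
SAMPLE_PLAIN='Loaded Modules:
 core_module (static)
 ssl_module (shared)'
SAMPLE_PROXY='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_ftp_module (shared)'

printf '%s\n' "$SAMPLE_PLAIN" | assess 6 "2.2.15-30.el6.centos"
printf '%s\n' "$SAMPLE_PROXY" | assess 5 "2.2.3-22.el5.centos"

# On a live host:
#   httpd -M 2>&1 | assess 6 "$(rpm -q --qf '%{VERSION}-%{RELEASE}' httpd)"
```

A result of `proxy_ftp=loaded fix=missing` is the only combination that needs follow-up; the flaw additionally requires a reverse proxy configuration that forwards to an FTP server.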