dev@httpd.apache.org • 11 September 2009 • 1:02AM -0400

CVE-2009-3094, CVE-2009-3095: mod_proxy_ftp issues
by Stefan Fritsch

Hi,

in case you haven't noticed yet, some new mod_proxy_ftp issues have
been reported:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094

The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13
allows remote FTP servers to cause a denial of service (NULL pointer
dereference and child process crash) via a malformed reply to an EPSV
command.


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095

The mod_proxy_ftp module in the Apache HTTP Server allows remote
attackers to bypass intended access restrictions and send arbitrary
commands to an FTP server via vectors related to the embedding of
these commands in the Authorization HTTP header, as demonstrated by a
certain module in VulnDisco Pack Professional 8.11.


The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095
there is only little information. But looking at the code, it seems
the username and password sent by the browser are sent to the ftp
server without sanitization (i.e. they can contain LF characters).

Cheers,
Stefan

--- a/modules/proxy/mod_proxy_ftp.c
+++ b/modules/proxy/mod_proxy_ftp.c
@@ -1351,10 +1351,6 @@ static int proxy_ftp_handler(request_rec *r,
proxy_worker *worker,
                     connect = 1;
                 }
             }
-            else {
-                /* and try the regular way */
-                apr_socket_close(data_sock);
-            }
         }
     }

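Review bot: The removed `else` at -1351 takes the only comment documenting the fallback (`/* and try the regular way */`) with it, so nothing at this site now explains why a failed parse falls through without cleanup. Leave a short comment in place of the branch saying that `data_sock` is not closed here and why, since the mail ties the crash to a NULL pointer dereference on a malformed EPSV reply. The patch is marked untested, so it also needs a run against a server that returns such a reply before it is committed, and the 2.0.63 tree named in the CVE text should be checked separately.
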
@@ -1441,10 +1437,6 @@ static int proxy_ftp_handler(request_rec *r,
proxy_worker *worker,
                     connect = 1;
                 }
             }
-            else {
-                /* and try the regular way */
-                apr_socket_close(data_sock);
-            }
         }
     }
/*bypass:*/
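
Review bot: The mail and the CVE text only mention the EPSV reply, yet the same `apr_socket_close(data_sock)` branch is dropped at this second site (-1441); the commit message should say which reply this branch handles and whether the same malformed input reaches it. Please also confirm that `data_sock` can never be a live socket when control arrives here with `connect` still unset, because with the close gone that case would leak the socket instead of releasing it.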

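The sanitization the message says is missing for CVE-2009-3095, as an added example that is not part of the original mail or of httpd's code: decoded Basic credentials are rejected if the user name or password contains CR, LF or another control byte before any USER/PASS line is built. The function names and sample strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if s fits on one FTP command line (no CR, LF or control bytes). */
static int ftp_arg_is_safe(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Write "VERB arg\r\n" into out. Returns 0 on success, -1 if arg is
 * unsafe or the result would not fit. */
static int ftp_build_cmd(char *out, size_t outlen,
                         const char *verb, const char *arg)
{
    int n;
    if (!ftp_arg_is_safe(arg))
        return -1;
    n = snprintf(out, outlen, "%s %s\r\n", verb, arg);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Split decoded Basic credentials "user:password" (modified in place)
 * and build the USER and PASS lines. Returns 0, or -1 to reject. */
static int ftp_build_login(char *creds, char *user_cmd, char *pass_cmd,
                           size_t cmdlen)
{
    char *colon = strchr(creds, ':');
    if (colon == NULL)
        return -1;
    *colon = '\0';
    if (ftp_build_cmd(user_cmd, cmdlen, "USER", creds) != 0)
        return -1;
    return ftp_build_cmd(pass_cmd, cmdlen, "PASS", colon + 1);
}

int main(void)
{
    char ok[] = "anonymous:guest@example.org";  /* constructed sample */
    char bad[] = "anonymous:guest\nNOOP";       /* constructed: LF in password */
    char u[64], p[64];
    printf("clean: %d\n", ftp_build_login(ok, u, p, sizeof u));
    printf("with LF: %d\n", ftp_build_login(bad, u, p, sizeof u));
    return 0;
}
```

Rejecting the request outright, rather than stripping the offending bytes, keeps the proxy from forwarding credentials that differ from what the client sent.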
