CVE-2009-3095

Published: Sep 8, 2009Modified: Apr 23, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11.

Affected (15)

Products: Apache: Http Server · Fedoraproject: Fedora · Debian: Debian Linux · +3 more

Show all products

Apache: Http Server · Fedoraproject: Fedora · Debian: Debian Linux · Opensuse: Opensuse · Suse: Linux Enterprise Desktop, Linux Enterprise Server · Apple: Mac Os X

1 product

1 product

1 product

1 product

2 products

Linux Enterprise Desktop

Linux Enterprise Server

Apple

1 product

Mac Os X

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Http Server	From 2.0.35 to 2.0.64
Apache Http Server	From 2.2.0 to 2.2.14

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 10
Fedoraproject Fedora	Version 12

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 4.0

Configuration D

9 vulnerable

Vulnerable Software	Affected Versions
Opensuse Opensuse	Version 10.3
Opensuse Opensuse	Version 11.0
Opensuse Opensuse	Version 11.1
Suse Linux Enterprise Desktop	Version 10 sp2
Suse Linux Enterprise Desktop	Version 10 sp3
Suse Linux Enterprise Server	Version 10 sp2
Suse Linux Enterprise Server	Version 10 sp3
Suse Linux Enterprise Server	Version 11
Suse Linux Enterprise Server	Version 9

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Apple Mac Os X	Before 10.6.3

References (78)

http://intevydis.com/vd-list.shtml

Source: cve@mitre.org

Broken Link

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=126998684522511&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=127557640302499&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=130497311408250&w=2

Source: cve@mitre.org

Not ApplicableThird Party Advisory

http://marc.info/?l=bugtraq&m=133355494609819&w=2

Source: cve@mitre.org

Issue TrackingMailing ListThird Party Advisory

http://secunia.com/advisories/37152

Source: cve@mitre.org

Not ApplicableThird Party Advisory

http://support.apple.com/kb/HT4077

Source: cve@mitre.org

Third Party Advisory

http://wiki.rpath.com/Advisories:rPSA-2009-0155

Source: cve@mitre.org

Broken Link

http://www.debian.org/security/2009/dsa-1934

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/archive/1/508075/100/0/threaded

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=522209

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rad2acee3ab838b52c04a0698b1728a9a43467bf365bd481c993c535d%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

Source: cve@mitre.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8662

Source: cve@mitre.org

Third Party Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9363

Source: cve@mitre.org

Third Party Advisory

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00645.html

Source: cve@mitre.org

Third Party Advisory

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00944.html

Source: cve@mitre.org

Third Party Advisory

http://intevydis.com/vd-list.shtml