[UNIX] Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


The mod_proxy_ftp module of the Apache HTTP Server is vulnerable to a
cross-site scripting vulnerability when handling requests with wildcard
characters (aka globbing characters).


Vulnerable Systems:
* Apache HTTP Server version 2.2.9 (and earlier 2.2.x versions)
* Apache HTTP Server version 2.0.63 (and earlier 2.0.x versions)

Immune Systems:
* Apache HTTP Server 1.3.x (because mod_proxy_ftp doesn't support
wildcard characters)

Vendor status and information:
The developers were notified of this vulnerability on July 28, 2008 via
the private security mailing list security@xxxxxxxxxxx. They acknowledged
it within 12 hours. On July 29, they assigned it a CVE ID. On August 5,
the vulnerability was fixed in all SVN branches:

Commit to main trunk:

Commit to 2.2 branch:

Commit to 2.0 branch:

Detailed analysis:
When Apache HTTP Server is configured with proxy support ("ProxyRequests
On" in the configuration file), and when mod_proxy_ftp is enabled to
support FTP-over-HTTP, requests containing wildcard characters (asterisk,
tilde, opening square bracket, etc.) such as:
GET ftp://host/*<foo> HTTP/1.0

lead to cross-site scripting in the response returned by mod_proxy_ftp:
<h2>Directory of <a href="/">ftp://host</a>/*<foo></h2>

To exploit this vulnerability, 'host' must be running an FTP server, and
the last directory component of the path (the XSS payload) must be
composed of at least 1 wildcard character and must not contain any forward
slashes. In practice, this last requirement is no obstacle at all to
developing working exploits, for example:

Upgrade to Apache HTTP Server 2.2.10 or 2.0.64 (as of August 6, these have
not been released yet), or apply the patch from SVN commit r682868.
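
The reflection shown under "Detailed analysis", and the effect of HTML-encoding the path before it is written into the listing heading, as an added illustration. This is not Apache's code and not the SVN patch; the names append and build_heading are hypothetical, and the heading template is copied from the response quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst (capacity cap); if escape is set, HTML metacharacters
 * become entities. Returns 0, or -1 if the result would not fit. */
static int append(char *dst, size_t cap, const char *src, int escape)
{
    size_t used = strlen(dst);
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        switch (escape ? *src : '\0') {   /* no case matches when raw */
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > cap) return -1;
        memcpy(dst + used, rep, n + 1);
        used += n;
    }
    return 0;
}

/* Heading from the advisory. host and last (final path component, wildcards
 * included) are request data; escape_path=0 shows the reflection, 1 encodes. */
int build_heading(char *out, size_t cap, const char *host,
                  const char *last, int escape_path)
{
    if (cap == 0) return -1;
    out[0] = '\0';
    if (append(out, cap, "<h2>Directory of <a href=\"/\">ftp://", 0) ||
        append(out, cap, host, 1) ||
        append(out, cap, "</a>/", 0) ||
        append(out, cap, last, escape_path) ||
        append(out, cap, "</h2>", 0))
        return -1;
    return 0;
}

int main(void)
{
    char buf[256];
    /* Constructed input: the path component from the advisory's request. */
    if (build_heading(buf, sizeof buf, "host", "*<foo>", 1) == 0)
        puts(buf);
    return 0;
}
```

With escape_path set, the wildcard character is kept but the markup is emitted as text (`*&lt;foo&gt;`), so the browser no longer parses it as an element.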

CVE Information:


The information has been provided by <mailto:marc_bevand@xxxxxxxxxx> Marc
The original article can be found at:

