A flaw was found in the mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server.
Unitrends is not vulnerable. Unitrends does not enable or configure an FTP server, and also does not load any mod_proxy modules for HTTP.
To update to the new version with the fix, either run 'yum update httpd' from the command line or perform an update from the UI.
- CentOS6 systems come with httpd-2.2.15-30 which contains the fix.
- For CentOS5, httpd-2.2.3-31.el5_4.2 or later has this fix.
- Upstream Apache httpd 2.2.14
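
The two checks above (is mod_proxy_ftp loaded, and is the installed httpd at or past the fixed build) can be scripted as follows. This is an added example, not vendor code; the function names, the sample module listings and the installed version strings are constructed, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example (not vendor code). Sample data below is constructed.

# Print proxy-related module names from `httpd -M`-style output on stdin.
proxy_modules() {
    awk '$1 ~ /^proxy(_[a-z_]+)?_module$/ { print $1 }'
}

# version_at_least INSTALLED FIXED: succeeds when INSTALLED sorts at or after
# FIXED. Assumption: GNU `sort -V` ordering, an approximation of RPM ordering.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# assess MODULE_LISTING INSTALLED FIXED -> not-exposed | patched | vulnerable
assess() {
    mods=$(printf '%s\n' "$1" | proxy_modules)
    if ! printf '%s\n' "$mods" | grep -qx 'proxy_ftp_module'; then
        echo "not-exposed"   # mod_proxy_ftp is not loaded at all
    elif version_at_least "$2" "$3"; then
        echo "patched"       # module loaded, package at or past the fix
    else
        echo "vulnerable"    # module loaded, package older than the fix
    fi
}

# Constructed listings in the format printed by `httpd -M`.
NO_PROXY='Loaded Modules:
 core_module (static)
 http_module (static)
 ssl_module (shared)
Syntax OK'
WITH_FTP='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_ftp_module (shared)
Syntax OK'

FIXED_EL5='2.2.3-31.el5_4.2'   # fixed CentOS5 version-release from the advisory

assess "$NO_PROXY" '2.2.3-22.el5' "$FIXED_EL5"   # constructed installed version
assess "$WITH_FTP" '2.2.3-22.el5' "$FIXED_EL5"
assess "$WITH_FTP" '2.2.3-43.el5' "$FIXED_EL5"
```

On a live system the first two arguments would come from `httpd -M 2>&1` and `rpm -q --qf '%{VERSION}-%{RELEASE}' httpd`.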