CVE-2009-3898

Name of the Vulnerable Software and Affected Versions nginx versions 0.7.0 through 0.7.62 nginx versions 0.8.0 through 0.8.16

Description A directory traversal issue allows remote authenticated users to create or overwrite arbitrary files via a .. (dot dot) in the Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method. This is due to a vulnerability in the ngx http dav module.c file.

Recommendations For versions 0.7.0 through 0.7.62, update to version 0.7.63 or later. For versions 0.8.0 through 0.8.16, update to version 0.8.17 or later. As a temporary workaround, consider restricting access to the WebDAV COPY and MOVE methods until a patch is available.