ID CVE-2002-0653
Summary Off-by-one buffer overflow in the ssl_compat_directive function, as called by the rewrite_command hook for mod_ssl Apache module 2.8.9 and earlier, allows local users to execute arbitrary code as the Apache server user via .htaccess files with long entries.
References
Vulnerable Configurations
  • cpe:2.3:a:mod_ssl:mod_ssl:2.8.9
CVSS
Base: 4.6 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
Vector LOCAL
Complexity LOW
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity PARTIAL
Availability PARTIAL
exploit-db via4
description Mod_SSL 2.8.x Off-By-One HTAccess Buffer Overflow Vulnerability. CVE-2002-0653. DoS exploits for multiple platforms
id EDB-ID:21575
last seen 2016-02-02
modified 2002-06-22
published 2002-06-22
reporter Frank DENIS
source https://www.exploit-db.com/download/21575/
title Mod_SSL 2.8.x Off-By-One HTAccess Buffer Overflow Vulnerability
nessus via4
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_18706.NASL
    description Several security updates are now available for Slackware 8.1, including updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php.
    last seen 2016-09-26
    modified 2013-01-25
    plugin id 18706
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18706
    title SSA-18706 Security updates for Slackware 8.1
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-135.NASL
    description The libapache-mod-ssl package provides SSL capability to the apache webserver. Recently, a problem has been found in the handling of .htaccess files, allowing arbitrary code execution as the web server user (regardless of ExecCGI / suexec settings), DoS attacks (killing off apache children), and allowing someone to take control of apache child processes - all through specially crafted .htaccess files.
    last seen 2019-01-16
    modified 2018-07-20
    plugin id 14972
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14972
    title Debian DSA-135-1 : libapache-mod-ssl - buffer overflow / DoS
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2002-048.NASL
    description Frank Denis discovered an off-by-one error in mod_ssl dealing with the handling of older configuration directives (the rewrite_command hook). A malicious user could use a specially crafted .htaccess file to execute arbitrary commands as the apache user or execute a DoS against the apache child processes. This vulnerability is fixed in mod_ssl 2.8.10; patches have been applied to correct this problem in these packages.
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 13951
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13951
    title Mandrake Linux Security Advisory : mod_ssl (MDKSA-2002:048)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2002-136.NASL
    description Updated mod_ssl packages are now available for Red Hat Advanced Server. These updates incorporate a fix for an incorrect bounds check in versions of mod_ssl up to and including version 2.8.9. The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Versions of mod_ssl prior to 2.8.10 are subject to a single NULL overflow that can cause arbitrary code execution. In order to exploit this vulnerability, the Apache Web server has to be configured to allow overriding of configuration settings on a per-directory basis, and untrusted local users must be able to modify a directory in which the server is configured to allow overriding. The local attacker may then become the user that Apache is running as (usually 'www' or 'nobody'). Note that regardless of this bug, local users can obtain the same privileges if the server is configured to allow them to create CGI scripts which run as the Web server user, or if PHP is enabled but not configured in 'safe mode'. The errata packages contain versions of mod_ssl that have been patched and are not vulnerable to this issue. Please note that you must restart the httpd daemon to use the updated module. For instructions on doing this, see the bottom of the Solutions section below.
    last seen 2019-01-16
    modified 2018-11-27
    plugin id 12310
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12310
    title RHEL 2.1 : mod_ssl (RHSA-2002:136)
  • NASL family Web Servers
    NASL id MOD_SSL_OFFBY1.NASL
    description The remote host is using a version of mod_ssl that is older than 2.8.10. This version is vulnerable to an off-by-one buffer overflow that could allow a user with write access to .htaccess files to execute arbitrary code on the system with permissions of the web server. Note that several Linux distributions (such as RedHat) patched the old version of this module. Therefore, this might be a false positive. Please check with your vendor to determine if you really are vulnerable to this flaw.
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 11039
    published 2002-07-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11039
    title Apache mod_ssl ssl_compat_directive Function Overflow
redhat via4
advisories
  • rhsa
    id RHSA-2002:134
  • rhsa
    id RHSA-2002:135
  • rhsa
    id RHSA-2002:136
  • rhsa
    id RHSA-2002:146
  • rhsa
    id RHSA-2002:164
  • rhsa
    id RHSA-2003:106
refmap via4
bid 5084
bugtraq
  • 20020624 Apache mod_ssl off-by-one vulnerability
  • 20020628 TSL-2002-0058 - apache/mod_ssl
caldera CSSA-2002-031.0
conectiva CLA-2002:504
debian DSA-135
engarde ESA-20020702-017
hp HPSBTL0207-052
mandrake MDKSA-2002:048
suse SuSE-SA:2002:028
vuln-dev 20020622 Another flaw in Apache?
xf apache-modssl-htaccess-bo(9415)
Last major update 17-10-2016 - 22:21
Published 11-07-2002 - 00:00