ID CVE-2003-0132
Summary A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server 2.0
    cpe:2.3:a:apache:http_server:2.0
  • Apache Software Foundation Apache HTTP Server 2.0.9a
    cpe:2.3:a:apache:http_server:2.0.9
  • Apache Software Foundation Apache HTTP Server 2.0.28
    cpe:2.3:a:apache:http_server:2.0.28
  • Apache Software Foundation Apache HTTP Server 2.0.32
    cpe:2.3:a:apache:http_server:2.0.32
  • Apache Software Foundation Apache HTTP Server 2.0.35
    cpe:2.3:a:apache:http_server:2.0.35
  • Apache Software Foundation Apache HTTP Server 2.0.36
    cpe:2.3:a:apache:http_server:2.0.36
  • Apache Software Foundation Apache HTTP Server 2.0.37
    cpe:2.3:a:apache:http_server:2.0.37
  • Apache Software Foundation Apache HTTP Server 2.0.38
    cpe:2.3:a:apache:http_server:2.0.38
  • Apache Software Foundation Apache HTTP Server 2.0.39
    cpe:2.3:a:apache:http_server:2.0.39
  • Apache Software Foundation Apache HTTP Server 2.0.40
    cpe:2.3:a:apache:http_server:2.0.40
  • Apache Software Foundation Apache HTTP Server 2.0.41
    cpe:2.3:a:apache:http_server:2.0.41
  • Apache Software Foundation Apache HTTP Server 2.0.42
    cpe:2.3:a:apache:http_server:2.0.42
  • Apache Software Foundation Apache HTTP Server 2.0.43
    cpe:2.3:a:apache:http_server:2.0.43
  • Apache Software Foundation Apache HTTP Server 2.0.44
    cpe:2.3:a:apache:http_server:2.0.44
CVSS
Base: 5.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
exploit-db via4
  • description Apache <= 2.0.44 Linux Remote Denial of Service Exploit. CVE-2003-0132. Dos exploit for linux platform
    id EDB-ID:11
    last seen 2016-01-31
    modified 2003-04-11
    published 2003-04-11
    reporter Daniel Nystram
    source https://www.exploit-db.com/download/11/
    title Apache <= 2.0.44 Linux - Remote Denial of Service Exploit
  • description Apache HTTP Server 2.x Memory Leak Exploit. CVE-2003-0132. Dos exploit for windows platform
    id EDB-ID:9
    last seen 2016-01-31
    modified 2003-04-09
    published 2003-04-09
    reporter Matthew Murphy
    source https://www.exploit-db.com/download/9/
    title Apache HTTP Server 2.x Memory Leak Exploit
nessus via4
  • NASL family Web Servers
    NASL id APACHE_2_0_45.NASL
    description The remote host is running a version of Apache 2.0.x that is prior to 2.0.45. It is, therefore, reportedly affected by multiple vulnerabilities : - There is a denial of service attack that could allow an attacker to disable this server remotely. - The httpd process leaks file descriptors to child processes, such as CGI scripts. An attacker who has the ability to execute arbitrary CGI scripts on this server (including PHP code) would be able to write arbitrary data in the file pointed to (in particular, the log files).
    last seen 2019-01-16
    modified 2018-06-29
    plugin id 11507
    published 2003-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11507
    title Apache 2.0.x < 2.0.45 Multiple Vulnerabilities (DoS, File Write)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2003-050.NASL
    description A memory leak was discovered in Apache 2.0 through 2.0.44 that can allow a remote attacker to cause a significant denial of service (DoS) by sending requests containing a lot of linefeed characters to the server. As well, Apache does not filter terminal escape sequences from its log files, which could make it easy for an attacker to insert those sequences into the error and access logs, which could possibly be viewed by certain terminal emulators with vulnerabilities related to escape sequences. After upgrading these packages, be sure to restart the httpd server by executing : service httpd restart
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 14034
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14034
    title Mandrake Linux Security Advisory : apache2 (MDKSA-2003:050)
oval via4
accepted 2010-09-20T04:00:14.769-04:00
class vulnerability
contributors
  • name Jay Beale
    organization Bastille Linux
  • name Jay Beale
    organization Bastille Linux
  • name Thomas R. Jones
    organization Maitreya Security
  • name Jonathan Baker
    organization The MITRE Corporation
description A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.
family unix
id oval:org.mitre.oval:def:156
status accepted
submitted 2003-08-17T12:00:00.000-04:00
title Apache Linefeed Allocation Vulnerability
version 37
redhat via4
advisories
rhsa
id RHSA-2003:139
refmap via4
bugtraq
  • 20030402 [ANNOUNCE] Apache 2.0.45 Released
  • 20030408 Exploit Code Released for Apache 2.x Memory Leak
  • 20030408 iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x
  • 20030409 GLSA: apache (200304-01)
  • 20030410 working apache <= 2.0.44 DoS exploit for linux.
  • 20030411 PATCH: [CAN-2003-0132] Apache 2.0.44 Denial of Service
cert-vn VU#206537
confirm http://lists.apple.com/mhonarc/security-announce/msg00028.html
misc
secunia
  • 34920
  • 8499
vupen ADV-2009-1233
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 2.0.45: http://httpd.apache.org/security/vulnerabilities_20.html
Last major update 17-10-2016 - 22:29
Published 11-04-2003 - 00:00
Last modified 10-10-2017 - 21:29
Back to Top