ID CVE-2004-0009
Summary Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user.
References
Vulnerable Configurations
  • cpe:2.3:a:apache-ssl:apache-ssl:1.3.28_1.52
    cpe:2.3:a:apache-ssl:apache-ssl:1.3.28_1.52
CVSS
Base: 7.5 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
NASL family Web Servers
NASL id APACHE_SSL_CERTIFICATE_FORGING.NASL
description The remote host is running a version of ApacheSSL that is older than 1.3.29/1.53. Such versions are reportedly vulnerable to a flaw that could allow an attacker to make the remote server forge a client certificate.
last seen 2019-02-21
modified 2018-11-15
plugin id 12046
published 2004-02-06
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=12046
title Apache-SSL SSLVerifyClient SSLFakeBasicAuth Client Certificate Forgery
refmap via4
bid 9590
bugtraq 20040206 Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior
confirm http://www.apache-ssl.org/advisory-20040206.txt
fulldisc 20040206 [apache-ssl] Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior
osvdb 3877
xf apachessl-default-password(15065)
Last major update 17-10-2016 - 22:39
Published 03-03-2004 - 00:00
Last modified 09-10-2017 - 21:30
Back to Top