ID CVE-2007-3303
Summary Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes. NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.
References
Vulnerable Configurations
  • Apache Software Foundation HTTP Server 2.0.59
    cpe:2.3:a:apache:http_server:2.0.59
  • Apache Software Foundation Apache HTTP Server 2.2.4
    cpe:2.3:a:apache:http_server:2.2.4
CVSS
Base: 4.9 (as of 21-06-2007 - 16:16)
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family Web Servers
    NASL id APACHE_2_2_6.NASL
    description According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.6. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability in mod_proxy. - A cross-site scripting vulnerability in mod_status. - A local denial of service vulnerability associated with the Prefork MPM module. - An information leak in mod_cache. - A denial of service vulnerability in mod_cache. In addition, it offers a workaround for a cross-site scripting issue in mod_autoindex. Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether any of the affected modules are in use on the remote server or to check for the issues themselves.
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 26023
    published 2007-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26023
    title Apache 2.2.x < 2.2.6 Multiple Vulnerabilities (DoS, XSS, Info Disc)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-499-1.NASL
    description Stefan Esser discovered that mod_status did not force a character set, which could result in browsers becoming vulnerable to XSS attacks when processing the output. If a user were tricked into viewing server status output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. By default, mod_status is disabled in Ubuntu. (CVE-2006-5752) Niklas Edmundsson discovered that the mod_cache module could be made to crash using a specially crafted request. A remote user could use this to cause a denial of service if Apache was configured to use a threaded worker. By default, mod_cache is disabled in Ubuntu. (CVE-2007-1863) A flaw was discovered in the signal handling of Apache. A local attacker could trick Apache into sending SIGUSR1 to other processes. The vulnerable code was only present in Ubuntu Feisty. (CVE-2007-3304). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28102
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28102
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : apache2 vulnerabilities (USN-499-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-140.NASL
    description A vulnerability was discovered in the the Apache mod_status module that could lead to a cross-site scripting attack on sites where the server-status page was publically accessible and ExtendedStatus was enabled (CVE-2006-5752). A vulnerability was found in the Apache mod_cache module that could cause the httpd server child process to crash if it was sent a carefully crafted request. This could lead to a denial of service if using a threaded MPM (CVE-2007-1863). The Apache server also did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the server could manipulate the scoreboard and cause arbitrary processes to be terminated (CVE-2007-3304). Updated packages have been patched to prevent the above issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 25670
    published 2007-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25670
    title Mandrake Linux Security Advisory : apache (MDKSA-2007:140)
refmap via4
bid 24215
bugtraq
  • 20070529 Apache httpd vulenrabilities
  • 20070619 Apache Prefork MPM vulnerabilities - Report
misc http://security.psnc.pl/files/apache_report.pdf
osvdb 37050
sreason 2814
statements via4
  • contributor Mark J Cox
    lastmodified 2008-07-02
    organization Apache
    statement In the security model used by Apache httpd, the less-privileged child processes completely handle the servicing of new connections. Any local user who is able to run arbitrary code in those children is therefore able to prevent new requests from being serviced, by design. Such users will also be able to "simulate" server load and force the parent to create children up to the configured limits, by design. A server with untrusted local users must be configured to use a solution like "suexec" if its required to allow the users to execute CGI (etc) scripts.
  • contributor Mark J Cox
    lastmodified 2007-06-26
    organization Red Hat
    statement Not a vulnerability. In the security model used by Apache httpd, the less-privileged child processes (running as the "apache" user) completely handle the servicing of new connections. Any local user who is able to run arbitrary code in those children is therefore able to prevent new requests from being serviced, by design. Such users will also be able to "simulate" server load and force the parent to create children up to the configured limits, by design.
Last major update 30-10-2012 - 22:38
Published 20-06-2007 - 18:30
Last modified 16-10-2018 - 12:48
Back to Top