ID CVE-2008-0456
Summary CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
References
Vulnerable Configurations
CVSS
Base: 2.6 (as of 25-01-2008 - 10:13)
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
VectorComplexityAuthentication
NETWORK HIGH NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family Misc.
    NASL id JUNIPER_NSM_JSA10685.NASL
    description The remote host is running a version of NSM (Network and Security Manager) Server that is prior to 2012.2R9. It is, therefore, affected by multiple vulnerabilities in the bundled version of Apache HTTP Server : - A flaw exists due to improper escaping of filenames in 406 and 300 HTTP responses. A remote attacker can exploit this, by uploading a file with a specially crafted name, to inject arbitrary HTTP headers or conduct cross-site scripting attacks. (CVE-2008-0456) - Multiple cross-site scripting vulnerabilities exist in the mod_negotiation module due to improper sanitization of input passed via filenames. An attacker can exploit this to execute arbitrary script code in a user's browser. (CVE-2012-2687) - Multiple cross-site scripting vulnerabilities exist in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules due to improper validation of input passed via the URL or hostnames. An attacker can exploit this to execute arbitrary script code in a user's browser. (CVE-2012-3499) - A cross-site scripting vulnerability exists in the mod_proxy_balancer module due to improper validation of input passed via the URL or hostnames. An attacker can exploit this to execute arbitrary script code in a user's browser. (CVE-2012-4558) - A flaw exists in the do_rewritelog() function due to improper sanitization of escape sequences written to log files. A remote attacker can exploit this, via a specially crafted HTTP request, to execute arbitrary commands. (CVE-2013-1862) - A denial of service vulnerability exists in mod_dav.c due to improper validation to determine if DAV is enabled for a URI. A remote attacker can exploit this, via a specially crafted MERGE request, to cause a segmentation fault, resulting in a denial of service condition. (CVE-2013-1896) - A denial of service vulnerability exists in the dav_xml_get_cdata() function due to improper removal of whitespace characters from CDATA sections. A remote attacker can exploit this, via a specially crafted DAV WRITE request, to cause a daemon crash, resulting in a denial of service condition. (CVE-2013-6438) - A flaw exists in log_cookie() function due to the logging of cookies with an unassigned value. A remote attacker can exploit this, via a specially crafted request, to cause a segmentation fault, resulting in a denial of service condition. (CVE-2014-0098) - A flaw exists in the deflate_in_filter() function when request body decompression is configured. A remote attacker can exploit this, via a specially crafted request, to exhaust available memory and CPU resources, resulting in a denial of service condition. (CVE-2014-0118) - A race condition exists in the mod_status module due to improper validation of user-supplied input when handling the scoreboard. A remote attacker can exploit this, via a crafted request, to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2014-0226) - A flaw exists in the mod_cgid module due to the lack of a timeout mechanism. A remote attacker can exploit this, via a request to a CGI script that does not read from its stdin file descriptor, to cause a denial of service condition. (CVE-2014-0231)
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 84877
    published 2015-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84877
    title Juniper NSM < 2012.2R9 Apache HTTP Server Multiple Vulnerabilities (JSA10685)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL17189.NASL
    description CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) '406 Not Acceptable' or (2) '300 Multiple Choices' HTTP response when the extension is omitted in a request for the file.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 85697
    published 2015-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85697
    title F5 Networks BIG-IP : Apache HTTP server vulnerability (SOL17189)
  • NASL family Web Servers
    NASL id APACHE_MOD_NEGOTIATION_XSS.NASL
    description According to its banner, the version of Apache running on the remote host does not properly escape filenames in 406 responses. A remote attacker can exploit this to inject arbitrary HTTP headers or conduct cross-site scripting attacks by uploading a file with a specially crafted name. Note that the remote web server may not actually be affected by these vulnerabilities as Nessus has relied solely on the version number in the server's banner.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17692
    published 2011-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17692
    title Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities
  • NASL family Misc.
    NASL id JUNIPER_NSM_JSA10685_CRED.NASL
    description The remote host is running a version of NSM (Network and Security Manager) Server that is prior to 2012.2R9. It is, therefore, affected by multiple vulnerabilities in the bundled version of Apache HTTP Server : - A flaw exists due to improper escaping of filenames in 406 and 300 HTTP responses. A remote attacker can exploit this, by uploading a file with a specially crafted name, to inject arbitrary HTTP headers or conduct cross-site scripting attacks. (CVE-2008-0456) - Multiple cross-site scripting vulnerabilities exist in the mod_negotiation module due to improper sanitization of input passed via filenames. An attacker can exploit this to execute arbitrary script code in a user's browser. (CVE-2012-2687) - Multiple cross-site scripting vulnerabilities exist in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules due to improper validation of input passed via the URL or hostnames. An attacker can exploit this to execute arbitrary script code in a user's browser. (CVE-2012-3499) - A cross-site scripting vulnerability exists in the mod_proxy_balancer module due to improper validation of input passed via the URL or hostnames. An attacker can exploit this to execute arbitrary script code in a user's browser. (CVE-2012-4558) - A flaw exists in the do_rewritelog() function due to improper sanitization of escape sequences written to log files. A remote attacker can exploit this, via a specially crafted HTTP request, to execute arbitrary commands. (CVE-2013-1862) - A denial of service vulnerability exists in mod_dav.c due to improper validation to determine if DAV is enabled for a URI. A remote attacker can exploit this, via a specially crafted MERGE request, to cause a segmentation fault, resulting in a denial of service condition. (CVE-2013-1896) - A denial of service vulnerability exists in the dav_xml_get_cdata() function due to improper removal of whitespace characters from CDATA sections. A remote attacker can exploit this, via a specially crafted DAV WRITE request, to cause a daemon crash, resulting in a denial of service condition. (CVE-2013-6438) - A flaw exists in log_cookie() function due to the logging of cookies with an unassigned value. A remote attacker can exploit this, via a specially crafted request, to cause a segmentation fault, resulting in a denial of service condition. (CVE-2014-0098) - A flaw exists in the deflate_in_filter() function when request body decompression is configured. A remote attacker can exploit this, via a specially crafted request, to exhaust available memory and CPU resources, resulting in a denial of service condition. (CVE-2014-0118) - A race condition exists in the mod_status module due to improper validation of user-supplied input when handling the scoreboard. A remote attacker can exploit this, via a crafted request, to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2014-0226) - A flaw exists in the mod_cgid module due to the lack of a timeout mechanism. A remote attacker can exploit this, via a request to a CGI script that does not read from its stdin file descriptor, to cause a denial of service condition. (CVE-2014-0231)
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 84878
    published 2015-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84878
    title Juniper NSM < 2012.2R9 Apache HTTP Server Multiple Vulnerabilities (JSA10685) (credentialed check)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200803-19.NASL
    description The remote host is affected by the vulnerability described in GLSA-200803-19 (Apache: Multiple vulnerabilities) Adrian Pastor and Amir Azam (ProCheckUp) reported that the HTTP Method specifier header is not properly sanitized when the HTTP return code is '413 Request Entity too large' (CVE-2007-6203). The mod_proxy_balancer module does not properly check the balancer name before using it (CVE-2007-6422). The mod_proxy_ftp does not define a charset in its answers (CVE-2008-0005). Stefano Di Paola (Minded Security) reported that filenames are not properly sanitized within the mod_negotiation module (CVE-2008-0455, CVE-2008-0456). Impact : A remote attacker could entice a user to visit a malicious URL or send specially crafted HTTP requests (i.e using Adobe Flash) to perform Cross-Site Scripting and HTTP response splitting attacks, or conduct a Denial of Service attack on the vulnerable web server. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 31445
    published 2008-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31445
    title GLSA-200803-19 : Apache: Multiple vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_5_7.NASL
    description The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 38744
    published 2009-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38744
    title Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0130.NASL
    description Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation. Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687) Bug fixes : * Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the '%post' script for the 'mod_ssl' package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and 'localhost.key' was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The '%post' script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected. (BZ#752618) * The 'mod_ssl' module did not support operation under FIPS mode. Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected. (BZ#773473) * Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command 'service httpd reload' was run and httpd failed, the exit status code returned was '0' and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns '1' as an exit status code. (BZ#783242) * Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a 'chunk-size' or 'chunk-extension' value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs. (BZ#840845) * Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client. (BZ#845532) * In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a 'description' string was received from the origin server, for a non-standard status code, such as the '450' status code, a '500 Internal Server Error' would be returned to the client. This bug has been fixed so that the original response line is returned to the client. (BZ#853128) Enhancements : * The configuration directive 'LDAPReferrals' is now supported in addition to the previously introduced 'LDAPChaseReferrals'. (BZ#727342) * The AJP support module for 'mod_proxy', 'mod_proxy_ajp', now supports the 'ProxyErrorOverride' directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP. (BZ#767890) * The '%posttrans' scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon. (BZ#833042) * The output of 'httpd -S' now includes configured alias names for each virtual host. (BZ#833043) * New certificate variable names are now exposed by 'mod_ssl' using the '_DN_userID' suffix, such as 'SSL_CLIENT_S_DN_userID', which use the commonly used object identifier (OID) definition of 'userID', OID 0.9.2342.19200300.100.1.1. (BZ#840036) All users of httpd are advised to upgrade to these updated packages, which fix these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 63411
    published 2013-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63411
    title RHEL 5 : httpd (RHSA-2013:0130)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0130.NASL
    description From Red Hat Security Advisory 2013:0130 : Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation. Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687) Bug fixes : * Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the '%post' script for the 'mod_ssl' package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and 'localhost.key' was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The '%post' script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected. (BZ#752618) * The 'mod_ssl' module did not support operation under FIPS mode. Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected. (BZ#773473) * Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command 'service httpd reload' was run and httpd failed, the exit status code returned was '0' and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns '1' as an exit status code. (BZ#783242) * Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a 'chunk-size' or 'chunk-extension' value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs. (BZ#840845) * Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client. (BZ#845532) * In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a 'description' string was received from the origin server, for a non-standard status code, such as the '450' status code, a '500 Internal Server Error' would be returned to the client. This bug has been fixed so that the original response line is returned to the client. (BZ#853128) Enhancements : * The configuration directive 'LDAPReferrals' is now supported in addition to the previously introduced 'LDAPChaseReferrals'. (BZ#727342) * The AJP support module for 'mod_proxy', 'mod_proxy_ajp', now supports the 'ProxyErrorOverride' directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP. (BZ#767890) * The '%posttrans' scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon. (BZ#833042) * The output of 'httpd -S' now includes configured alias names for each virtual host. (BZ#833043) * New certificate variable names are now exposed by 'mod_ssl' using the '_DN_userID' suffix, such as 'SSL_CLIENT_S_DN_userID', which use the commonly used object identifier (OID) definition of 'userID', OID 0.9.2342.19200300.100.1.1. (BZ#840036) All users of httpd are advised to upgrade to these updated packages, which fix these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68701
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68701
    title Oracle Linux 5 : httpd (ELSA-2013-0130)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130108_HTTPD_ON_SL5_X.NASL
    description Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687) Bug fixes : - Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the '%post' script for the 'mod_ssl' package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and 'localhost.key' was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The '%post' script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected. - The 'mod_ssl' module did not support operation under FIPS mode. Consequently, when operating Scientific Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected. - Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command 'service httpd reload' was run and httpd failed, the exit status code returned was '0' and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns '1' as an exit status code. - Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a 'chunk- size' or 'chunk-extension' value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs. - Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client. - In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a 'description' string was received from the origin server, for a non-standard status code, such as the '450' status code, a '500 Internal Server Error' would be returned to the client. This bug has been fixed so that the original response line is returned to the client. Enhancements : - The configuration directive 'LDAPReferrals' is now supported in addition to the previously introduced 'LDAPChaseReferrals'. - The AJP support module for 'mod_proxy', 'mod_proxy_ajp', now supports the 'ProxyErrorOverride' directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP. - The '%posttrans' scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd- disable-posttrans exists, the scriptlet will not restart the daemon. - The output of 'httpd -S' now includes configured alias names for each virtual host. - New certificate variable names are now exposed by 'mod_ssl' using the '_DN_userID' suffix, such as 'SSL_CLIENT_S_DN_userID', which use the commonly used object identifier (OID) definition of 'userID', OID 0.9.2342.19200300.100.1.1.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 63597
    published 2013-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63597
    title Scientific Linux Security Update : httpd on SL5.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0130.NASL
    description Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation. Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687) Bug fixes : * Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the '%post' script for the 'mod_ssl' package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and 'localhost.key' was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The '%post' script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected. (BZ#752618) * The 'mod_ssl' module did not support operation under FIPS mode. Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected. (BZ#773473) * Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command 'service httpd reload' was run and httpd failed, the exit status code returned was '0' and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns '1' as an exit status code. (BZ#783242) * Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a 'chunk-size' or 'chunk-extension' value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs. (BZ#840845) * Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client. (BZ#845532) * In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a 'description' string was received from the origin server, for a non-standard status code, such as the '450' status code, a '500 Internal Server Error' would be returned to the client. This bug has been fixed so that the original response line is returned to the client. (BZ#853128) Enhancements : * The configuration directive 'LDAPReferrals' is now supported in addition to the previously introduced 'LDAPChaseReferrals'. (BZ#727342) * The AJP support module for 'mod_proxy', 'mod_proxy_ajp', now supports the 'ProxyErrorOverride' directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP. (BZ#767890) * The '%posttrans' scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon. (BZ#833042) * The output of 'httpd -S' now includes configured alias names for each virtual host. (BZ#833043) * New certificate variable names are now exposed by 'mod_ssl' using the '_DN_userID' suffix, such as 'SSL_CLIENT_S_DN_userID', which use the commonly used object identifier (OID) definition of 'userID', OID 0.9.2342.19200300.100.1.1. (BZ#840036) All users of httpd are advised to upgrade to these updated packages, which fix these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 63575
    published 2013-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63575
    title CentOS 5 : httpd (CESA-2013:0130)
redhat via4
advisories
rhsa
id RHSA-2013:0130
rpms
  • httpd-0:2.2.3-74.el5
  • httpd-devel-0:2.2.3-74.el5
  • httpd-manual-0:2.2.3-74.el5
  • mod_ssl-0:2.2.3-74.el5
refmap via4
apple APPLE-SA-2009-05-12
bid 27409
bugtraq 20080122 Apache mod_negotiation Xss and Http Response Splitting
cert TA09-133A
confirm http://support.apple.com/kb/HT3549
gentoo GLSA-200803-19
misc http://www.mindedsecurity.com/MSA01150108.html
sectrack 1019256
secunia
  • 29348
  • 35074
sreason 3575
vupen ADV-2009-1297
xf apache-modnegotiation-response-splitting(39893)
statements via4
contributor Mark J Cox
lastmodified 2008-01-25
organization Red Hat
statement We do not consider this issue to be security sensitive. Untrusted users should not be permitted to upload files to the directories from where they can be directly served by the web server without prior careful sanitation of both contents and filename.
Last major update 06-02-2013 - 22:53
Published 24-01-2008 - 20:00
Last modified 31-10-2018 - 14:05
Back to Top