Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Reply-To: dev@httpd.apache.org
Subject: svn commit: r1334622 [24/29] - in /httpd/site/trunk: cgi-bin/ content/ content/apreq/ content/apreq/docs/ content/apreq/docs/libapreq2/ content/contributors/ content/css/ content/dev/ content/dev/images/ content/dev/whiteboard/ content/docs-project/ co...
Date: Sun, 06 May 2012 13:14:50 -0000
To: cvs@httpd.apache.org
From: humbedooh@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120506131459.BBA7A2388C7E@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Added: httpd/site/trunk/content/security/vulnerabilities-httpd.xml URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1334622&view=auto ============================================================================== --- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (added) +++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Sun May 6 13:14:42 2012 @@ -0,0 +1,4073 @@ + + + + +low +insecure LD_LIBRARY_PATH handling +

+Insecure handling of LD_LIBRARY_PATH was found that could +lead to the current working directory to be searched for DSOs. +This could allow a local user to execute code as root if an +administrator runs apachectl from an untrusted directory. +

+
+ +
+ + + +low +mod_setenvif .htaccess privilege escalation +

+An integer overflow flaw was found which, when the mod_setenvif module +is enabled, could allow local users to gain privileges via a .htaccess +file. +

+
+ +This issue was reported by halfdog + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_proxy reverse proxy exposure +

+An additional exposure was found when using mod_proxy in reverse proxy +mode. In certain configurations using RewriteRule with proxy flag or +ProxyPassMatch, a remote attacker could cause the reverse proxy to +connect to an arbitrary server, possibly disclosing sensitive +information from internal web servers not directly accessible to +attacker. +

+
+ +This issue was reported by Prutha Parikh of Qualys + + + + + + + + + + + + + + + + + + + + + +
+ + + +low +mod_log_config crash +

+A flaw was found in mod_log_config. If the '%{cookiename}C' log format string +is in use, a remote attacker could send a specific cookie causing a crash. +This crash would only be a denial of service if using a threaded MPM. +

+
+ + + + + +
+ + + +low +scoreboard parent DoS +

+A flaw was found in the handling of the scoreboard. An +unprivileged child process could cause the parent process to crash at +shutdown rather than terminate cleanly. +

+
+ +This issue was reported by halfdog + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +error responses can expose cookies +

+A flaw was found in the default error response for status code 400. This flaw could +be used by an attacker to expose "httpOnly" cookies +when no custom ErrorDocument is specified. +

+
+ +This issue was reported by Norman Hippert + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_proxy reverse proxy exposure +

+An exposure was found when using mod_proxy in reverse proxy mode. +In certain configurations using RewriteRule with proxy flag or +ProxyPassMatch, a remote attacker could cause the reverse proxy to +connect to an arbitrary server, possibly disclosing sensitive +information from internal web servers not directly accessible to +attacker.

+
+ +This issue was reported by Context Information Security Ltd + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_proxy reverse proxy exposure +

+An exposure was found when using mod_proxy in reverse proxy mode. +In certain configurations using RewriteRule with proxy flag or +ProxyPassMatch, a remote attacker could cause the reverse proxy to +connect to an arbitrary server, possibly disclosing sensitive +information from internal web servers not directly accessible to +attacker.

+
+ +This issue was reported by Context Information Security Ltd + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_proxy reverse proxy exposure +

+An exposure was found when using mod_proxy in reverse proxy mode. +In certain configurations using RewriteRule with proxy flag, +a remote attacker could cause the reverse proxy to +connect to an arbitrary server, possibly disclosing sensitive +information from internal web servers not directly accessible to +attacker.

+

No update of 1.3 will be released. Patches will be published to +http://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/

+
+ +This issue was reported by Context Information Security Ltd + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_proxy_ajp remote DoS +

+A flaw was found when mod_proxy_ajp is used together with +mod_proxy_balancer. Given a specific configuration, a remote attacker +could send certain malformed HTTP requests, putting a backend server +into an error state until the retry timeout expired. +This could lead to a temporary denial of service.

+
+ + + + + + + + + +
+ + + +important +Range header remote DoS +

+A flaw was found in the way the Apache HTTP Server handled Range HTTP +headers. A remote attacker could use this flaw to cause httpd to use +an excessive amount of memory and CPU time via HTTP requests with a +specially-crafted Range header. This could be used in a denial of +service attack.

+

+Advisory: CVE-2011-3192.txt +

+
+ + + + + + + + + + + + + + + + + + +
+ + + +important +Range header remote DoS +

+A flaw was found in the way the Apache HTTP Server handled Range HTTP +headers. A remote attacker could use this flaw to cause httpd to use +an excessive amount of memory and CPU time via HTTP requests with a +specially-crafted Range header. This could be used in a denial of +service attack.

+

+Advisory: CVE-2011-3192.txt +

+
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +apr_fnmatch flaw leads to mod_autoindex remote DoS +

+A flaw was found in the apr_fnmatch() function of the bundled APR +library. Where mod_autoindex is enabled, and a directory indexed by +mod_autoindex contained files with sufficiently long names, a +remote attacker could send a carefully crafted request which would +cause excessive CPU usage. This could be used in a denial of service +attack. +

+Workaround: Setting the 'IgnoreClient' option to the 'IndexOptions' +directive disables processing of the client-supplied request query +arguments, preventing this attack. +

+Resolution: Update APR to release 1.4.5 (bundled with httpd 2.2.19) +

+
+ +This issue was reported by Maksymilian Arciemowicz + + + + + + + + + + + + + + + + + + +
+ + + +moderate +apr_fnmatch flaw leads to mod_autoindex remote DoS +

+A flaw was found in the apr_fnmatch() function of the bundled APR +library. Where mod_autoindex is enabled, and a directory indexed by +mod_autoindex contained files with sufficiently long names, a +remote attacker could send a carefully crafted request which would +cause excessive CPU usage. This could be used in a denial of service +attack. +

+Workaround: Setting the 'IgnoreClient' option to the 'IndexOptions' +directive disables processing of the client-supplied request query +arguments, preventing this attack. +

+Resolution: Update APR to release 0.9.20 (to be bundled with httpd 2.0.65) +

+
+ +This issue was reported by Maksymilian Arciemowicz + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +low +expat DoS +

+A buffer over-read flaw was found in the bundled expat +library. An attacker who is able to get Apache to parse +an untrused XML document (for example through mod_dav) may +be able to cause a crash. This crash would only +be a denial of service if using the worker MPM. +

+
+ + + + + + + + + + + + + + + +
+ + + +low +expat DoS +

+A buffer over-read flaw was found in the bundled expat +library. An attacker who is able to get Apache to parse +an untrused XML document (for example through mod_dav) may +be able to cause a crash. This crash would only +be a denial of service if using the worker MPM. +

+
+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + +low +expat DoS +

+A buffer over-read flaw was found in the bundled expat +library. An attacker who is able to get Apache to parse +an untrused XML document (for example through mod_dav) may +be able to cause a crash. This crash would only +be a denial of service if using the worker MPM. +

+
+ + + + + + + + + + + + + + + +
+ + + +low +expat DoS +

+A buffer over-read flaw was found in the bundled expat +library. An attacker who is able to get Apache to parse +an untrused XML document (for example through mod_dav) may +be able to cause a crash. This crash would only +be a denial of service if using the worker MPM. +

+
+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + +low +apr_bridage_split_line DoS +

+A flaw was found in the apr_brigade_split_line() function of the bundled +APR-util library, used to process non-SSL requests. A remote attacker +could send requests, carefully crafting the timing of individual bytes, +which would slowly consume memory, potentially leading to a denial of +service. +

+
+ + + + + + + + + + + + + + + +
+ + + +low +apr_bridage_split_line DoS +

+A flaw was found in the apr_brigade_split_line() function of the bundled +APR-util library, used to process non-SSL requests. A remote attacker +could send requests, carefully crafting the timing of individual bytes, +which would slowly consume memory, potentially leading to a denial of +service. +

+
+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + +low +mod_cache and mod_dav DoS +

+A flaw was found in the handling of requests by mod_cache and mod_dav. +A malicious remote attacker could send a carefully crafted request and +cause a httpd child process to crash. This crash would only +be a denial of service if using the worker MPM. This issue is further +mitigated as mod_dav is only affected by requests that are most likely +to be authenticated, and mod_cache is only affected if the uncommon +"CacheIgnoreURLSessionIdentifiers" directive, introduced in +version 2.2.14, is used. +

+
+ +This issue was reported by Mark Drayton. + + + + + + + + + + + + + + + +
+ + + + +low +mod_dav DoS +

+A flaw was found in the handling of requests by mod_dav. A malicious remote +attacker could send a carefully crafted request and cause a httpd child process +to crash. This crash would only be a denial of service if using the worker MPM. +This issue is further mitigated as mod_dav is only affected by requests that are +most likely to be authenticated. +

+
+ +This issue was reported by Mark Drayton. + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + +important +Timeout detection flaw (mod_proxy_http) +

+An information disclosure flaw was found in mod_proxy_http in versions +2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha. Under certain timeout +conditions, the server could return a response intended for another user. +Only Windows, Netware and OS2 operating systems are affected. Only those +configurations which trigger the use of proxy worker pools are affected. +There was no vulnerability on earlier versions, as proxy pools were not +yet introduced. The simplest workaround is to globally configure;

+

SetEnv proxy-nokeepalive 1

+

Source code patches are at;

+ +

Binary replacement modules are at

+ +
+ +We would like to thank Loren Anderson for the detailed analysis and +reporting of this issue. + + + + + + + + + + +
+ + + + +low +Subrequest handling of request headers (mod_headers) +

+A flaw in the core subrequest process code was fixed, to always provide a shallow copy of the headers_in +array to the subrequest, instead of a pointer to the parent request's array +as it had for requests without request bodies. This meant all modules such +as mod_headers which may manipulate the input headers for a subrequest would +poison the parent request in two ways, one by modifying the parent request, +which might not be intended, and second by leaving pointers to modified header +fields in memory allocated to the subrequest scope, which could be freed +before the main request processing was finished, resulting in a segfault or +in revealing data from another request on threaded servers, such as the worker +or winnt MPMs. +

+ +We would like to thank Philip Pickett of VMware for reporting and proposing a +fix for this issue. + + + + + + + + + + + + + + +
+ + + +important +mod_isapi module unload flaw +

+A flaw was found with within mod_isapi which would attempt to unload the ISAPI dll when it +encountered various error states. This could leave the callbacks in an +undefined state and result in a segfault. On Windows platforms using mod_isapi, a +remote attacker could send a malicious request to trigger this issue, and as win32 MPM runs only one +process, this would result in a denial of service, and potentially allow +arbitrary code execution. +

+ +We would like to thank Brett Gervasoni of Sense of Security for reporting and +proposing a patch fix for this issue. + + + + + + + + + + + + + + +
+ + + +moderate +mod_proxy_ajp DoS +

+mod_proxy_ajp would return the wrong status code if it encountered +an error, causing a backend server to be put into an error state until +the retry timeout expired. A remote attacker could send malicious requests +to trigger this issue, resulting in denial of service. +

+ +We would like to thank Niku Toivola of Sulake Corporation for reporting and +proposing a patch fix for this issue. + + + + + + + + + + + + + + +
+ + + +moderate +Solaris pollset DoS +

Faulty error handling was found affecting Solaris pollset support +(Event Port backend) caused by a bug in APR. A remote attacker +could trigger this issue on Solaris servers which used prefork or +event MPMs, resulting in a denial of service. +

+ + + + + + + + + + + + +
+ + + +low +mod_proxy_ftp DoS +

+A NULL pointer dereference flaw was found in the mod_proxy_ftp +module. A malicious FTP server to which requests are being proxied +could use this flaw to crash an httpd child process via a malformed +reply to the EPSV or PASV commands, resulting in a limited denial of +service. +

+ + + + + + + + + + + + +
+ + + +low +mod_proxy_ftp FTP command injection +

+A flaw was found in the mod_proxy_ftp module. In a reverse proxy +configuration, a remote attacker could use this flaw to bypass +intended access restrictions by creating a carefully-crafted HTTP +Authorization header, allowing the attacker to send arbitrary commands +to the FTP server. +

+ + + + + + + + + + + + +
+ + + +low +APR apr_palloc heap overflow +

+A flaw in apr_palloc() in the bundled copy of APR could +cause heap overflows in programs that try to apr_palloc() a user +controlled size. The Apache HTTP Server itself does not pass +unsanitized user-provided sizes to this function, so it could only +be triggered through some other application which uses apr_palloc() +in a vulnerable way. +

+ + + + + + + + + + + +
+ + + +low +APR apr_palloc heap overflow +

+A flaw in apr_palloc() in the bundled copy of APR could +cause heap overflows in programs that try to apr_palloc() a user +controlled size. The Apache HTTP Server itself does not pass +unsanitized user-provided sizes to this function, so it could only +be triggered through some other application which uses apr_palloc() +in a vulnerable way. +

+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +APR-util off-by-one overflow +

+An off-by-one overflow flaw was found in the way the bundled copy of +the APR-util library processed a variable list of arguments. An +attacker could provide a specially-crafted string as input for the +formatted output conversion routine, which could, on big-endian +platforms, potentially lead to the disclosure of sensitive information +or a denial of service. +

+ + + + + + + + + + +
+ + + +moderate +APR-util XML DoS +

+A denial of service flaw was found in the bundled copy of the APR-util +library Extensible Markup Language (XML) parser. A remote attacker +could create a specially-crafted XML document that would cause +excessive memory consumption when processed by the XML decoding +engine. +

+ + + + + + + + + + +
+ + + +low +2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P +mod_deflate DoS +

+A denial of service flaw was found in the mod_deflate module. This +module continued to compress large files until compression was +complete, even if the network connection that requested the content +was closed before compression completed. This would cause mod_deflate +to consume large amounts of CPU if mod_deflate was enabled for a large +file.

+ + + + + + + + + + +
+ + + +low +2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P +mod_deflate DoS +

+A denial of service flaw was found in the mod_deflate module. This +module continued to compress large files until compression was +complete, even if the network connection that requested the content +was closed before compression completed. This would cause mod_deflate +to consume large amounts of CPU if mod_deflate was enabled for a large +file.

+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + +important +7.8/AV:N/AC:L/Au:N/C:N/I:N/A:C +mod_proxy reverse proxy DoS +

+A denial of service flaw was found in the mod_proxy module when it was +used as a reverse proxy. A remote attacker could use this flaw to +force a proxy process to consume large amounts of CPU time. +

+ + + + + + + + + + +
+ + + +low +4.4/AV:L/AC:M/Au:N/C:P/I:P/A:P +AllowOverride Options handling bypass +

+A flaw was found in the handling of the "Options" and "AllowOverride" +directives. In configurations using the "AllowOverride" directive +with certain "Options=" arguments, local users were not restricted +from executing commands from a Server-Side-Include script as intended. +

+ + + + + + + + + + +
+ + + +important +5/AV:N/AC:L/Au:N/C:P/I:N/A:N +mod_proxy_ajp information disclosure +

+An information disclosure flaw was found in mod_proxy_ajp in version +2.2.11 only. In certain +situations, if a user sent a carefully crafted HTTP request, the server +could return a response intended for another user. +

+ +
+ + + +moderate +APR-util heap underwrite +

+A heap-based underwrite flaw was found in the way the bundled copy of +the APR-util library created compiled forms of particular search +patterns. An attacker could formulate a specially-crafted search +keyword, that would overwrite arbitrary heap memory locations when +processed by the pattern preparation engine. +

+ + + + + + + + + + +
+ + + +low +mod_proxy_ftp globbing XSS +

+A flaw was found in the handling of wildcards in the path of a FTP +URL with mod_proxy_ftp. If mod_proxy_ftp is enabled to support +FTP-over-HTTP, requests containing globbing characters could lead +to cross-site scripting (XSS) attacks.

+ + + + + + + + +
+ + + +important +Timeout detection flaw (mod_proxy_http) +

+An information disclosure flaw was found in mod_proxy_http in version +2.2.9 only, on Unix platforms. Under certain timeout +conditions, the server could return a response intended for another user. +Only those configurations which trigger the use of proxy worker pools +are affected. There was no vulnerability on earlier versions, as +proxy pools were not yet introduced. The simplest workaround is to +globally configure:

+

SetEnv proxy-nokeepalive 1

+
+ +
+ + + +low +mod_proxy_ftp FTP command injection +

+A flaw was found in the mod_proxy_ftp module. In a reverse proxy +configuration, a remote attacker could use this flaw to bypass +intended access restrictions by creating a carefully-crafted HTTP +Authorization header, allowing the attacker to send arbitrary commands +to the FTP server. +

+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + +low +mod_proxy_ftp DoS +

+A NULL pointer dereference flaw was found in the mod_proxy_ftp +module. A malicious FTP server to which requests are being proxied +could use this flaw to crash an httpd child process via a malformed +reply to the EPSV or PASV commands, resulting in a limited denial of +service. +

+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + +low +Subrequest handling of request headers (mod_headers) +

+A flaw in the core subrequest process code was fixed, to always provide a shallow copy of the headers_in +array to the subrequest, instead of a pointer to the parent request's array +as it had for requests without request bodies. This meant all modules such +as mod_headers which may manipulate the input headers for a subrequest would +poison the parent request in two ways, one by modifying the parent request, +which might not be intended, and second by leaving pointers to modified header +fields in memory allocated to the subrequest scope, which could be freed +before the main request processing was finished, resulting in a segfault or +in revealing data from another request on threaded servers, such as the worker +or winnt MPMs. +

+ +We would like to thank Philip Pickett of VMware for reporting and proposing a +fix for this issue. + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +important +mod_isapi module unload flaw +

+A flaw was found with within mod_isapi which would attempt to unload the ISAPI dll when it +encountered various error states. This could leave the callbacks in an +undefined state and result in a segfault. On Windows platforms using mod_isapi, a +remote attacker could send a malicious request to trigger this issue, and as win32 MPM runs only one +process, this would result in a denial of service, and potentially allow +arbitrary code execution. +

+ +We would like to thank Brett Gervasoni of Sense of Security for reporting and +proposing a patch fix for this issue. + + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_proxy_http DoS +

+A flaw was found in the handling of excessive interim responses +from an origin server when using mod_proxy_http. A remote attacker +could cause a denial of service or high memory usage.

+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + +low +mod_proxy_ftp globbing XSS +

+A flaw was found in the handling of wildcards in the path of a FTP +URL with mod_proxy_ftp. If mod_proxy_ftp is enabled to support +FTP-over-HTTP, requests containing globbing characters could lead +to cross-site scripting (XSS) attacks.

+ + + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_proxy_http DoS +

+A flaw was found in the handling of excessive interim responses +from an origin server when using mod_proxy_http. A remote attacker +could cause a denial of service or high memory usage.

+ + + + + + + +
+ + + +low +mod_proxy_balancer CSRF +

+The mod_proxy_balancer provided an administrative interface that could be +vulnerable to cross-site request forgery (CSRF) attacks. +

+ + + + + + + +
+ + + +moderate +mod_proxy overflow on 64-bit systems +

+An incorrect conversion between numeric types flaw was found in the +mod_proxy module which affects some 64-bit architecture systems. A +malicious HTTP server to which requests are being proxied could use +this flaw to trigger a heap buffer overflow in an httpd child process +via a carefully crafted response. +

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_status XSS +

+A flaw was found in the mod_status module. On sites where mod_status is +enabled and the status pages were publicly accessible, a cross-site +scripting attack is possible. +Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.

+ + + + + + +
+ + + +moderate +mod_status XSS +

+A flaw was found in the mod_status module. On sites where mod_status is +enabled and the status pages were publicly accessible, a cross-site +scripting attack is possible. +Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.

+ + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_status XSS +

+A flaw was found in the mod_status module. On sites where mod_status is +enabled and the status pages were publicly accessible, a cross-site +scripting attack is possible. +Note that the server-status page is not enabled by default and it is best practice to not make this publicly available.

+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_imagemap XSS +

+A flaw was found in the mod_imagemap module. On sites where +mod_imagemap is enabled and an imagemap file is publicly available, a +cross-site scripting attack is possible.

+ + + + + + +
+ + + +moderate +mod_imap XSS +

+A flaw was found in the mod_imap module. On sites where +mod_imap is enabled and an imagemap file is publicly available, a +cross-site scripting attack is possible.

+ + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_imap XSS +

+A flaw was found in the mod_imap module. On sites where +mod_imap is enabled and an imagemap file is publicly available, a +cross-site scripting attack is possible.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +low +mod_proxy_ftp UTF-7 XSS +

+A workaround was added in the mod_proxy_ftp module. On sites where +mod_proxy_ftp is enabled and a forward proxy is configured, a +cross-site scripting attack is possible against Web browsers which do +not correctly derive the response character set following the rules in +RFC 2616. +

+ + + + + + + + + + + + + + + + + + + + + + +
+ + + +low +mod_proxy_ftp UTF-7 XSS +

+A workaround was added in the mod_proxy_ftp module. On sites where +mod_proxy_ftp is enabled and a forward proxy is configured, a +cross-site scripting attack is possible against Web browsers which do +not correctly derive the response character set following the rules in +RFC 2616. +

+ + + + + + +
+ + + +low +mod_proxy_balancer DoS +

+A flaw was found in the mod_proxy_balancer module. On sites where +mod_proxy_balancer is enabled, an authorized user could send a carefully +crafted request that would cause the Apache child process handling that +request to crash. This could lead to a denial of service if using a +threaded Multi-Processing Module.

+ + + + + + +
+ + + +low +mod_proxy_balancer XSS +

+A flaw was found in the mod_proxy_balancer module. On sites where +mod_proxy_balancer is enabled, a cross-site scripting attack against an +authorized user is possible.

+ + + + + + +
+ + + +moderate +mod_proxy crash +

+A flaw was found in the Apache HTTP Server mod_proxy module. On sites where +a reverse proxy is configured, a remote attacker could send a carefully +crafted request that would cause the Apache child process handling that +request to crash. On sites where a forward proxy is configured, an attacker +could cause a similar crash if a user could be persuaded to visit a +malicious site using the proxy. This could lead to a denial of service if +using a threaded Multi-Processing Module.

+ + + + +
+ + + +moderate +mod_proxy crash +

+A flaw was found in the Apache HTTP Server mod_proxy module. On sites where +a reverse proxy is configured, a remote attacker could send a carefully +crafted request that would cause the Apache child process handling that +request to crash. On sites where a forward proxy is configured, an attacker +could cause a similar crash if a user could be persuaded to visit a +malicious site using the proxy. This could lead to a denial of service if +using a threaded Multi-Processing Module.

+ + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_status cross-site scripting +

+A flaw was found in the mod_status module. On sites where the +server-status page is publicly accessible and ExtendedStatus is +enabled this could lead to a cross-site scripting attack. +Note that the server-status +page is not enabled by default and it is best practice to not make +this publicly available.

+ + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_status cross-site scripting +

+A flaw was found in the mod_status module. On sites where the +server-status page is publicly accessible and ExtendedStatus is +enabled this could lead to a cross-site scripting attack. +Note that the server-status +page is not enabled by default and it is best practice to not make +this publicly available.

+ + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_status cross-site scripting +

+A flaw was found in the mod_status module. On sites where the +server-status page is publicly accessible and ExtendedStatus is +enabled this could lead to a cross-site scripting attack. +Note that the server-status +page is not enabled by default and it is best practice to not make +this publicly available.

+ + + + +
+ + + +moderate +Signals to arbitrary processes +

The Apache HTTP server did not verify that a process +was an Apache child process before sending it signals. A local +attacker with the ability to run scripts on the HTTP server could +manipulate the scoreboard and cause arbitrary processes to be +terminated which could lead to a denial of service.

+ + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +Signals to arbitrary processes +

The Apache HTTP server did not verify that a process +was an Apache child process before sending it signals. A local +attacker with the ability to run scripts on the HTTP server could +manipulate the scoreboard and cause arbitrary processes to be +terminated which could lead to a denial of service.

+ + + + +
+ + + +moderate +Signals to arbitrary processes +

The Apache HTTP server did not verify that a process +was an Apache child process before sending it signals. A local +attacker with the ability to run scripts on the HTTP server could +manipulate the scoreboard and cause arbitrary processes to be +terminated which could lead to a denial of service.

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_cache information leak + +

The recall_headers function in mod_mem_cache in Apache 2.2.4 did not +properly copy all levels of header data, which can cause Apache to +return HTTP headers containing previously used data, which could be +used by remote attackers to obtain potentially sensitive information. +

+ +
+ + + +moderate +mod_cache proxy DoS + +

A bug was found in the mod_cache module. On sites where +caching is enabled, a remote attacker could send a carefully crafted +request that would cause the Apache child process handling that request to +crash. This could lead to a denial of service if using a threaded +Multi-Processing Module.

+ + + + + + + + + + + + + + + + + + + +
+ + + +moderate +mod_cache proxy DoS + +

A bug was found in the mod_cache module. On sites where +caching is enabled, a remote attacker could send a carefully crafted +request that would cause the Apache child process handling that request to +crash. This could lead to a denial of service if using a threaded +Multi-Processing Module.

+ + + + +
+ + + +important +mod_rewrite off-by-one error + +

+An off-by-one flaw exists in the Rewrite module, mod_rewrite. +Depending on the manner in which Apache httpd was compiled, this +software defect may result in a vulnerability which, in combination +with certain types of Rewrite rules in the web server configuration +files, could be triggered remotely. For vulnerable builds, the nature +of the vulnerability can be denial of service (crashing of web server +processes) or potentially allow arbitrary code execution. +

+
+ + +
+ + + +important +mod_rewrite off-by-one error + +

+An off-by-one flaw exists in the Rewrite module, mod_rewrite. [... 1950 lines stripped ...]
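Review bot: the two "apr_bridage_split_line DoS" titles (the 2.2 and 2.0 entries for the APR-util timing flaw) misspell the function that the body text names correctly as apr_brigade_split_line(); rename the titles to "apr_brigade_split_line DoS" so searches on the function name hit the advisory. Same class of fix in the four expat entries, where "an untrused XML document" should read "an untrusted XML document", and in both mod_isapi entries, where "A flaw was found with within mod_isapi" has a stray "with". In the 2.2.9-2.2.15 mod_proxy_http timeout entry, "The simplest workaround is to globally configure;" and "Source code patches are at;" end in a semicolon where the 2.2.9-only entry below it uses a colon; switch to colons, and confirm the link targets for "Source code patches are at" and "Binary replacement modules are at" are populated, since no URL follows either line in the hunk as shown. The entry titled "mod_cache information leak" describes the recall_headers function in mod_mem_cache in 2.2.4; title it "mod_mem_cache information leak" so it is not confused with the separate "mod_cache proxy DoS" entries that follow. Finally, only the mod_deflate, mod_proxy reverse proxy DoS, AllowOverride and mod_proxy_ajp information disclosure entries carry a CVSS vector such as "2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P"; either add vectors to the remaining entries or note in the file that the field is optional, so consumers of the XML do not treat its absence as a parse error.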