CERT VU:849993
Feb 14, 2003

Some implementations of mod_dav contain a format string vulnerability in "ap_log_rerror()" function

2003-02-14 00:00:00
www.kb.cert.org
8

EPSS: 0.023 (Low), percentile 89.7%

Overview

A vulnerability in some implementations of mod_dav may permit a remote attacker to gain unauthorized access to a web server running mod_dav.

Description

mod_dav is a module designed to provide DAV capabilities for a web server. A format string vulnerability in some implementations may permit a remote attacker to gain unauthorized access to a web server running mod_dav.

Here is a brief primer for those unfamiliar with format string vulnerabilities:

_A format string vulnerability occurs when a call to a function in the printf family is made with a format string under the control of an attacker. The most basic case arises when a programmer uses printf as follows:_

```c
printf(s);
```

_where s comes from the attacker's input. There are a variety of attacks based on this flaw, many of which can lead to the ability to execute code with the privileges of the vulnerable program. Most of the attacks leverage the %n conversion character, which has the somewhat unusual effect of writing to memory, as opposed to most conversion characters which only read from memory. If the attacker can cause the above printf statement to be issued as follows (by providing %n as input):_

```c
printf("%n");
```

he can write to the stack, and by carefully choosing his input he can control what gets written, and where it goes.

David Litchfield found some problems in Oracle’s 9iAS/9.0.2 implementation of mod_dav. Examination of Greg Stein’s open source mod_dav (often used by Apache installations) suggested the problem may be broader than just Oracle’s implementation. The following code is from the function dav_lookup_uri in the module dav_util:

```c
if (strcasecmp(comp.scheme, scheme) != 0 || comp.port != port) {
    result.err.status = HTTP_BAD_GATEWAY;
    /* The description is built from values derived from the request. */
    result.err.desc = ap_psprintf(r->pool,
                                  "Destination URI refers to different "
                                  "scheme or port (%s://hostname:%d)\n"
                                  "(want: %s://hostname:%d)",
                                  comp.scheme ? comp.scheme : scheme,
                                  comp.port ? comp.port : port,
                                  scheme, port);
```

You can see that in at least one case, result.err.desc gets filled in with values under the control of the caller. Specifically, comp.scheme, comp.port, scheme, and port can be influenced by an intruder. The result variable is returned to the function dav_method_copymove in the module mod_dav as "lookup":

```c
lookup = dav_lookup_uri(dest, r);
if (lookup.rnew == NULL) {
    if (lookup.err.status == HTTP_BAD_REQUEST) {            /* 2: */
        /* This supplies additional information for the default message. */
        ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r,
                      lookup.err.desc);                     /* 1: */
        return HTTP_BAD_REQUEST;
    }
```

You can see that on the line labeled “1:” if lookup.err.desc could be influenced by an intruder, a format string vulnerability would exist. However, that section of code only gets executed if lookup.err.status is HTTP_BAD_REQUEST and the dav_lookup_uri function sets err.status to be HTTP_BAD_GATEWAY, so this code doesn’t get executed.

Based on these observations, we concluded that a format string vulnerability does not exist in the open source mod_dav. However, we believe that it would be more “correct” to include an explicit format string specifier in all calls to ap_log_error (and indeed any functions that ultimately use the printf family or other var_args-like functions). We recommended to Greg Stein that this change be made, though we see no immediate security concern – just a future problem waiting to happen. Oracle is vulnerable because they allow the user to gain control of the format string through a minor change to their implementation of the mod_dav routines. Other vendors may have made similar changes.
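
The recommendation above, shown as an added example that is not mod_dav or Apache source: `log_rerror_sim()` is a hypothetical stand-in for a printf-style logger such as `ap_log_rerror()`, and the sample description is constructed. It logs an error description only through a literal `"%s"` and counts the directives that would have been interpreted had the description been used as the format.

```c
/* Added example (not mod_dav or Apache source). log_rerror_sim() is a
 * hypothetical stand-in for a printf-style logger such as ap_log_rerror(). */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
/* Lets gcc/clang check the format string at every call site. */
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Constructed sample: an error description carrying request-derived text. */
#define SAMPLE_DESC \
    "Destination URI refers to different scheme (%s%n://hostname:80)"

static int log_rerror_sim(char *out, size_t outsz, const char *fmt, ...)
    PRINTF_LIKE(3, 4);

/* Formats into out[]; returns the length the full message would need. */
static int log_rerror_sim(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Counts the conversion directives a printf-family function would act on
 * if s were passed as the format. "%%" is a literal percent sign. */
static int count_directives(const char *s)
{
    int n = 0;

    while ((s = strchr(s, '%')) != NULL) {
        if (s[1] == '%') {
            s += 2;
            continue;
        }
        n++;    /* includes a malformed trailing '%' */
        s++;
    }
    return n;
}

/* Hardened call shape: the description is an argument, never the format.
 * The shape to avoid is log_rerror_sim(out, outsz, desc); with the format
 * attribute above, gcc -Wformat -Wformat-security reports that call. */
static int log_desc_safe(char *out, size_t outsz, const char *desc)
{
    return log_rerror_sim(out, outsz, "%s", desc);
}

/* Returns 1 when the logged text is byte-for-byte the description. */
static int safe_log_preserves(const char *desc)
{
    char buf[256];
    int n = log_desc_safe(buf, sizeof buf, desc);

    return n == (int)strlen(desc) && strcmp(buf, desc) == 0;
}

int main(void)
{
    printf("directives if used as format: %d\n",
           count_directives(SAMPLE_DESC));
    printf("logged verbatim via \"%%s\": %s\n",
           safe_log_preserves(SAMPLE_DESC) ? "yes" : "no");
    return 0;
}
```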

Based on our recommendations, Greg Stein made the following change to revision 1.91 of mod_dav.c:

Code a bit more defensively. If dav_lookup_uri() ever placed user input into lookup.err.desc for the HTTP_BAD_REQUEST case, then we could have problems (via a format string attack). This change frees us from *future* worries.

Until you apply a patch from Oracle, you may consider disabling mod_dav functionality on Oracle 9iAS/9.0.2. If you are making use of another implementation of mod_dav, you may wish to make the changes to the source yourself. Here is an example:
`-\t ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r,

  • ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r, “%s”,`
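
Review bot: Only the first line of one ap_log_rerror call is shown, so the argument that follows the new "%s" is not visible; when applying this by hand, keep lookup.err.desc as the next argument so it is logged as data. The same literal-format change applies to any other ap_log_rerror or ap_log_error call that passes a variable where the format string belongs.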

Impact

A remote attacker may be able to gain privileged access to a web server running mod_dav.


Solution

Apply a vendor patch.


You may wish to disable mod_dav until a patch can be applied.


Vendor Information


Oracle Corporation Affected

Updated: February 14, 2003

Status

Affected

Vendor Statement

See <http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23849993 Feedback>).

Apple Computer Inc. Not Affected

Notified: September 25, 2002 Updated: July 24, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Cray Inc. Not Affected

Notified: September 25, 2002 Updated: September 25, 2002

Status

Not Affected

Vendor Statement

Cray, Inc. does not distribute Apache with any of its operating systems.

IBM Not Affected

Notified: September 25, 2002 Updated: September 27, 2002

Status

Not Affected

Vendor Statement

IBM is not vulnerable to the above mentioned issues with the Apache "mod_dav" module. While we do provide Open Source packages through the AIX Linux Toolbox, "mod_dav" is not one of them.

Microsoft Corporation Not Affected

Updated: November 06, 2002

Status

Not Affected

Vendor Statement

We’ve reviewed this and are not vulnerable as we are not using mod_dav.

OpenBSD Not Affected

Notified: September 25, 2002 Updated: September 26, 2002

Status

Not Affected

Vendor Statement

We do not include apache 2.

Openwall GNU/*/Linux Not Affected

Notified: September 25, 2002 Updated: November 06, 2002

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not affected.

Red Hat Inc. Not Affected

Notified: September 25, 2002 Updated: February 18, 2003

Status

Not Affected

Vendor Statement

Red Hat products are not affected by this vulnerability.

Xerox Corporation Not Affected

Notified: September 25, 2002 Updated: May 30, 2003

Status

Not Affected

Vendor Statement

A response to this vulnerability is available from our web site: <http://www.xerox.com/security>.

3Com Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

AT&T Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Alcatel Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

BSDI Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Cisco Systems Inc. Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Computer Associates Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Conectiva Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Data General Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Debian Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

F5 Networks Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

FreeBSD Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Fujitsu Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Guardian Digital Inc. Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett-Packard Company Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to the new HP’s released Operating System software products.

Intel Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Juniper Networks Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Lachman Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Lotus Software Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Lucent Technologies Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

MandrakeSoft Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

MontaVista Software Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Multinet Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

NEC Corporation Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

NetBSD Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Network Appliance Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Nortel Networks Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

SGI Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Sequent Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Sony Corporation Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

SuSE Inc. Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Sun Microsystems Inc. Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

The SCO Group (SCO Linux) Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

The SCO Group (SCO UnixWare) Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Unisphere Networks Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Unisys Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Wind River Systems Inc. Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Wirex Unknown

Notified: September 25, 2002 Updated: September 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Acknowledgements

This vulnerability was discovered by David Litchfield of Next Generation Security Software Ltd. The CERT/CC thanks both Next Generation Security Software Ltd and Oracle for providing information upon which this document is based.

This document was written by Ian A Finlay and Shawn V. Hernan.

Other Information

CVE IDs: CVE-2002-0842
Severity Metric: 28.13 Date Public:
