ID CVE-2004-0747 Type cve Reporter NVD Modified 2017-10-10T21:29:31
Description
Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables.
{"result": {"cert": [{"id": "VU:481998", "type": "cert", "title": "Apache vulnerable to buffer overflow when expanding environment variables", "description": "### Overview\n\nThere is a buffer overflow vulnerability in ap_resolve_env() function of Apache that could allow a local user to gain elevated privileges.\n\n### Description\n\nThe [Apache HTTP Server](<http://httpd.apache.org/>) is a freely available web server that runs on a variety of operating systems including Unix, Linux, and Microsoft Windows. The `ap_resolve_env()` function is responsible for expanding environment variables when parsing configuration files such as `.htaccess` or `httpd.conf`. There is a vulnerability in this function that could allow a local user to trigger a buffer overflow. \n\nThe Apache Software Foundation notes that in order to exploit this vulnerability, a local user would need to install the malicious configuration file on the server and force the server to parse this file. \n \n--- \n \n### Impact\n\nA local user with the ability to force a vulnerable server to parse a malicious configuration file could gain elevated privileges. \n \n--- \n \n### Solution\n\n**Upgrade or Apply Patch** \nUpgrade or apply patch as specified by your vendor. This issue is resolved in Apache version 2.0.51. 
\n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nApache| | -| 17 Sep 2004 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23481998 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.apache.org/dist/httpd/Announcement2.html>\n * <http://www.uniras.gov.uk/vuls/2004/403518/index.htm>\n * <http://secunia.com/advisories/12540/>\n * <http://www.securitytracker.com/alerts/2004/Sep/1011303.html>\n * <http://rhn.redhat.com/errata/RHSA-2004-463.html>\n\n### Credit\n\nThis vulnerability was reported by the Swedish IT Incident Centre within the National Post and Telecom Agency (SITIC).\n\nThis document was written by Damon Morda.\n\n### Other Information\n\n * CVE IDs: [CAN-2004-0747](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2004-0747>)\n * Date Public: 15 Sep 2004\n * Date First Published: 17 Sep 2004\n * Date Last Updated: 17 Sep 2004\n * Severity Metric: 3.37\n * Document Revision: 9\n\n", "published": "2004-09-17T00:00:00", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/481998", "cvelist": ["CVE-2004-0747", "CVE-2004-0747"], "lastseen": "2016-02-03T09:12:36"}], "freebsd": [{"id": "4D49F4BA-071F-11D9-B45D-000C41E2CDAD", "type": "freebsd", "title": "apache -- ap_resolve_env buffer overflow", "description": "\nSITIC discovered a vulnerability in Apache 2's handling of\n\t environmental variable settings in the httpd configuration\n\t files (the main `httpd.conf' and `.htaccess' files).\n\t According to a SITIC advisory:\n\nThe buffer overflow occurs when expanding ${ENVVAR}\n\t constructs in .htaccess or httpd.conf files. 
The function\n\t ap_resolve_env() in server/util.c copies data from\n\t environment variables to the character array tmp with\n\t strcat(3), leading to a buffer overflow.\n\n", "published": "2004-09-15T00:00:00", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/4d49f4ba-071f-11d9-b45d-000c41e2cdad.html", "cvelist": ["CVE-2004-0747"], "lastseen": "2016-09-26T17:25:21"}], "osvdb": [{"id": "OSVDB:9991", "type": "osvdb", "title": "Apache HTTP Server ap_resolve_env Environment Variable Local Overflow", "description": "## Vulnerability Description\nApache HTTP Server and IBM HTTP Server contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when function ap_resolve_env() in server/util.c expands environment variable constructs from configuration files such as .htaccess or httpd.conf. For an attacker to exploit the flaw they would need to carefully craft malicious configuration files and have write access to the legitimate copies. This flaw may lead to a loss of confidentiality.\n## Solution Description\nUpgrade to version 2.0.51 or higher or apply the patch from IBM, as it has been reported to fix this vulnerability.\n## Short Description\nApache HTTP Server and IBM HTTP Server contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when function ap_resolve_env() in server/util.c expands environment variable constructs from configuration files such as .htaccess or httpd.conf. For an attacker to exploit the flaw they would need to carefully craft malicious configuration files and have write access to the legitimate copies. 
This flaw may lead to a loss of confidentiality.\n## References:\nVendor URL: http://httpd.apache.org/\nVendor URL: http://www.ibm.com/us/\nVendor Specific Solution URL: http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/CAN-2004-0747.patch\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?rs=177&uid=swg24007795)\n[Vendor Specific Advisory URL](http://www.apacheweek.com/features/security-20)\n[Vendor Specific Advisory URL](http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01090)\n[Vendor Specific Advisory URL](http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBOV01083)\nSecurity Tracker: 1011303\n[Secunia Advisory ID:13025](https://secuniaresearch.flexerasoftware.com/advisories/13025/)\n[Secunia Advisory ID:13027](https://secuniaresearch.flexerasoftware.com/advisories/13027/)\n[Secunia Advisory ID:12540](https://secuniaresearch.flexerasoftware.com/advisories/12540/)\n[Secunia Advisory ID:12922](https://secuniaresearch.flexerasoftware.com/advisories/12922/)\n[Related OSVDB ID: 9994](https://vulners.com/osvdb/OSVDB:9994)\nRedHat RHSA: RHSA-2004:463\nOther Advisory URL: http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-3404.txt\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:096\nOther Advisory URL: http://www.suse.de/de/security/2004_32_apache2.html\nOther Advisory URL: http://www.sitic.se/rad_och_rekommendationer/sa04-002.html\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200409-21.xml\nOther Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000868\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0501.html\nKeyword: PQ94086\nISS X-Force ID: 17384\n[CVE-2004-0747](https://vulners.com/cve/CVE-2004-0747)\n", "published": "2004-09-15T12:54:16", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:9991", "cvelist": ["CVE-2004-0747"], 
"lastseen": "2017-04-28T13:20:05"}], "openvas": [{"id": "OPENVAS:100172", "type": "openvas", "title": "Apache Web Server Configuration File Environment Variable Local Buffer Overflow Vulnerability", "description": "According to its version number, the remote version of Apache Web\n Server is prone to a local buffer-overflow vulnerability that\n affects a configuration file environment variable. This occurs\n because the application fails to validate user-supplied string\n lengths before copying them into finite process buffers.\n\n An attacker may leverage this issue to execute arbitrary code on\n the affected computer with the privileges of the Apache webserver\n process.", "published": "2009-05-02T00:00:00", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=100172", "cvelist": ["CVE-2004-0747"], "lastseen": "2017-09-19T12:03:38"}, {"id": "OPENVAS:52390", "type": "openvas", "title": "FreeBSD Ports: apache", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2008-09-04T00:00:00", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=52390", "cvelist": ["CVE-2004-0747"], "lastseen": "2017-07-02T21:10:15"}, {"id": "OPENVAS:1361412562310100172", "type": "openvas", "title": "Apache Web Server Configuration File Environment Variable Local Buffer Overflow Vulnerability", "description": "According to its version number, the remote version of Apache Web\n Server is prone to a local buffer-overflow vulnerability that\n affects a configuration file environment variable.", "published": "2009-05-02T00:00:00", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100172", "cvelist": ["CVE-2004-0747"], "lastseen": 
"2018-03-27T19:17:21"}, {"id": "OPENVAS:54677", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200409-21 (apache)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200409-21.", "published": "2008-09-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54677", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0751"], "lastseen": "2017-07-24T12:49:44"}, {"id": "OPENVAS:1361412562310835139", "type": "openvas", "title": "HP-UX Update for Apache with PHP HPSBUX01090", "description": "Check for the Version of Apache with PHP", "published": "2009-05-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310835139", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0811", "CVE-2004-0751"], "lastseen": "2018-04-09T11:39:41"}, {"id": "OPENVAS:835139", "type": "openvas", "title": "HP-UX Update for Apache with PHP HPSBUX01090", "description": "Check for the Version of Apache with PHP", "published": "2009-05-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=835139", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0811", "CVE-2004-0751"], "lastseen": "2017-07-24T12:56:28"}], "nessus": [{"id": "FREEBSD_PKG_4D49F4BA071F11D9B45D000C41E2CDAD.NASL", "type": "nessus", "title": "FreeBSD : apache -- ap_resolve_env buffer overflow (4d49f4ba-071f-11d9-b45d-000c41e2cdad)", "description": "SITIC discovered a vulnerability in Apache 2's handling of environmental variable settings in the httpd configuration files (the main `httpd.conf' and `.htaccess' files). 
According to a SITIC advisory :\n\nThe buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess or httpd.conf files. The function ap_resolve_env() in server/util.c copies data from environment variables to the character array tmp with strcat(3), leading to a buffer overflow.", "published": "2009-04-23T00:00:00", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=36910", "cvelist": ["CVE-2004-0747"], "lastseen": "2017-10-29T13:44:38"}, {"id": "SUSE_SA_2004_032.NASL", "type": "nessus", "title": "SUSE-SA:2004:032: apache2", "description": "The remote host is missing the patch for the advisory SUSE-SA:2004:032 (apache2).\n\n\nThe Apache daemon is running on most of the web-servers used in the Internet today.\nThe Red Hat ASF Security-Team and the Swedish IT Incident Center within the National Post and Telecom Agency (SITIC) have found a bug in apache2 each.\nThe first vulnerability appears in the apr_uri_parse() function while handling IPv6 addresses. The affected code passes a negative length argument to the memcpy() function. On BSD systems this can lead to remote command execution due to the nature of the memcpy() implementation.\nOn Linux this bug will result in a remote denial-of-service condition.\nThe second bug is a local buffer overflow that occurs while expanding ${ENVVAR} in the .htaccess and httpd.conf file. 
Both files are not writable by normal users by default.", "published": "2004-09-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14731", "cvelist": ["CVE-2004-0786", "CVE-2004-0747"], "lastseen": "2016-09-26T17:23:27"}, {"id": "GENTOO_GLSA-200409-21.NASL", "type": "nessus", "title": "GLSA-200409-21 : Apache 2, mod_dav: Multiple vulnerabilities", "description": "The remote host is affected by the vulnerability described in GLSA-200409-21 (Apache 2, mod_dav: Multiple vulnerabilities)\n\n A potential infinite loop has been found in the input filter of mod_ssl (CAN-2004-0748) as well as a possible segmentation fault in the char_buffer_read function if reverse proxying to a SSL server is being used (CAN-2004-0751). Furthermore, mod_dav, as shipped in Apache httpd 2 or mod_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can be triggered remotely (CAN-2004-0809). The third issue is an input validation error found in the IPv6 URI parsing routines within the apr-util library (CAN-2004-0786). Additionally a possible buffer overflow has been reported when expanding environment variables during the parsing of configuration files (CAN-2004-0747).\n Impact :\n\n A remote attacker could cause a Denial of Service either by aborting a SSL connection in a special way, resulting in CPU consumption, by exploiting the segmentation fault in mod_ssl or the mod_dav flaw. 
A remote attacker could also crash a httpd child process by sending a specially crafted URI.\n The last vulnerability could be used by a local user to gain the privileges of a httpd child, if the server parses a carefully prepared .htaccess file.\n Workaround :\n\n There is no known workaround at this time.", "published": "2004-09-17T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14766", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0751"], "lastseen": "2017-10-29T13:34:51"}, {"id": "APACHE_2_0_51.NASL", "type": "nessus", "title": "Apache 2.0.x < 2.0.51 Multiple Vulnerabilities (OF, DoS)", "description": "According to its Server response header, the remote host is running a version of Apache 2.0.x prior to 2.0.51. It is, therefore, affected by multiple vulnerabilities :\n\n - An input validation issue in apr-util can be triggered by malformed IPv6 literal addresses and result in a buffer overflow (CVE-2004-0786).\n\n - There is a buffer overflow that can be triggered when expanding environment variables during configuration file parsing (CVE-2004-0747).\n\n - A segfault in mod_dav_ds when handling an indirect lock refresh can lead to a process crash (CVE-2004-0809).\n\n - A segfault in the SSL input filter can be triggered if using 'speculative' mode by, for instance, a proxy request to an SSL server (CVE-2004-0751).\n\n - There is the potential for an infinite loop in mod_ssl (CVE-2004-0748).", "published": "2004-09-16T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14748", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0751"], "lastseen": "2018-01-23T09:12:19"}, {"id": "REDHAT-RHSA-2004-463.NASL", "type": "nessus", "title": "RHEL 3 : httpd 
(RHSA-2004:463)", "description": "Updated httpd packages that include fixes for security issues are now available.\n\nThe Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.\n\nFour issues have been discovered affecting releases of the Apache HTTP 2.0 Server, up to and including version 2.0.50 :\n\nTesting using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. This issue is not believed to allow arbitrary code execution on Red Hat Enterprise Linux. This issue also does not represent a significant denial of service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0786 to this issue.\n\nThe Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain 'apache' privileges if an httpd process can be forced to parse a carefully crafted .htaccess file written by a local user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0747 to this issue.\n\nAn issue was discovered in the mod_ssl module which could be triggered if the server is configured to allow proxying to a remote SSL server.\nA malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. This issue is not believed to allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0751 to this issue.\n\nAn issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0809 to this issue.\n\nUsers of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues.", "published": "2004-09-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14736", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0809", "CVE-2004-0751"], "lastseen": "2017-10-29T13:45:03"}, {"id": "MANDRAKE_MDKSA-2004-096.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : apache2 (MDKSA-2004:096)", "description": "Two Denial of Service conditions were discovered in the input filter of mod_ssl, the module that enables apache to handle HTTPS requests.\n\nAnother vulnerability was discovered by the ASF security team using the Codenomicon HTTP Test Tool. This vulnerability, in the apr-util library, can possibly lead to arbitrary code execution if certain non-default conditions are met (enabling the AP_ENABLE_EXCEPTION_HOOK define).\n\nAs well, the SITIC have discovered a buffer overflow when Apache expands environment variables in configuration files such as .htaccess and httpd.conf, which can lead to possible privilege escalation. 
This can only be done, however, if an attacker is able to place malicious configuration files on the server.\n\nFinally, a crash condition was discovered in the mod_dav module by Julian Reschke, where sending a LOCK refresh request to an indirectly locked resource could crash the server.\n\nThe updated packages have been patched to protect against these vulnerabilities.", "published": "2004-09-16T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14752", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0783", "CVE-2004-0751"], "lastseen": "2017-10-29T13:45:25"}, {"id": "MACOSX_SECUPD20041202.NASL", "type": "nessus", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)", "description": "The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs :\n\n - Apache\n - Apache2\n - AppKit\n - Cyrus IMAP\n - HIToolbox\n - Kerberos\n - Postfix\n - PSNormalizer\n - QuickTime Streaming Server\n - Safari\n - Terminal\n\nThese programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.", "published": "2004-12-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=15898", "cvelist": ["CVE-2004-1121", "CVE-2004-0644", "CVE-2004-1123", "CVE-2004-0786", "CVE-2004-0747", "CVE-2003-0987", "CVE-2004-0643", "CVE-2004-0885", "CVE-2004-1122", "CVE-2004-0804", "CVE-2004-1086", "CVE-2004-0642", "CVE-2004-0748", "CVE-2004-1088", "CVE-2004-1087", "CVE-2004-0803", "CVE-2004-1084", "CVE-2004-1081", "CVE-2004-0940", "CVE-2004-1082", "CVE-2004-0772", "CVE-2004-0174", "CVE-2004-1089", "CVE-2004-0488", "CVE-2004-1083", "CVE-2004-0492", "CVE-2003-0020", "CVE-2004-1085", "CVE-2004-0886", 
"CVE-2004-0751"], "lastseen": "2017-10-29T13:37:35"}], "httpd": [{"id": "HTTPD:FA00EE6E5A32CC9AB0A435F425709933", "type": "httpd", "title": "Apache Httpd < 2.0.51: Environment variable expansion flaw", "description": "\n\nA buffer overflow was found in the\nexpansion of environment variables during configuration file parsing. This\nissue could allow a local user to gain the privileges of a httpd\nchild if a server can be forced to parse a carefully crafted .htaccess file \nwritten by a local user.\n\n", "published": "2004-08-05T00:00:00", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://httpd.apache.org/security_report.html", "cvelist": ["CVE-2004-0747"], "lastseen": "2016-09-26T21:39:38"}, {"id": "HTTPD:FF6707403F89E77CD90F095B4014299E", "type": "httpd", "title": "Apache Httpd < None: Environment variable expansion flaw", "description": "\n\nA buffer overflow was found in the\nexpansion of environment variables during configuration file parsing. This\nissue could allow a local user to gain the privileges of a httpd\nchild if a server can be forced to parse a carefully crafted .htaccess file \nwritten by a local user.\n\n", "published": "2004-08-05T00:00:00", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://httpd.apache.org/security_report.html", "cvelist": ["CVE-2004-0747"], "lastseen": "2018-04-11T18:10:29"}], "gentoo": [{"id": "GLSA-200409-21", "type": "gentoo", "title": "Apache 2, mod_dav: Multiple vulnerabilities", "description": "### Background\n\nThe Apache HTTP server is one of most popular web servers on the internet. mod_ssl provides SSL v2/v3 and TLS v1 support for it and mod_dav is the Apache module for Distributed Authoring and Versioning (DAV). 
\n\n### Description\n\nA potential infinite loop has been found in the input filter of mod_ssl (CAN-2004-0748) as well as a possible segmentation fault in the char_buffer_read function if reverse proxying to a SSL server is being used (CAN-2004-0751). Furthermore, mod_dav, as shipped in Apache httpd 2 or mod_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can be triggered remotely (CAN-2004-0809). The third issue is an input validation error found in the IPv6 URI parsing routines within the apr-util library (CAN-2004-0786). Additionally a possible buffer overflow has been reported when expanding environment variables during the parsing of configuration files (CAN-2004-0747). \n\n### Impact\n\nA remote attacker could cause a Denial of Service either by aborting a SSL connection in a special way, resulting in CPU consumption, by exploiting the segmentation fault in mod_ssl or the mod_dav flaw. A remote attacker could also crash a httpd child process by sending a specially crafted URI. The last vulnerability could be used by a local user to gain the privileges of a httpd child, if the server parses a carefully prepared .htaccess file. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll Apache 2 users should upgrade to the latest version: \n \n \n # emerge sync\n \n # emerge -pv \">=www-servers/apache-2.0.51\"\n # emerge \">=www-servers/apache-2.0.51\"\n\nAll mod_dav users should upgrade to the latest version: \n \n \n # emerge sync\n \n # emerge -pv \">=net-www/mod_dav-1.0.3-r2\"\n # emerge \">=net-www/mod_dav-1.0.3-r2\"", "published": "2004-09-16T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/200409-21", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0751"], "lastseen": "2016-09-06T19:46:59"}], "redhat": [{"id": "RHSA-2004:463", "type": "redhat", "title": "(RHSA-2004:463) httpd security update", "description": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nFour issues have been discovered affecting releases of the Apache HTTP 2.0\nServer, up to and including version 2.0.50:\n\nTesting using the Codenomicon HTTP Test Tool performed by the Apache\nSoftware Foundation security group and Red Hat uncovered an input\nvalidation issue in the IPv6 URI parsing routines in the apr-util library. \nIf a remote attacker sent a request including a carefully crafted URI, an\nhttpd child process could be made to crash. This issue is not believed to\nallow arbitrary code execution on Red Hat Enterprise Linux. This issue\nalso does not represent a significant denial of service attack as requests\nwill continue to be handled by other Apache child processes. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-0786 to this issue.\n\nThe Swedish IT Incident Centre (SITIC) reported a buffer overflow in the\nexpansion of environment variables during configuration file parsing. 
This\nissue could allow a local user to gain 'apache' privileges if an httpd\nprocess can be forced to parse a carefully crafted .htaccess file written\nby a local user. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2004-0747 to this issue.\n\nAn issue was discovered in the mod_ssl module which could be triggered if\nthe server is configured to allow proxying to a remote SSL server. A\nmalicious remote SSL server could force an httpd child process to crash by\nsending a carefully crafted response header. This issue is not believed to\nallow execution of arbitrary code. This issue also does not represent a\nsignificant Denial of Service attack as requests will continue to be\nhandled by other Apache child processes. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2004-0751 to\nthis issue.\n\nAn issue was discovered in the mod_dav module which could be triggered for\na location where WebDAV authoring access has been configured. A malicious\nremote client which is authorized to use the LOCK method could force an\nhttpd child process to crash by sending a particular sequence of LOCK\nrequests. This issue does not allow execution of arbitrary code. This\nissue also does not represent a significant Denial of Service attack as\nrequests will continue to be handled by other Apache child processes. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2004-0809 to this issue. 
\n\nUsers of the Apache HTTP server should upgrade to these updated packages,\nwhich contain backported patches that address these issues.", "published": "2004-09-15T04:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2004:463", "cvelist": ["CVE-2004-0747", "CVE-2004-0751", "CVE-2004-0786", "CVE-2004-0809"], "lastseen": "2017-08-02T22:57:23"}], "suse": [{"id": "SUSE-SA:2004:032", "type": "suse", "title": "remote denial-of-service in apache2", "description": "The Apache daemon is running on most of the web-servers used in the Internet today. The Red Hat ASF Security-Team and the Swedish IT Incident Center within the National Post and Telecom Agency (SITIC) have found a bug in apache2 each. The first vulnerability appears in the apr_uri_parse() function while handling IPv6 addresses. The affected code passes a negative length argument to the memcpy() function. On BSD systems this can lead to remote command execution due to the nature of the memcpy() implementation. On Linux this bug will result in a remote denial-of-service condition. The second bug is a local buffer overflow that occurs while expanding ${ENVVAR} in the .htaccess and httpd.conf file. 
Both files are not writable by normal users by default.\n#### Solution\nThere is no known workaround.", "published": "2004-09-15T15:46:39", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2004-09/msg00011.html", "cvelist": ["CVE-2004-0788", "CVE-2004-0786", "CVE-2004-0765", "CVE-2004-0747", "CVE-2004-0762", "CVE-2004-0758", "CVE-2004-0784", "CVE-2004-0807", "CVE-2004-0718", "CVE-2004-0764", "CVE-2004-0757", "CVE-2004-0494", "CVE-2004-0808", "CVE-2004-0782", "CVE-2004-0783", "CVE-2004-0597", "CVE-2004-0722", "CVE-2004-0832", "CVE-2004-0785", "CVE-2004-0759", "CVE-2004-0754", "CVE-2004-0763", "CVE-2004-0761"], "lastseen": "2016-09-04T11:57:20"}]}}