Dovecot: Outdated Apache Server in www.dovecot.fi is vulnerable to various attack.

2016-05-18T16:33:46
ID H1:139591
Type hackerone
Reporter koolacac
Modified 2016-08-15T11:44:21

Description

Apache HTTP Server NULL Pointer Dereference Vulnerability

CVE 2014-3581.

>Apache HTTP Server 2.4.10 and earlier is prone to a vulnerability, which can be exploited to cause a DoS (Denial of Service). The vulnerability exists because the application contains flaw in the cache_merge_headers_out() function which is triggered when handling an empty 'Content-Type' header value.

CVE-2014-8109.

>mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

Apache Server Banner.

{F94511}

Good Reads: 1) Cve details.

Solution: Update to the latest Apache stable version(2.4.20)

[https://httpd.apache.org/download.cgi]