ID ORACLELINUX_ELSA-2006-0619.NASL Type nessus Reporter This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2013-07-12T00:00:00
Description
From Red Hat Security Advisory 2006:0619 :
Updated Apache httpd packages that correct security issues and resolve
bugs are now available for Red Hat Enterprise Linux 3 and 4.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.
The Apache HTTP Server is a popular Web server available for free.
A bug was found in Apache where an invalid Expect header sent to the
server was returned to the user in an unescaped error message. This
could allow an attacker to perform a cross-site scripting attack if a
victim was tricked into connecting to a site and sending a carefully
crafted Expect header. (CVE-2006-3918)
While a web browser cannot be forced to send an arbitrary Expect
header by a third-party attacker, it was recently discovered that
certain versions of the Flash plugin can manipulate request headers.
If users running such versions can be persuaded to load a web page
with a malicious Flash applet, a cross-site scripting attack against
the server may be possible.
On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue
in the handling of malformed Expect headers, the page produced by the
cross-site scripting attack will only be returned after a timeout
expires (2-5 minutes by default) if not first canceled by the user.
Users of httpd should update to these erratum packages, which contain
a backported patch to correct these issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2006:0619 and
# Oracle Linux Security Advisory ELSA-2006-0619 respectively.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration phase. When the scanner loads the plugin with `description`
# set, this block only declares metadata and scheduling requirements and then
# exits; none of the host checks further down run in this phase.
if (description)
{
# Plugin identity and revision bookkeeping.
script_id(67402);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
# Cross-references used to correlate this finding with the CVE record, the
# Bugtraq entry and the upstream Red Hat advisory.
script_cve_id("CVE-2006-3918");
script_bugtraq_id(19661);
script_xref(name:"RHSA", value:"2006:0619");
script_name(english:"Oracle Linux 3 / 4 : httpd (ELSA-2006-0619)");
# The summary states the detection method: installed rpm versions are
# inspected, the web server itself is not probed.
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote Oracle Linux host is missing one or more security updates."
);
# The description is the Red Hat advisory text (see the file header), so it
# speaks of Red Hat Enterprise Linux 3 and 4 even though the checks below
# target the Oracle Linux rebuilds of the same packages.
script_set_attribute(
attribute:"description",
value:
"From Red Hat Security Advisory 2006:0619 :
Updated Apache httpd packages that correct security issues and resolve
bugs are now available for Red Hat Enterprise Linux 3 and 4.
This update has been rated as having moderate security impact by the
Red Hat Security Response Team.
The Apache HTTP Server is a popular Web server available for free.
A bug was found in Apache where an invalid Expect header sent to the
server was returned to the user in an unescaped error message. This
could allow an attacker to perform a cross-site scripting attack if a
victim was tricked into connecting to a site and sending a carefully
crafted Expect header. (CVE-2006-3918)
While a web browser cannot be forced to send an arbitrary Expect
header by a third-party attacker, it was recently discovered that
certain versions of the Flash plugin can manipulate request headers.
If users running such versions can be persuaded to load a web page
with a malicious Flash applet, a cross-site scripting attack against
the server may be possible.
On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue
in the handling of malformed Expect headers, the page produced by the
cross-site scripting attack will only be returned after a timeout
expires (2-5 minutes by default) if not first canceled by the user.
Users of httpd should update to these erratum packages, which contain
a backported patch to correct these issues."
);
# Two Oracle errata mailing-list posts are referenced (November 2006 and
# March 2007).
script_set_attribute(
attribute:"see_also",
value:"https://oss.oracle.com/pipermail/el-errata/2006-November/000001.html"
);
script_set_attribute(
attribute:"see_also",
value:"https://oss.oracle.com/pipermail/el-errata/2007-March/000078.html"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected httpd packages."
);
# CVSS v2 base vector: network reachable, medium access complexity, no
# authentication, partial integrity impact only (no confidentiality or
# availability impact), which matches a reflected XSS.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
# Temporal vector: proof-of-concept exploit code, official fix available,
# report confidence confirmed.
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
# "local" plugin type: the result comes from data collected on the host
# (the rpm list), so it needs a credentialed scan.
script_set_attribute(attribute:"plugin_type", value:"local");
# CPE entries for the affected packages and the two OS releases covered.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-manual");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-suexec");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mod_ssl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:3");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
# Timeline: vulnerability disclosure, vendor patch, and first release of this
# plugin. The plugin was published years after the patch it checks for.
script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/27");
script_set_attribute(attribute:"patch_publication_date", value:"2006/11/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
# ACT_GATHER_INFO: information-gathering category.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Oracle Linux Local Security Checks");
# Scheduling prerequisites: ssh_get_info.nasl must run first, and the four
# knowledge-base keys must exist. Presumably ssh_get_info.nasl is what fills
# those keys from the credentialed login; confirm against that plugin.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
# End of the registration phase.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Host gating. Each test below calls audit() when the host is out of scope;
# the code that follows assumes audit() ends the plugin run (it is defined in
# audit.inc).

# Local (credentialed) checks must be enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# The knowledge base must have marked the host as Oracle Linux.
if (!get_kb_item("Host/OracleLinux"))
{
  audit(AUDIT_OS_NOT, "Oracle Linux");
}

# The release string is stored under the RedHat key; it has to carry one of
# the two Oracle product names.
release = get_kb_item("Host/RedHat/release");
if (
  isnull(release) ||
  !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)
)
{
  audit(AUDIT_OS_NOT, "Oracle Linux");
}

# Pull "major" or "major.minor" out of the release string.
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver))
{
  audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
}
os_ver = os_ver[1];

# Accept only major version 3 or 4: the character after the leading digit
# must be a non-digit or the end of the string, so "3.9" passes and "30"
# does not.
if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver))
{
  audit(AUDIT_OS_NOT, "Oracle Linux 3 / 4", "Oracle Linux " + os_ver);
}

# Without the collected rpm list there is nothing to compare against.
if (!get_kb_item("Host/RedHat/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Architecture gate: x86_64, ia64 and i386..i686 are let through.
# NOTE(review): ia64 passes this gate, but the package checks in this plugin
# name only i386 and x86_64 builds. Whether an ia64 host is then reported as
# "not installed" or "not affected" depends on how rpm_check() matches its cpu
# argument; confirm in rpm.inc before trusting a clean result on ia64.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if (
  "x86_64" >!< cpu &&
  "ia64" >!< cpu &&
  cpu !~ "^i[3-6]86$"
)
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
}
# Package comparison. flag counts how many rpm_check() calls returned true.
# rpm_check() comes from rpm.inc; presumably it returns true when the named
# package is installed for that release/cpu at a version older than
# `reference`. Confirm against rpm.inc.
#
# The fix is a backport: the reference builds keep the distribution's httpd
# versions (2.0.46 on EL3, 2.0.52 on EL4) and differ only in the release
# field, while the CVE record lists upstream 2.0 as fixed in 2.0.58. A patched
# host therefore still advertises an "old" httpd version, and banner-based
# version checks will not agree with this package-level result.
flag = 0;
# Oracle Linux 3: httpd, httpd-devel and mod_ssl, each for i386 and x86_64.
# No httpd-manual or httpd-suexec entries are listed for EL3.
if (rpm_check(release:"EL3", cpu:"i386", reference:"httpd-2.0.46-61.ent.0.1")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"httpd-2.0.46-61.ent.0.1")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"httpd-devel-2.0.46-61.ent.0.1")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"httpd-devel-2.0.46-61.ent.0.1")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"mod_ssl-2.0.46-61.ent.0.1")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"mod_ssl-2.0.46-61.ent.0.1")) flag++;
# Oracle Linux 4: the same three packages plus httpd-manual and httpd-suexec,
# each for i386 and x86_64.
if (rpm_check(release:"EL4", cpu:"i386", reference:"httpd-2.0.52-28.1")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"httpd-2.0.52-28.1")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"httpd-devel-2.0.52-28.1")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"httpd-devel-2.0.52-28.1")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"httpd-manual-2.0.52-28.1")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"httpd-manual-2.0.52-28.1")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"httpd-suexec-2.0.52-28.1")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"httpd-suexec-2.0.52-28.1")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"mod_ssl-2.0.52-28.1")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"mod_ssl-2.0.52-28.1")) flag++;
# Reporting. A non-zero flag means at least one package check matched.
# The finding is derived from the installed package list only; it does not
# show that httpd is running or reachable on the host.
if (flag)
{
  if (report_verbosity > 0)
  {
    # Verbose report: attach the per-package details built up by rpm.inc.
    security_warning(port:0, extra:rpm_report_get());
  }
  else
  {
    security_warning(0);
  }
  exit(0);
}
else
{
  # Nothing matched. Separate "packages were checked and are not affected"
  # from "none of the packages is installed", so that the audit trail shows
  # why the host was not flagged.
  tested = pkg_tests_get();
  if (tested)
  {
    audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  }
  else
  {
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-devel / httpd-manual / httpd-suexec / mod_ssl");
  }
}
{"id": "ORACLELINUX_ELSA-2006-0619.NASL", "bulletinFamily": "scanner", "title": "Oracle Linux 3 / 4 : httpd (ELSA-2006-0619)", "description": "From Red Hat Security Advisory 2006:0619 :\n\nUpdated Apache httpd packages that correct security issues and resolve\nbugs are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nThe Apache HTTP Server is a popular Web server available for free.\n\nA bug was found in Apache where an invalid Expect header sent to the\nserver was returned to the user in an unescaped error message. This\ncould allow an attacker to perform a cross-site scripting attack if a\nvictim was tricked into connecting to a site and sending a carefully\ncrafted Expect header. (CVE-2006-3918)\n\nWhile a web browser cannot be forced to send an arbitrary Expect\nheader by a third-party attacker, it was recently discovered that\ncertain versions of the Flash plugin can manipulate request headers.\nIf users running such versions can be persuaded to load a web page\nwith a malicious Flash applet, a cross-site scripting attack against\nthe server may be possible.\n\nOn Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue\nin the handling of malformed Expect headers, the page produced by the\ncross-site scripting attack will only be returned after a timeout\nexpires (2-5 minutes by default) if not first canceled by the user.\n\nUsers of httpd should update to these erratum packages, which contain\na backported patch to correct these issues.", "published": "2013-07-12T00:00:00", "modified": "2013-07-12T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://www.tenable.com/plugins/nessus/67402", "reporter": "This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://oss.oracle.com/pipermail/el-errata/2007-March/000078.html", "https://oss.oracle.com/pipermail/el-errata/2006-November/000001.html"], "cvelist": ["CVE-2006-3918"], "type": "nessus", "lastseen": "2021-01-17T12:43:50", "edition": 24, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3918"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2006-0618.NASL", "REDHAT-RHSA-2006-0619.NASL", "SUSE_SA_2006_051.NASL", "REDHAT-RHSA-2006-0618.NASL", "DEBIAN_DSA-1167.NASL", "WWW_EXPECT_XSS.NASL", "SUSE9_12125.NASL", "UBUNTU_USN-575-1.NASL", "F5_BIGIP_SOL6669.NASL", "CENTOS_RHSA-2006-0619.NASL"]}, {"type": "httpd", "idList": ["HTTPD:7FD1B79F0D1704151C70AE49C5A4F4BD", "HTTPD:21276F7B71358FCD8ED42705121EF5F3"]}, {"type": "centos", "idList": ["CESA-2006:0618-01", "CESA-2006:0618", "CESA-2006:0619"]}, {"type": "redhat", "idList": ["RHSA-2006:0619", "RHSA-2006:0618"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:61420", "PACKETSTORM:102234"]}, {"type": "f5", "idList": ["F5:K6669", "SOL6669"]}, {"type": "oraclelinux", "idList": ["ELSA-2006-0619"]}, {"type": "exploitdb", "idList": ["EDB-ID:28424"]}, {"type": "osvdb", "idList": ["OSVDB:27487"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1167-1:158F8"]}, {"type": "seebug", "idList": ["SSV:71772"]}, {"type": "openvas", "idList": ["OPENVAS:65467", "OPENVAS:840304", "OPENVAS:850009", "OPENVAS:1361412562310835247", "OPENVAS:57335", "OPENVAS:65575", "OPENVAS:835247", "OPENVAS:835224", "OPENVAS:136141256231065575", "OPENVAS:136141256231065467"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:683C3B1D02827D6B32706DB1D146B2D8"]}, {"type": "suse", "idList": ["SUSE-SA:2006:051", "SUSE-SA:2008:021"]}, {"type": "ubuntu", "idList": ["USN-575-1"]}], "modified": "2021-01-17T12:43:50", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2021-01-17T12:43:50", "rev": 2}, "vulnersScore": 5.4}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) 
Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2006:0619 and \n# Oracle Linux Security Advisory ELSA-2006-0619 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67402);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-3918\");\n script_bugtraq_id(19661);\n script_xref(name:\"RHSA\", value:\"2006:0619\");\n\n script_name(english:\"Oracle Linux 3 / 4 : httpd (ELSA-2006-0619)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2006:0619 :\n\nUpdated Apache httpd packages that correct security issues and resolve\nbugs are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nThe Apache HTTP Server is a popular Web server available for free.\n\nA bug was found in Apache where an invalid Expect header sent to the\nserver was returned to the user in an unescaped error message. This\ncould allow an attacker to perform a cross-site scripting attack if a\nvictim was tricked into connecting to a site and sending a carefully\ncrafted Expect header. 
(CVE-2006-3918)\n\nWhile a web browser cannot be forced to send an arbitrary Expect\nheader by a third-party attacker, it was recently discovered that\ncertain versions of the Flash plugin can manipulate request headers.\nIf users running such versions can be persuaded to load a web page\nwith a malicious Flash applet, a cross-site scripting attack against\nthe server may be possible.\n\nOn Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue\nin the handling of malformed Expect headers, the page produced by the\ncross-site scripting attack will only be returned after a timeout\nexpires (2-5 minutes by default) if not first canceled by the user.\n\nUsers of httpd should update to these erratum packages, which contain\na backported patch to correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2006-November/000001.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2007-March/000078.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-suexec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(3|4)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 3 / 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"httpd-2.0.46-61.ent.0.1\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"httpd-2.0.46-61.ent.0.1\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"httpd-devel-2.0.46-61.ent.0.1\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"httpd-devel-2.0.46-61.ent.0.1\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"mod_ssl-2.0.46-61.ent.0.1\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"mod_ssl-2.0.46-61.ent.0.1\")) flag++;\n\nif (rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"httpd-2.0.52-28.1\")) flag++;\nif (rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"httpd-2.0.52-28.1\")) flag++;\nif (rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"httpd-devel-2.0.52-28.1\")) flag++;\nif (rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"httpd-devel-2.0.52-28.1\")) flag++;\nif (rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"httpd-manual-2.0.52-28.1\")) flag++;\nif (rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"httpd-manual-2.0.52-28.1\")) flag++;\nif (rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"httpd-suexec-2.0.52-28.1\")) flag++;\nif (rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"httpd-suexec-2.0.52-28.1\")) flag++;\nif (rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"mod_ssl-2.0.52-28.1\")) flag++;\nif (rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"mod_ssl-2.0.52-28.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity 
> 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-suexec / mod_ssl\");\n}\n", "naslFamily": "Oracle Linux Local Security Checks", "pluginID": "67402", "cpe": ["p-cpe:/a:oracle:linux:httpd-devel", "p-cpe:/a:oracle:linux:httpd", "p-cpe:/a:oracle:linux:httpd-suexec", "p-cpe:/a:oracle:linux:mod_ssl", "cpe:/o:oracle:linux:3", "p-cpe:/a:oracle:linux:httpd-manual", "cpe:/o:oracle:linux:4"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:48:16", "description": "http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.", "edition": 3, "cvss3": {}, "published": "2006-07-28T00:04:00", "title": "CVE-2006-3918", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3918"], "modified": "2017-10-11T01:31:00", "cpe": ["cpe:/a:ibm:http_server:6.0", "cpe:/a:apache:http_server:1.3.22", "cpe:/a:apache:http_server:2.2", "cpe:/a:apache:http_server:1.3.17", "cpe:/a:apache:http_server:2.2.1", "cpe:/a:apache:http_server:2.0", "cpe:/a:apache:http_server:2.0.57", "cpe:/a:apache:http_server:1.3.1", "cpe:/a:apache:http_server:1.3.20", "cpe:/a:apache:http_server:1.3.19", "cpe:/a:apache:http_server:1.3.12", "cpe:/a:ibm:http_server:6.1", "cpe:/a:apache:http_server:1.3", "cpe:/a:apache:http_server:1.3.11", "cpe:/a:apache:http_server:1.3.18"], "id": "CVE-2006-3918", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3918", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.12:*:win32:*:*:*:*:*", "cpe:2.3:a:ibm:http_server:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.57:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.11:*:win32:*:*:*:*:*", "cpe:2.3:a:ibm:http_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-06T09:25:01", "description": "Updated Apache httpd packages that correct a security issue are now\navailable for Red Hat Enterprise Linux 2.1.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe Apache HTTP Server is a popular Web server available for free.\n\nA bug was found in Apache where an invalid Expect header sent to the\nserver was returned to the user in an unescaped error message. This\ncould allow an attacker to perform a cross-site scripting attack if a\nvictim was tricked into connecting to a site and sending a carefully\ncrafted Expect header. 
(CVE-2006-3918)\n\nWhile a web browser cannot be forced to send an arbitrary Expect\nheader by a third-party attacker, it was recently discovered that\ncertain versions of the Flash plugin can manipulate request headers.\nIf users running such versions can be persuaded to load a web page\nwith a malicious Flash applet, a cross-site scripting attack against\nthe server may be possible.\n\nUsers of Apache should upgrade to these updated packages, which\ncontain a backported patch to correct this issue.", "edition": 26, "published": "2013-06-29T00:00:00", "title": "CentOS 4 : apache (CESA-2006:0618)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918"], "modified": "2013-06-29T00:00:00", "cpe": ["p-cpe:/a:centos:centos:httpd-suexec", "p-cpe:/a:centos:centos:mod_ssl", "p-cpe:/a:centos:centos:httpd-manual", "cpe:/o:centos:centos:4", "p-cpe:/a:centos:centos:httpd", "p-cpe:/a:centos:centos:httpd-devel"], "id": "CENTOS_RHSA-2006-0618.NASL", "href": "https://www.tenable.com/plugins/nessus/67036", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0618 and \n# CentOS Errata and Security Advisory 2006:0618 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67036);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2006-3918\");\n script_bugtraq_id(19661);\n script_xref(name:\"RHSA\", value:\"2006:0618\");\n\n script_name(english:\"CentOS 4 : apache (CESA-2006:0618)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated Apache 
httpd packages that correct a security issue are now\navailable for Red Hat Enterprise Linux 2.1.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe Apache HTTP Server is a popular Web server available for free.\n\nA bug was found in Apache where an invalid Expect header sent to the\nserver was returned to the user in an unescaped error message. This\ncould allow an attacker to perform a cross-site scripting attack if a\nvictim was tricked into connecting to a site and sending a carefully\ncrafted Expect header. (CVE-2006-3918)\n\nWhile a web browser cannot be forced to send an arbitrary Expect\nheader by a third-party attacker, it was recently discovered that\ncertain versions of the Flash plugin can manipulate request headers.\nIf users running such versions can be persuaded to load a web page\nwith a malicious Flash applet, a cross-site scripting attack against\nthe server may be possible.\n\nUsers of Apache should upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013165.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?373ad018\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-suexec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 4.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-4\", cpu:\"ia64\", reference:\"httpd-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"ia64\", reference:\"httpd-devel-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"ia64\", reference:\"httpd-manual-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"ia64\", reference:\"httpd-suexec-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"ia64\", reference:\"mod_ssl-2.0.52-28.ent.centos4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-suexec / mod_ssl\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-06T09:25:01", "description": "Updated Apache httpd packages that correct security issues and resolve\nbugs are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nThe Apache HTTP Server is a popular Web server available for free.\n\nA bug was found in Apache where an invalid Expect header sent to the\nserver was returned to the user in an unescaped error message. 
This\ncould allow an attacker to perform a cross-site scripting attack if a\nvictim was tricked into connecting to a site and sending a carefully\ncrafted Expect header. (CVE-2006-3918)\n\nWhile a web browser cannot be forced to send an arbitrary Expect\nheader by a third-party attacker, it was recently discovered that\ncertain versions of the Flash plugin can manipulate request headers.\nIf users running such versions can be persuaded to load a web page\nwith a malicious Flash applet, a cross-site scripting attack against\nthe server may be possible.\n\nOn Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue\nin the handling of malformed Expect headers, the page produced by the\ncross-site scripting attack will only be returned after a timeout\nexpires (2-5 minutes by default) if not first canceled by the user.\n\nUsers of httpd should update to these erratum packages, which contain\na backported patch to correct these issues.", "edition": 26, "published": "2006-08-14T00:00:00", "title": "CentOS 3 / 4 : httpd (CESA-2006:0619)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918"], "modified": "2006-08-14T00:00:00", "cpe": ["p-cpe:/a:centos:centos:httpd-suexec", "p-cpe:/a:centos:centos:mod_ssl", "p-cpe:/a:centos:centos:httpd-manual", "cpe:/o:centos:centos:4", "p-cpe:/a:centos:centos:httpd", "p-cpe:/a:centos:centos:httpd-devel", "cpe:/o:centos:centos:3"], "id": "CENTOS_RHSA-2006-0619.NASL", "href": "https://www.tenable.com/plugins/nessus/22207", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0619 and \n# CentOS Errata and Security Advisory 2006:0619 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22207);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2006-3918\");\n script_bugtraq_id(19661);\n script_xref(name:\"RHSA\", value:\"2006:0619\");\n\n script_name(english:\"CentOS 3 / 4 : httpd (CESA-2006:0619)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated Apache httpd packages that correct security issues and resolve\nbugs are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nThe Apache HTTP Server is a popular Web server available for free.\n\nA bug was found in Apache where an invalid Expect header sent to the\nserver was returned to the user in an unescaped error message. This\ncould allow an attacker to perform a cross-site scripting attack if a\nvictim was tricked into connecting to a site and sending a carefully\ncrafted Expect header. 
(CVE-2006-3918)\n\nWhile a web browser cannot be forced to send an arbitrary Expect\nheader by a third-party attacker, it was recently discovered that\ncertain versions of the Flash plugin can manipulate request headers.\nIf users running such versions can be persuaded to load a web page\nwith a malicious Flash applet, a cross-site scripting attack against\nthe server may be possible.\n\nOn Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue\nin the handling of malformed Expect headers, the page produced by the\ncross-site scripting attack will only be returned after a timeout\nexpires (2-5 minutes by default) if not first canceled by the user.\n\nUsers of httpd should update to these erratum packages, which contain\na backported patch to correct these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013135.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d7bef01e\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013136.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1ec64603\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013143.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?57ea1f21\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013144.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1f103564\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-suexec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(3|4)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 3.x / 4.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-3\", cpu:\"i386\", reference:\"httpd-2.0.46-61.ent.centos3\")) flag++;\nif (rpm_check(release:\"CentOS-3\", cpu:\"x86_64\", reference:\"httpd-2.0.46-61.ent.centos3\")) flag++;\nif (rpm_check(release:\"CentOS-3\", cpu:\"i386\", reference:\"httpd-devel-2.0.46-61.ent.centos3\")) flag++;\nif (rpm_check(release:\"CentOS-3\", cpu:\"x86_64\", reference:\"httpd-devel-2.0.46-61.ent.centos3\")) flag++;\nif (rpm_check(release:\"CentOS-3\", cpu:\"i386\", reference:\"mod_ssl-2.0.46-61.ent.centos3\")) flag++;\nif (rpm_check(release:\"CentOS-3\", cpu:\"x86_64\", reference:\"mod_ssl-2.0.46-61.ent.centos3\")) flag++;\n\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"httpd-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"httpd-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"httpd-devel-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"httpd-devel-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"httpd-manual-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"httpd-manual-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"httpd-suexec-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"httpd-suexec-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", 
reference:\"mod_ssl-2.0.52-28.ent.centos4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"mod_ssl-2.0.52-28.ent.centos4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-suexec / mod_ssl\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:05:29", "description": "The remote BIG-IP device is missing a patch required by a security\nadvisory.", "edition": 30, "published": "2014-10-10T00:00:00", "title": "F5 Networks BIG-IP : Apache HTTP Expect header handling (SOL6669)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918"], "modified": "2014-10-10T00:00:00", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL6669.NASL", "href": "https://www.tenable.com/plugins/nessus/78212", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL6669.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78212);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2006-3918\");\n script_bugtraq_id(19661);\n\n script_name(english:\"F5 Networks BIG-IP : Apache HTTP Expect header handling (SOL6669)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The 
remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote BIG-IP device is missing a patch required by a security\nadvisory.\"\n );\n # http://seclists.org/bugtraq/2006/May/0440.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/bugtraq/2006/May/0440.html\"\n );\n # http://www.securityfocus.com/archive/1/441014/30/0/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/archive/1/441014/30/0/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K6669\"\n );\n # https://web.archive.org/web/20070523192439/http://httpd.apache.org/security/vulnerabilities_13.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?636217b2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL6669.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL6669\";\nvmatrix = make_array();\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"9.2.0-9.2.5\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"9.3\",\"9.4\",\"10\",\"11\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"9.2.2-9.2.5\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"9.3\",\"9.4\",\"10\",\"11\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"9.2.2-9.2.5\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"9.3\",\"9.4\",\"10\",\"11\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"9.0.0-9.2.5\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"9.3\",\"9.4\",\"9.6\",\"10\",\"11\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = 
\"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T13:05:40", "description": "Updated Apache httpd packages that correct a security issue are now\navailable for Red Hat Enterprise Linux 2.1.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe Apache HTTP Server is a popular Web server available for free.\n\nA bug was found in Apache where an invalid Expect header sent to the\nserver was returned to the user in an unescaped error message. This\ncould allow an attacker to perform a cross-site scripting attack if a\nvictim was tricked into connecting to a site and sending a carefully\ncrafted Expect header. (CVE-2006-3918)\n\nWhile a web browser cannot be forced to send an arbitrary Expect\nheader by a third-party attacker, it was recently discovered that\ncertain versions of the Flash plugin can manipulate request headers.\nIf users running such versions can be persuaded to load a web page\nwith a malicious Flash applet, a cross-site scripting attack against\nthe server may be possible.\n\nUsers of Apache should upgrade to these updated packages, which\ncontain a backported patch to correct this issue.", "edition": 27, "published": "2006-08-10T00:00:00", "title": "RHEL 2.1 : apache (RHSA-2006:0618)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918"], "modified": "2006-08-10T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:2.1", "p-cpe:/a:redhat:enterprise_linux:apache", "p-cpe:/a:redhat:enterprise_linux:apache-manual", "p-cpe:/a:redhat:enterprise_linux:apache-devel"], "id": "REDHAT-RHSA-2006-0618.NASL", "href": "https://www.tenable.com/plugins/nessus/22202", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The 
descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0618. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22202);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-3918\");\n script_bugtraq_id(19661);\n script_xref(name:\"RHSA\", value:\"2006:0618\");\n\n script_name(english:\"RHEL 2.1 : apache (RHSA-2006:0618)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated Apache httpd packages that correct a security issue are now\navailable for Red Hat Enterprise Linux 2.1.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe Apache HTTP Server is a popular Web server available for free.\n\nA bug was found in Apache where an invalid Expect header sent to the\nserver was returned to the user in an unescaped error message. This\ncould allow an attacker to perform a cross-site scripting attack if a\nvictim was tricked into connecting to a site and sending a carefully\ncrafted Expect header. 
(CVE-2006-3918)\n\nWhile a web browser cannot be forced to send an arbitrary Expect\nheader by a third-party attacker, it was recently discovered that\ncertain versions of the Flash plugin can manipulate request headers.\nIf users running such versions can be persuaded to load a web page\nwith a malicious Flash applet, a cross-site scripting attack against\nthe server may be possible.\n\nUsers of Apache should upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-3918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2006:0618\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected apache, apache-devel and / or apache-manual\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2006:0618\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", 
reference:\"apache-1.3.27-11.ent\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"apache-devel-1.3.27-11.ent\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"apache-manual-1.3.27-11.ent\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache / apache-devel / apache-manual\");\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T13:05:41", "description": "Updated Apache httpd packages that correct security issues and resolve\nbugs are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nThe Apache HTTP Server is a popular Web server available for free.\n\nA bug was found in Apache where an invalid Expect header sent to the\nserver was returned to the user in an unescaped error message. This\ncould allow an attacker to perform a cross-site scripting attack if a\nvictim was tricked into connecting to a site and sending a carefully\ncrafted Expect header. 
(CVE-2006-3918)\n\nWhile a web browser cannot be forced to send an arbitrary Expect\nheader by a third-party attacker, it was recently discovered that\ncertain versions of the Flash plugin can manipulate request headers.\nIf users running such versions can be persuaded to load a web page\nwith a malicious Flash applet, a cross-site scripting attack against\nthe server may be possible.\n\nOn Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue\nin the handling of malformed Expect headers, the page produced by the\ncross-site scripting attack will only be returned after a timeout\nexpires (2-5 minutes by default) if not first canceled by the user.\n\nUsers of httpd should update to these erratum packages, which contain\na backported patch to correct these issues.", "edition": 27, "published": "2006-08-14T00:00:00", "title": "RHEL 3 / 4 : httpd (RHSA-2006:0619)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918"], "modified": "2006-08-14T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:3", "cpe:/o:redhat:enterprise_linux:4", "p-cpe:/a:redhat:enterprise_linux:httpd-suexec", "p-cpe:/a:redhat:enterprise_linux:mod_ssl", "p-cpe:/a:redhat:enterprise_linux:httpd", "p-cpe:/a:redhat:enterprise_linux:httpd-manual", "p-cpe:/a:redhat:enterprise_linux:httpd-devel"], "id": "REDHAT-RHSA-2006-0619.NASL", "href": "https://www.tenable.com/plugins/nessus/22224", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0619. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22224);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-3918\");\n script_bugtraq_id(19661);\n script_xref(name:\"RHSA\", value:\"2006:0619\");\n\n script_name(english:\"RHEL 3 / 4 : httpd (RHSA-2006:0619)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated Apache httpd packages that correct security issues and resolve\nbugs are now available for Red Hat Enterprise Linux 3 and 4.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nThe Apache HTTP Server is a popular Web server available for free.\n\nA bug was found in Apache where an invalid Expect header sent to the\nserver was returned to the user in an unescaped error message. This\ncould allow an attacker to perform a cross-site scripting attack if a\nvictim was tricked into connecting to a site and sending a carefully\ncrafted Expect header. 
(CVE-2006-3918)\n\nWhile a web browser cannot be forced to send an arbitrary Expect\nheader by a third-party attacker, it was recently discovered that\ncertain versions of the Flash plugin can manipulate request headers.\nIf users running such versions can be persuaded to load a web page\nwith a malicious Flash applet, a cross-site scripting attack against\nthe server may be possible.\n\nOn Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue\nin the handling of malformed Expect headers, the page produced by the\ncross-site scripting attack will only be returned after a timeout\nexpires (2-5 minutes by default) if not first canceled by the user.\n\nUsers of httpd should update to these erratum packages, which contain\na backported patch to correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-3918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2006:0619\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-suexec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(3|4)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x / 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2006:0619\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"httpd-2.0.46-61.ent\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"httpd-devel-2.0.46-61.ent\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"mod_ssl-2.0.46-61.ent\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"httpd-2.0.52-28.ent\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"httpd-devel-2.0.52-28.ent\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"httpd-manual-2.0.52-28.ent\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"httpd-suexec-2.0.52-28.ent\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"mod_ssl-2.0.52-28.ent\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-suexec / mod_ssl\");\n }\n}\n", "cvss": {"score": 4.3, "vector": 
"AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-01T07:01:06", "description": "The remote web server fails to sanitize the contents of an 'Expect'\nrequest header before using it to generate dynamic web content. An\nunauthenticated, remote attacker may be able to leverage this issue to\nlaunch cross-site scripting attacks against the affected service,\nperhaps through specially crafted ShockWave (SWF) files.", "edition": 27, "cvss3": {"score": 4.3, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}, "published": "2006-08-23T00:00:00", "title": "Web Server Expect Header XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2007-5944"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "WWW_EXPECT_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/22254", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22254);\n script_version(\"1.31\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n\n script_cve_id(\"CVE-2006-3918\", \"CVE-2007-5944\");\n script_bugtraq_id(19661, 26457);\n\n script_name(english:\"Web Server Expect Header XSS\");\n script_summary(english:\"Checks for an XSS flaw involving Expect Headers\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is vulnerable to a cross-site scripting attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server fails to sanitize the contents of an 'Expect'\nrequest header before using it to generate dynamic web content. 
An\nunauthenticated, remote attacker may be able to leverage this issue to\nlaunch cross-site scripting attacks against the affected service,\nperhaps through specially crafted ShockWave (SWF) files.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2006/May/150\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2006/May/440\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2006/Jul/423\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.apache.org/dist/httpd/CHANGES_2.2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.apache.org/dist/httpd/CHANGES_2.0\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.apache.org/dist/httpd/CHANGES_1.3\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-1.ibm.com/support/docview.wss?uid=swg24017314\");\n script_set_attribute(attribute:\"solution\", value:\n\"Check with the vendor for an update to the web server. 
For Apache,\nthe issue is reportedly fixed by versions 1.3.35 / 2.0.57 / 2.2.2; for\nIBM HTTP Server, upgrade to 6.0.2.13 / 6.1.0.1; for IBM WebSphere\nApplication Server, upgrade to 5.1.1.17.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-3918\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/23\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"find_service2.nasl\", \"http_version.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"raw.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (islocalhost() ) exit(0, \"Nessus can not test for the issue over the loopback interface.\");\n\nport = get_http_port(default:80);\nif ( get_port_transport(port) != ENCAPS_IP ) exit(0, \"This script only works for HTTP connections\");\n\nsoc = open_sock_tcp(port);\nif (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n\n# Generate a request to exploit the flaw.\nexploit = SCRIPT_NAME + \" testing for BID 19661 <test>\";\nrq = http_mk_get_req(port: port, item: \"/\", add_headers: make_array(\"Expect\", exploit));\nbuf = http_mk_buffer_from_req(req: rq);\nif ( buf == NULL ) audit(AUDIT_FN_FAIL, \"http_mk_buffer_from_req\");\n\n# Send the request but don't worry about the response.\nfilter = \"tcp and \"\n + \"src host \" + get_host_ip() + \" and \"\n + \"src port \" + port + \" and \"\n + \"dst port \" + get_source_port(soc);\nres = send_capture(socket:soc, data:buf, pcap_filter:filter);\nif (res == NULL) audit(AUDIT_RESP_NOT, port);\nflags = get_tcp_element(tcp:res, element:\"th_flags\");\nif (flags & TH_ACK == 0) exit(0, \"The TCP response from the web server on port \"+port+\" was not an ACK.\");\n\n\n# Half-close the connection.\n#\n# nb: the server sends a 417 response only after the connection is\n# closed; a half-close allows us to receive the response.\nip = ip();\nseq = get_tcp_element(tcp:res, element:\"th_ack\");\ntcp = tcp(\n th_dport : port,\n th_sport : get_source_port(soc),\n th_seq : seq,\n th_ack : seq,\n th_win : get_tcp_element(tcp:res, element:\"th_win\"),\n th_flags : TH_FIN|TH_ACK\n);\nhalfclose = mkpacket(ip, tcp);\nr = send_packet(halfclose, 
pcap_filter:filter, pcap_timeout:5);\nif ( !isnull(r) && (\"417 Expectation Failed\" >< r ||\n\t\t \"417 invalid Expect header value:\" >< r ) )\n{\n res2 = strstr(r, \"417 Expectation Failed\");\n if ( isnull(res2) ) res2 = strstr(r, \"417 invalid Expect header value:\");\n}\n\n\n# There's a problem if we see our exploit in the response.\nres = recv(socket:soc, length:1024);\nclose(soc);\n\nif ( isnull(res)) res = res2;\n\nif (\n res &&\n (\n \"417 Expectation Failed\" >< res ||\n \"417 invalid Expect header value:\" >< res\n ) &&\n exploit >< res\n)\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = '\\n'\n + 'Nessus was able to exploit the issue using the following request :\\n'\n + '\\n'\n + crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30)+'\\n'\n + http_mk_buffer_from_req(req:rq)\n + crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30)+ '\\n';\n\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-06T09:44:41", "description": "Several remote vulnerabilities have been discovered in the Apache, the\nworlds most popular webserver, which may lead to the execution of\narbitrary web script. 
The Common Vulnerabilities and Exposures project\nidentifies the following problems :\n\n - CVE-2005-3352\n A cross-site scripting (XSS) flaw exists in the mod_imap\n component of the Apache server.\n\n - CVE-2006-3918\n Apache does not sanitize the Expect header from an HTTP\n request when it is reflected back in an error message,\n which might allow cross-site scripting (XSS) style\n attacks.", "edition": 25, "published": "2006-10-14T00:00:00", "title": "Debian DSA-1167-1 : apache - missing input sanitising ", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2005-3352"], "modified": "2006-10-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.1", "p-cpe:/a:debian:debian_linux:apache"], "id": "DEBIAN_DSA-1167.NASL", "href": "https://www.tenable.com/plugins/nessus/22709", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1167. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22709);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2005-3352\", \"CVE-2006-3918\");\n script_xref(name:\"DSA\", value:\"1167\");\n\n script_name(english:\"Debian DSA-1167-1 : apache - missing input sanitising \");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several remote vulnerabilities have been discovered in the Apache, the\nworlds most popular webserver, which may lead to the execution of\narbitrary web script. 
The Common Vulnerabilities and Exposures project\nidentifies the following problems :\n\n - CVE-2005-3352\n A cross-site scripting (XSS) flaw exists in the mod_imap\n component of the Apache server.\n\n - CVE-2006-3918\n Apache does not sanitize the Expect header from an HTTP\n request when it is reflected back in an error message,\n which might allow cross-site scripting (XSS) style\n attacks.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=381381\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2005-3352\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-3918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-1167\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the apache package.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 1.3.33-6sarge3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/09/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/12/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security 
Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"apache\", reference:\"1.3.33-6sarge3\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-common\", reference:\"1.3.33-6sarge3\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-dbg\", reference:\"1.3.33-6sarge3\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-dev\", reference:\"1.3.33-6sarge3\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-doc\", reference:\"1.3.33-6sarge3\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-perl\", reference:\"1.3.33-6sarge3\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-ssl\", reference:\"1.3.33-6sarge3\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-utils\", reference:\"1.3.33-6sarge3\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"libapache-mod-perl\", reference:\"1.29.0.3-6sarge3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T14:14:48", "description": "The remote host is missing the patch for the advisory SUSE-SA:2006:051 (apache2).\n\n\nThe web server Apache2 has been updated to fix several security issues:\n\nThe security fix for CVE-2005-3357 (denial of service) broke the\nearlier security fix for SSL verification (CVE-2005-2700). 
This\nproblem has been corrected.\n\nAdditionally a cross site scripting bug with the 'Expect' header error\nreporting was fixed (CVE-2006-3918). The Apache foundation does not\nconsider this a security problem.", "edition": 7, "published": "2007-02-18T00:00:00", "title": "SUSE-SA:2006:051: apache2", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2700", "CVE-2006-3918", "CVE-2005-3357"], "modified": "2007-02-18T00:00:00", "cpe": [], "id": "SUSE_SA_2006_051.NASL", "href": "https://www.tenable.com/plugins/nessus/24429", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:051\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(24429);\n script_version(\"1.10\");\n \n name[\"english\"] = \"SUSE-SA:2006:051: apache2\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2006:051 (apache2).\n\n\nThe web server Apache2 has been updated to fix several security issues:\n\nThe security fix for CVE-2005-3357 (denial of service) broke the\nearlier security fix for SSL verification (CVE-2005-2700). This\nproblem has been corrected.\n\nAdditionally a cross site scripting bug with the 'Expect' header error\nreporting was fixed (CVE-2006-3918). 
The Apache foundation does not\nconsider this a security problem.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.novell.com/linux/security/advisories/2006_51_apache.html\" );\n script_set_attribute(attribute:\"risk_factor\", value:\"Medium\" );\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/02/18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the apache2 package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"apache2-2.0.54-10.8\", release:\"SUSE10.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-prefork-2.0.54-10.8\", release:\"SUSE10.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-worker-2.0.54-10.8\", release:\"SUSE10.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-2.0.50-7.17\", release:\"SUSE9.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-prefork-2.0.50-7.17\", release:\"SUSE9.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-worker-2.0.50-7.17\", release:\"SUSE9.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-2.0.53-9.15\", release:\"SUSE9.3\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-prefork-2.0.53-9.15\", release:\"SUSE9.3\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( 
reference:\"apache2-worker-2.0.53-9.15\", release:\"SUSE9.3\") )\n{\n security_warning(0);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:02:15", "description": "This update fixes multiple bugs in apache :\n\n - cross-site scripting problem when processing the\n 'Expect' header. (CVE-2006-3918)\n\n - cross-site scripting problem in mod_imap.\n (CVE-2007-5000)\n\n - cross-site scripting problem in mod_status.\n (CVE-2007-6388)\n\n - cross-site scripting problem in the ftp proxy module.\n (CVE-2008-0005)", "edition": 25, "published": "2009-09-24T00:00:00", "title": "SuSE9 Security Update : Apache (YOU Patch Number 12125)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2008-0005", "CVE-2007-6388", "CVE-2007-5000"], "modified": "2009-09-24T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE9_12125.NASL", "href": "https://www.tenable.com/plugins/nessus/41207", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(41207);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-3918\", \"CVE-2007-5000\", \"CVE-2007-6388\", \"CVE-2008-0005\");\n\n script_name(english:\"SuSE9 Security Update : Apache (YOU Patch Number 12125)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 9 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes multiple bugs in apache :\n\n - cross-site scripting problem when processing the\n 'Expect' header. 
(CVE-2006-3918)\n\n - cross-site scripting problem in mod_imap.\n (CVE-2007-5000)\n\n - cross-site scripting problem in mod_status.\n (CVE-2007-6388)\n\n - cross-site scripting problem in the ftp proxy module.\n (CVE-2008-0005)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2006-3918/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2007-5000.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2007-6388.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2008-0005.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply YOU patch number 12125.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/03/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = 
get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 9 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SUSE9\", reference:\"apache-1.3.29-71.26\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"apache-devel-1.3.29-71.26\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"apache-doc-1.3.29-71.26\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"apache-example-pages-1.3.29-71.26\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"mod_ssl-2.8.16-71.26\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-01T06:56:34", "description": "It was discovered that Apache did not sanitize the Expect header from\nan HTTP request when it is reflected back in an error message, which\ncould result in browsers becoming vulnerable to cross-site scripting\nattacks when processing the output. With cross-site scripting\nvulnerabilities, if a user were tricked into viewing server output\nduring a crafted server request, a remote attacker could exploit this\nto modify the contents, or steal confidential data (such as\npasswords), within the same domain. This was only vulnerable in Ubuntu\n6.06. (CVE-2006-3918)\n\nIt was discovered that when configured as a proxy server and using a\nthreaded MPM, Apache did not properly sanitize its input. A remote\nattacker could send Apache crafted date headers and cause a denial of\nservice via application crash. By default, mod_proxy is disabled in\nUbuntu. 
(CVE-2007-3847)\n\nIt was discovered that mod_autoindex did not force a character set,\nwhich could result in browsers becoming vulnerable to cross-site\nscripting attacks when processing the output. (CVE-2007-4465)\n\nIt was discovered that mod_imap/mod_imagemap did not force a character\nset, which could result in browsers becoming vulnerable to cross-site\nscripting attacks when processing the output. By default,\nmod_imap/mod_imagemap is disabled in Ubuntu. (CVE-2007-5000)\n\nIt was discovered that mod_status, when status pages were available,\nallowed cross-site scripting attacks. By default, mod_status is\ndisabled in Ubuntu. (CVE-2007-6388)\n\nIt was discovered that mod_proxy_balancer did not sanitize its input,\nwhich could result in browsers becoming vulnerable to cross-site\nscripting attacks when processing the output. By default,\nmod_proxy_balancer is disabled in Ubuntu. This was only vulnerable in\nUbuntu 7.04 and 7.10. (CVE-2007-6421)\n\nIt was discovered that mod_proxy_balancer could be made to dereference\na NULL pointer. A remote attacker could send a crafted request and\ncause a denial of service via application crash. By default,\nmod_proxy_balancer is disabled in Ubuntu. This was only vulnerable in\nUbuntu 7.04 and 7.10. (CVE-2007-6422)\n\nIt was discovered that mod_proxy_ftp did not force a character set,\nwhich could result in browsers becoming vulnerable to cross-site\nscripting attacks when processing the output. By default,\nmod_proxy_ftp is disabled in Ubuntu. (CVE-2008-0005)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2008-02-05T00:00:00", "title": "Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : apache2 vulnerabilities (USN-575-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2007-4465", "CVE-2008-0005", "CVE-2007-6421", "CVE-2007-3847", "CVE-2007-6388", "CVE-2007-5000", "CVE-2007-6422"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:apache2-src", "p-cpe:/a:canonical:ubuntu_linux:apache2-prefork-dev", "cpe:/o:canonical:ubuntu_linux:7.10", "p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-event", "p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-perchild", "cpe:/o:canonical:ubuntu_linux:6.10", "p-cpe:/a:canonical:ubuntu_linux:libapr0", "p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-prefork", "p-cpe:/a:canonical:ubuntu_linux:libapr0-dev", "p-cpe:/a:canonical:ubuntu_linux:apache2", "p-cpe:/a:canonical:ubuntu_linux:apache2.2-common", "p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-worker", "p-cpe:/a:canonical:ubuntu_linux:apache2-threaded-dev", "p-cpe:/a:canonical:ubuntu_linux:apache2-doc", "p-cpe:/a:canonical:ubuntu_linux:apache2-common", "p-cpe:/a:canonical:ubuntu_linux:apache2-utils", "cpe:/o:canonical:ubuntu_linux:7.04", "cpe:/o:canonical:ubuntu_linux:6.06:-:lts"], "id": "UBUNTU_USN-575-1.NASL", "href": "https://www.tenable.com/plugins/nessus/30184", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-575-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(30184);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2019/08/02 13:33:01\");\n\n script_cve_id(\"CVE-2006-3918\", \"CVE-2007-3847\", \"CVE-2007-4465\", \"CVE-2007-5000\", \"CVE-2007-6388\", \"CVE-2007-6421\", \"CVE-2007-6422\", \"CVE-2008-0005\");\n script_bugtraq_id(19661, 25489, 25653, 26838, 27234, 27236, 27237);\n script_xref(name:\"USN\", value:\"575-1\");\n\n script_name(english:\"Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : apache2 vulnerabilities (USN-575-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that Apache did not sanitize the Expect header from\nan HTTP request when it is reflected back in an error message, which\ncould result in browsers becoming vulnerable to cross-site scripting\nattacks when processing the output. With cross-site scripting\nvulnerabilities, if a user were tricked into viewing server output\nduring a crafted server request, a remote attacker could exploit this\nto modify the contents, or steal confidential data (such as\npasswords), within the same domain. This was only vulnerable in Ubuntu\n6.06. (CVE-2006-3918)\n\nIt was discovered that when configured as a proxy server and using a\nthreaded MPM, Apache did not properly sanitize its input. A remote\nattacker could send Apache crafted date headers and cause a denial of\nservice via application crash. By default, mod_proxy is disabled in\nUbuntu. (CVE-2007-3847)\n\nIt was discovered that mod_autoindex did not force a character set,\nwhich could result in browsers becoming vulnerable to cross-site\nscripting attacks when processing the output. 
(CVE-2007-4465)\n\nIt was discovered that mod_imap/mod_imagemap did not force a character\nset, which could result in browsers becoming vulnerable to cross-site\nscripting attacks when processing the output. By default,\nmod_imap/mod_imagemap is disabled in Ubuntu. (CVE-2007-5000)\n\nIt was discovered that mod_status when status pages were available,\nallowed for cross-site scripting attacks. By default, mod_status is\ndisabled in Ubuntu. (CVE-2007-6388)\n\nIt was discovered that mod_proxy_balancer did not sanitize its input,\nwhich could result in browsers becoming vulnerable to cross-site\nscripting attacks when processing the output. By default,\nmod_proxy_balancer is disabled in Ubuntu. This was only vulnerable in\nUbuntu 7.04 and 7.10. (CVE-2007-6421)\n\nIt was discovered that mod_proxy_balancer could be made to dereference\na NULL pointer. A remote attacker could send a crafted request and\ncause a denial of service via application crash. By default,\nmod_proxy_balancer is disabled in Ubuntu. This was only vulnerable in\nUbuntu 7.04 and 7.10. (CVE-2007-6422)\n\nIt was discovered that mod_proxy_ftp did not force a character set,\nwhich could result in browsers becoming vulnerable to cross-site\nscripting attacks when processing the output. By default,\nmod_proxy_ftp is disabled in Ubuntu. (CVE-2008-0005).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/575-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-event\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-perchild\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-prefork-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-threaded-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2.2-common\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:libapr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libapr0-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.06:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:7.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:7.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/02/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(6\\.06|6\\.10|7\\.04|7\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 6.06 / 6.10 / 7.04 / 7.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-common\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-doc\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-mpm-perchild\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-mpm-prefork\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-mpm-worker\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-prefork-dev\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-threaded-dev\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-utils\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libapr0\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libapr0-dev\", pkgver:\"2.0.55-4ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"apache2\", pkgver:\"2.0.55-4ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"apache2-common\", pkgver:\"2.0.55-4ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"apache2-doc\", pkgver:\"2.0.55-4ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"apache2-mpm-perchild\", pkgver:\"2.0.55-4ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"apache2-mpm-prefork\", pkgver:\"2.0.55-4ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"apache2-mpm-worker\", pkgver:\"2.0.55-4ubuntu4.2\")) 
flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"apache2-prefork-dev\", pkgver:\"2.0.55-4ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"apache2-threaded-dev\", pkgver:\"2.0.55-4ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"apache2-utils\", pkgver:\"2.0.55-4ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"libapr0\", pkgver:\"2.0.55-4ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"libapr0-dev\", pkgver:\"2.0.55-4ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2-doc\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2-mpm-event\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2-mpm-perchild\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2-mpm-prefork\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2-mpm-worker\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2-prefork-dev\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2-src\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2-threaded-dev\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2-utils\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"apache2.2-common\", pkgver:\"2.2.3-3.2ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"apache2\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"apache2-doc\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"apache2-mpm-event\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", 
pkgname:\"apache2-mpm-perchild\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"apache2-mpm-prefork\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"apache2-mpm-worker\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"apache2-prefork-dev\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"apache2-src\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"apache2-threaded-dev\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"apache2-utils\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"apache2.2-common\", pkgver:\"2.2.4-3ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2 / apache2-common / apache2-doc / apache2-mpm-event / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "centos": [{"lastseen": "2020-07-17T03:31:21", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3918"], "description": "**CentOS Errata and Security Advisory** CESA-2006:0619\n\n\nThe Apache HTTP Server is a popular Web server available for free.\r\n\r\nA bug was found in Apache where an invalid Expect header sent to the server\r\nwas returned to the user in an unescaped error message. This could\r\nallow an attacker to perform a cross-site scripting attack if a victim was\r\ntricked into connecting to a site and sending a carefully crafted Expect\r\nheader. 
(CVE-2006-3918)\r\n\r\nWhile a web browser cannot be forced to send an arbitrary Expect\r\nheader by a third-party attacker, it was recently discovered that\r\ncertain versions of the Flash plugin can manipulate request headers.\r\nIf users running such versions can be persuaded to load a web page\r\nwith a malicious Flash applet, a cross-site scripting attack against\r\nthe server may be possible.\r\n\r\nOn Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in\r\nthe handling of malformed Expect headers, the page produced by the\r\ncross-site scripting attack will only be returned after a timeout expires\r\n(2-5 minutes by default) if not first canceled by the user.\r\n\r\nUsers of httpd should update to these erratum packages, which contain a\r\nbackported patch to correct these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/025173.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/025174.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/025181.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/025182.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-suexec\nmod_ssl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2006-0619.html", "edition": 6, "modified": "2006-08-24T00:08:07", "published": "2006-08-10T22:42:31", "href": "http://lists.centos.org/pipermail/centos-announce/2006-August/025173.html", "id": "CESA-2006:0619", "title": "httpd, mod_ssl security update", "type": "centos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-12-20T18:24:00", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3918"], "description": "**CentOS Errata and Security Advisory** CESA-2006:0618\n\n\nThe Apache HTTP Server is a popular Web server available for free. 
\r\n\r\nA bug was found in Apache where an invalid Expect header sent to the server\r\nwas returned to the user in an unescaped error message. This could\r\nallow an attacker to perform a cross-site scripting attack if a victim was\r\ntricked into connecting to a site and sending a carefully crafted Expect\r\nheader. (CVE-2006-3918)\r\n\r\nWhile a web browser cannot be forced to send an arbitrary Expect header by\r\na third-party attacker, it was recently discovered that certain versions of\r\nthe Flash plugin can manipulate request headers. If users running such\r\nversions can be persuaded to load a web page with a malicious Flash applet,\r\na cross-site scripting attack against the server may be possible.\r\n\r\nUsers of Apache should upgrade to these updated packages, which contain a\r\nbackported patch to correct this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/025201.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/025202.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/025203.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-suexec\nmod_ssl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2006-0618.html", "edition": 6, "modified": "2006-08-24T16:50:36", "published": "2006-08-24T16:29:11", "href": "http://lists.centos.org/pipermail/centos-announce/2006-August/025201.html", "id": "CESA-2006:0618", "title": "httpd, mod_ssl security update", "type": "centos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-12-20T18:28:11", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3918"], "description": "**CentOS Errata and Security Advisory** CESA-2006:0618-01\n\n\nThe Apache HTTP Server is a popular Web server available for free. \r\n\r\nA bug was found in Apache where an invalid Expect header sent to the server\r\nwas returned to the user in an unescaped error message. 
This could\r\nallow an attacker to perform a cross-site scripting attack if a victim was\r\ntricked into connecting to a site and sending a carefully crafted Expect\r\nheader. (CVE-2006-3918)\r\n\r\nWhile a web browser cannot be forced to send an arbitrary Expect header by\r\na third-party attacker, it was recently discovered that certain versions of\r\nthe Flash plugin can manipulate request headers. If users running such\r\nversions can be persuaded to load a web page with a malicious Flash applet,\r\na cross-site scripting attack against the server may be possible.\r\n\r\nUsers of Apache should upgrade to these updated packages, which contain a\r\nbackported patch to correct this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/025166.html\n\n**Affected packages:**\napache\napache-devel\napache-manual\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "edition": 5, "modified": "2006-08-08T23:33:33", "published": "2006-08-08T23:33:33", "href": "http://lists.centos.org/pipermail/centos-announce/2006-August/025166.html", "id": "CESA-2006:0618-01", "title": "apache security update", "type": "centos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-3918"], "edition": 1, "description": "## Solution Description\nUpgrade to version 1.3.35, 2.0.58, 2.2.2 or higher, as it has been reported to fix this vulnerability. 
An upgrade is required as there are no known workarounds.\n## References:\nVendor URL: http://httpd.apache.org/\nVendor Specific News/Changelog Entry: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117\nVendor Specific News/Changelog Entry: http://svn.apache.org/viewvc?view=rev&revision=394965\n[Vendor Specific Advisory URL](http://www.us.debian.org/security/2006/dsa-1167)\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?uid=swg24013080)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-194.htm)\n[Vendor Specific Advisory URL](http://openbsd.org/errata.html#httpd2)\n[Secunia Advisory ID:1016569](https://secuniaresearch.flexerasoftware.com/advisories/1016569/)\n[Secunia Advisory ID:21478](https://secuniaresearch.flexerasoftware.com/advisories/21478/)\n[Secunia Advisory ID:21598](https://secuniaresearch.flexerasoftware.com/advisories/21598/)\n[Secunia Advisory ID:21848](https://secuniaresearch.flexerasoftware.com/advisories/21848/)\n[Secunia Advisory ID:22317](https://secuniaresearch.flexerasoftware.com/advisories/22317/)\n[Secunia Advisory ID:22523](https://secuniaresearch.flexerasoftware.com/advisories/22523/)\n[Secunia Advisory ID:21744](https://secuniaresearch.flexerasoftware.com/advisories/21744/)\n[Secunia Advisory ID:21986](https://secuniaresearch.flexerasoftware.com/advisories/21986/)\n[Secunia Advisory ID:21399](https://secuniaresearch.flexerasoftware.com/advisories/21399/)\n[Secunia Advisory ID:21172](https://secuniaresearch.flexerasoftware.com/advisories/21172/)\n[Secunia Advisory ID:22140](https://secuniaresearch.flexerasoftware.com/advisories/22140/)\nRedHat RHSA: RHSA-2006:0618\nRedHat RHSA: RHSA-2006:0692\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Sep/0004.html\nMail List Post: 
http://archives.neohapsis.com/archives/bugtraq/2006-05/0151.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0441.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0456.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0102.html\nFrSIRT Advisory: ADV-2006-2963\nFrSIRT Advisory: ADV-2006-2964\n[CVE-2006-3918](https://vulners.com/cve/CVE-2006-3918)\n", "modified": "2006-05-08T07:04:07", "published": "2006-05-08T07:04:07", "href": "https://vulners.com/osvdb/OSVDB:27487", "id": "OSVDB:27487", "title": "Apache HTTP Server Crafted Expect Header Cross Domain HTML Injection", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "httpd": [{"lastseen": "2020-12-24T14:26:52", "bulletinFamily": "software", "cvelist": ["CVE-2006-3918"], "description": "\n\nA flaw in the handling of invalid Expect headers. If an attacker can\ninfluence the Expect header that a victim sends to a target site they\ncould perform a cross-site scripting attack. It is known that \nsome versions of Flash can set an arbitrary Expect header which can \ntrigger this flaw. Not marked as a security issue for 2.0 or\n2.2 as the cross-site scripting is only returned to the victim after\nthe server times out a connection.\n\n", "edition": 5, "modified": "2006-05-08T00:00:00", "published": "2006-05-08T00:00:00", "id": "HTTPD:7FD1B79F0D1704151C70AE49C5A4F4BD", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: Expect header Cross-Site Scripting", "type": "httpd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2016-09-26T21:39:38", "bulletinFamily": "software", "cvelist": ["CVE-2006-3918"], "description": "\n\nA flaw in the handling of invalid Expect headers. 
If an attacker can\ninfluence the Expect header that a victim sends to a target site they\ncould perform a cross-site scripting attack. It is known that \nsome versions of Flash can set an arbitrary Expect header which can \ntrigger this flaw. Not marked as a security issue for 2.0 or\n2.2 as the cross-site scripting is only returned to the victim after\nthe server times out a connection.\n\n", "edition": 1, "modified": "2006-05-01T00:00:00", "published": "2006-05-01T00:00:00", "id": "HTTPD:21276F7B71358FCD8ED42705121EF5F3", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 1.3.35: Expect header Cross-Site Scripting", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "f5": [{"lastseen": "2017-10-12T02:11:18", "bulletinFamily": "software", "cvelist": ["CVE-2006-3918"], "edition": 1, "description": "**Note:** Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. 
For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to [K4602: Overview of F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\n**F5 products and versions that have been evaluated for this Security Advisory**\n\nProduct | Affected | Not Affected \n---|---|--- \nBIG-IP LTM | 9.0.0 - 9.2.5 | 9.3.x \n9.4.x \n9.6.x \n10.x \n11.x \nBIG-IP GTM | 9.2.2 - 9.2.5 | 9.3.x \n9.4.x \n10.x \n11.x \nBIG-IP ASM | 9.2.0 - 9.2.5 | 9.3.x \n9.4.x \n10.x \n11.x \nBIG-IP Link Controller | 9.2.2 - 9.2.5 \n| 9.3.x \n9.4.x \n10.x \n11.x \nBIG-IP WebAccelerator | None | 9.4.x \n10.x \n11.x \nBIG-IP PSM | None | 9.4.x \n10.x \n11.x \nBIG-IP WAN Optimization | None | 10.x \n11.x \nBIG-IP APM | None | 10.x \n11.x \nBIG-IP Edge Gateway | None | 10.x \n11.x \nBIG-IP Analytics \n| None | 11.x \nBIG-IP AFM | None | 11.x \nBIG-IP PEM \n| None | 11.x \nFirePass | 3.1.0 - 5.5.1 \n6.0.0 | 5.5.2 \n6.0.1 - 6.1.0 \n7.x \nEnterprise Manager | None | 1.x \n2.x \n3.x \n \n \nThe vulnerability exists in the Apache web server, which is used by FirePass. Apache will not sanitize the contents of the HTTP Expect header when receiving an HTTP request. Instead, the contents of the Expect header will be returned in a successful HTTP response. This permits executable code such as JavaScript that is inserted into the HTTP Expect header to be executed by the browser in the security context of the web site whose page was returned. A cross-site scripting attack may be permitted as a result, which can disclose sensitive information or perform other malicious actions.\n\nThis vulnerability is difficult to exploit because insertion of code into an HTTP header would generally require an attacker to have exploited another, more serious vulnerability in the browser. It is not sufficient to create a hyperlink with exploit code embedded in the URL parameters, as is the case with the standard cross-site scripting technique. 
Although ActiveX and the ActionScript language available in Adobe/Macromedia Flash have the capability to craft HTTP requests, including headers and proof-of-concepts, the constraint of having to first download a malicious ActiveX control or Flash file makes this vulnerability unlikely to be exploited.\n\nInformation about this advisory is available at the following locations:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918>\n\n<http://httpd.apache.org/security/vulnerabilities_13.html>\n\n<http://seclists.org/bugtraq/2006/May/0440.html>\n\n<http://www.securityfocus.com/archive/1/441014/30/0/>\n\nF5 Product Development tracked this issue as CR47467 for BIG-IP, and it was fixed in BIG-IP 9.4.0. For information about upgrading, refer to the BIG-IP [LTM](<https://support.f5.com/content/kb/en-us/products/big-ip_ltm.html>), [GTM](<https://support.f5.com/content/kb/en-us/products/big-ip_gtm.html>), [ASM](<https://support.f5.com/content/kb/en-us/products/big-ip_asm.html>), [Link Controller](<https://support.f5.com/content/kb/en-us/products/lc_9_x.html>), or [WebAccelerator](<https://support.f5.com/content/kb/en-us/products/wa.html>) release notes.\n\nF5 Product Development tracked this issue as CR67295 for FirePass, and it was fixed in 5.5.2 and 6.0.1. For information about upgrading, refer to the [FirePass](<https://support.f5.com/content/kb/en-us/products/firepass.html>) release notes. \n \nAdditionally, this issue was fixed in cumulative hotfix 600-3 for FirePass software. You may download this hotfix or later versions of the cumulative hotfix from the F5 [Downloads](<http://downloads.f5.com/>) site. 
\n \nFor information about the F5 hotfix policy, refer to [K4918: Overview of F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>).\n\nFor instructions about installing a FirePass hotfix, refer to [K3430: Installing hotfixes](<https://support.f5.com/csp/article/K3430>).\n", "modified": "2016-01-09T02:24:00", "published": "2007-05-17T04:00:00", "id": "F5:K6669", "href": "https://support.f5.com/csp/article/K6669", "title": "Apache HTTP Expect header handling", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-26T17:23:04", "bulletinFamily": "software", "cvelist": ["CVE-2006-3918"], "edition": 1, "description": "The vulnerability exists in the Apache web server, which is used by FirePass. Apache will not sanitize the contents of the HTTP Expect header when receiving an HTTP request. Instead, the contents of the Expect header will be returned in a successful HTTP response. This permits executable code such as JavaScript that is inserted into the HTTP Expect header to be executed by the browser in the security context of the web site whose page was returned. A cross-site scripting attack may be permitted as a result, which can disclose sensitive information or perform other malicious actions.\n\nThis vulnerability is difficult to exploit because insertion of code into an HTTP header would generally require an attacker to have exploited another, more serious vulnerability in the browser. It is not sufficient to create a hyperlink with exploit code embedded in the URL parameters, as is the case with the standard cross-site scripting technique. 
Although ActiveX and the ActionScript language available in Adobe/Macromedia Flash have the capability to craft HTTP requests, including headers and proof-of-concepts, the constraint of having to first download a malicious ActiveX control or Flash file makes this vulnerability unlikely to be exploited.\n\nInformation about this advisory is available at the following locations:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918>\n\n<http://httpd.apache.org/security/vulnerabilities_13.html>\n\n<http://seclists.org/bugtraq/2006/May/0440.html>\n\n<http://www.securityfocus.com/archive/1/441014/30/0/>\n\nF5 Product Development tracked this issue as CR47467 for BIG-IP, and it was fixed in BIG-IP 9.4.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, Link Controller, or WebAccelerator release notes.\n\nF5 Product Development tracked this issue as CR67295 for FirePass, and it was fixed in 5.5.2 and 6.0.1. For information about upgrading, refer to the FirePass release notes. \n \nAdditionally, this issue was fixed in cumulative hotfix 600-3 for FirePass software. You may download this hotfix or later versions of the cumulative hotfix from the F5 [Downloads](<http://downloads.f5.com/>) site. \n \nFor information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.\n\nFor instructions about installing a FirePass hotfix, refer to SOL3430: Installing hotfixes.\n", "modified": "2013-03-19T00:00:00", "published": "2007-05-16T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/6000/600/sol6669.html", "id": "SOL6669", "title": "SOL6669 - Apache HTTP Expect header handling", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T08:08:34", "description": "Apache 2.x HTTP Server Arbitrary HTTP Request Headers Security Weakness. CVE-2006-3918. 
Remote exploit for linux platform", "published": "2006-08-24T00:00:00", "type": "exploitdb", "title": "Apache 2.x HTTP Server Arbitrary HTTP Request Headers Security Weakness", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3918"], "modified": "2006-08-24T00:00:00", "id": "EDB-ID:28424", "href": "https://www.exploit-db.com/exploits/28424/", "sourceData": "source: http://www.securityfocus.com/bid/19661/info\r\n\r\nApache HTTP server is prone to a security weakness related to HTTP request headers.\r\n\r\nAn attacker may exploit this issue to steal cookie-based authentication credentials and launch other attacks.\r\n\r\nvar req:LoadVars=new LoadVars();\r\nreq.addRequestHeader(\"Expect\",\r\n\"<script>alert('gotcha!')</script>\");\r\nreq.send(\"http://www.target.site/\",\"_blank\",\"GET\");", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/28424/"}], "redhat": [{"lastseen": "2019-08-13T18:46:08", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3918"], "description": "The Apache HTTP Server is a popular Web server available for free. \r\n\r\nA bug was found in Apache where an invalid Expect header sent to the server\r\nwas returned to the user in an unescaped error message. This could\r\nallow an attacker to perform a cross-site scripting attack if a victim was\r\ntricked into connecting to a site and sending a carefully crafted Expect\r\nheader. (CVE-2006-3918)\r\n\r\nWhile a web browser cannot be forced to send an arbitrary Expect header by\r\na third-party attacker, it was recently discovered that certain versions of\r\nthe Flash plugin can manipulate request headers. 
If users running such\r\nversions can be persuaded to load a web page with a malicious Flash applet,\r\na cross-site scripting attack against the server may be possible.\r\n\r\nUsers of Apache should upgrade to these updated packages, which contain a\r\nbackported patch to correct this issue.", "modified": "2018-03-14T19:27:28", "published": "2006-08-08T04:00:00", "id": "RHSA-2006:0618", "href": "https://access.redhat.com/errata/RHSA-2006:0618", "type": "redhat", "title": "(RHSA-2006:0618) apache security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:51", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3918"], "description": "The Apache HTTP Server is a popular Web server available for free.\r\n\r\nA bug was found in Apache where an invalid Expect header sent to the server\r\nwas returned to the user in an unescaped error message. This could\r\nallow an attacker to perform a cross-site scripting attack if a victim was\r\ntricked into connecting to a site and sending a carefully crafted Expect\r\nheader. 
(CVE-2006-3918)\r\n\r\nWhile a web browser cannot be forced to send an arbitrary Expect\r\nheader by a third-party attacker, it was recently discovered that\r\ncertain versions of the Flash plugin can manipulate request headers.\r\nIf users running such versions can be persuaded to load a web page\r\nwith a malicious Flash applet, a cross-site scripting attack against\r\nthe server may be possible.\r\n\r\nOn Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in\r\nthe handling of malformed Expect headers, the page produced by the\r\ncross-site scripting attack will only be returned after a timeout expires\r\n(2-5 minutes by default) if not first canceled by the user.\r\n\r\nUsers of httpd should update to these erratum packages, which contain a\r\nbackported patch to correct these issues.", "modified": "2017-09-08T12:18:13", "published": "2006-08-10T04:00:00", "id": "RHSA-2006:0619", "href": "https://access.redhat.com/errata/RHSA-2006:0619", "type": "redhat", "title": "(RHSA-2006:0619) httpd security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:38", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3918"], "description": " [2.0.52-28.1]\n - changed index.html to oracle_index.html\n \n [2.0.52-28.ent]\n - add security fix for Expect header XSS (CVE-2006-3918, #200732) ", "edition": 4, "modified": "2006-11-30T00:00:00", "published": "2006-11-30T00:00:00", "id": "ELSA-2006-0619", "href": "http://linux.oracle.com/errata/ELSA-2006-0619.html", "title": "Moderate httpd security update ", "type": "oraclelinux", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:38", "description": "", "published": "2007-12-02T00:00:00", "type": "packetstorm", "title": "ProCheckUp Security Advisory 2007.37", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3918"], "modified": "2007-12-02T00:00:00", "id": "PACKETSTORM:61420", "href": 
"https://packetstormsecurity.com/files/61420/ProCheckUp-Security-Advisory-2007.37.html", "sourceData": "`PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method \n \n \nVulnerability found: 7 November 2007 \n \nVendor contacted: 14 November 2007 \n \nRisk factor: N/A \n \nThe reason why we didn't consider this vulnerability a security risk is because the attacker needs to force the victim's browser to submit a malformed HTTP method. \n \nHeader injection has been demonstrated to be possible using Flash [1] [2], but might be dependent on vulnerable Flash plugins. \n \nA relevant example published in the past is exploiting the Apache 'Expect' XSS [3] (CVE-2006-3918) using flash [4]. \n \nHowever, in this case we need to spoof the HTTP METHOD to a specially-crafted value. \n \n \nDescription: \n \nIt is possible to cause Apache HTTP server to return client-supplied scripting code by submitting a malformed HTTP method which would actually carry the payload (i.e.: malicious JavaScript) and invalid length data in the form of either of the following: \n \nTwo 'Content-length:' headers equals to zero. i.e.: \"Content-Length: 0[LF]Content-Length: 0\" \nOne 'Content-length:' header equals to two values. i.e.: \"Content-length: 0, 0\" \nOne 'Content-length:' header equals to a negative value. i.e.: \"Content-length: -1\" \nOne 'Content-length:' header equals to a large value. i.e.: \"Content-length: 9999999999999999999999999999999999999999999999\" \n \n \nApache 2.X returns a '413 Request Entity Too Large' error, when submitting invalid length data. 
When probing for XSS on the error page returned by the server we have 3 possible string vectors: \n \nThe 'Host:' header \nThe URL \nThe HTTP method \n \nIf we probe for XSS using the 'Host:' header, Apache correctly filters the angle brackets and replaces them with HTML entities: \n \nREQUEST: \n \nGET / HTTP/1.1 \nHost: <BADCHARS> \nConnection: close \nContent-length: -1 \n[LF] \n[LF] \n \n \nSERVER'S RESPONSE: \n \nHTTP/1.1 413 Request Entity Too Large \nDate: Fri, 30 Nov 2007 12:40:19 GMT \nServer: Apache/2.0.55 (Ubuntu) PHP/5.1.6 \nConnection: close \nContent-Type: text/html; charset=iso-8859-1 \n \n<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"> \n<html><head> \n<title>413 Request Entity Too Large</title> \n</head><body> \n<h1>Request Entity Too Large</h1> \nThe requested resource<br />/<br /> \ndoes not allow request data with GET requests, or the amount of data provided in \nthe request exceeds the capacity limit. \n<hr> \n<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at &lt;badchars&gt; Port 80</address> \n</body></html> \n \n \nNotice that '<BADCHARS>' gets replaced with '&lt;badchars&gt;' \n \nIf we probe for XSS using the URL, Apache ALSO correctly filters the angle brackets and replaces them with HTML entities: \n \nREQUEST: \n \nGET /<BADCHARS>/ HTTP/1.1 \nHost: target-domain.foo \nConnection: close \nContent-length: -1 \n[LF] \n[LF] \n \n \nSERVER'S RESPONSE: \n \nHTTP/1.1 413 Request Entity Too Large \nDate: Fri, 30 Nov 2007 12:41:17 GMT \nServer: Apache/2.0.55 (Ubuntu) PHP/5.1.6 \nConnection: close \nContent-Type: text/html; charset=iso-8859-1 \n \n<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"> \n<html><head> \n<title>413 Request Entity Too Large</title> \n</head><body> \n<h1>Request Entity Too Large</h1> \nThe requested resource<br />/&lt;BADCHARS&gt;/<br /> \ndoes not allow request data with GET requests, or the amount of data provided in \nthe request exceeds the capacity limit. 
\n<hr> \n<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo Port 80</address> \n</body></html> \n \n \nAgain, '<BADCHARS>' gets replaced with '&lt;badchars&gt;' \n \n \nHowever, if we probe for XSS using a malformed HTTP method, the angle brackets are NOT replaced with HTML entities: \n \n \nREQUEST: \n \n<BADCHARS> / HTTP/1.1 \nHost: target-domain.foo \nConnection: close \nContent-length: -1 \n[LF] \n[LF] \n \n \nSERVER'S RESPONSE: \n \nHTTP/1.1 413 Request Entity Too Large \nDate: Fri, 30 Nov 2007 12:42:46 GMT \nServer: Apache/2.0.55 (Ubuntu) PHP/5.1.6 \nConnection: close \nContent-Type: text/html; charset=iso-8859-1 \n \n<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"> \n<html><head> \n<title>413 Request Entity Too Large</title> \n</head><body> \n<h1>Request Entity Too Large</h1> \nThe requested resource<br />/<br /> \ndoes not allow request data with <BADCHARS> requests, or the amount of data provided in \nthe request exceeds the capacity limit. \n<hr> \n<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo Port 80</address> \n</body></html> \n \n \n \nThe following script could be used to audit your network for vulnerable web servers: \n \n#!/bin/bash \n# PR07-37-scan \nif [ $# -ne 1 ] \nthen \necho \"$0 <hosts-file>\" \nexit \nfi \n \nfor i in `cat $1` \ndo \n \nif echo -en \"<PROCHECKUP> / HTTP/1.1\\nHost: $i\\nConnection: close\\nContent-length: 0\\nContent-length: 0\\n\\n\" | nc -w 4 $i 80 | grep -i '<PROCHECKUP>' > /dev/null \nthen \necho \"$i is VULNERABLE!\" \nfi \n \ndone \n \n \nVulnerability successfully tested on (banners extracted from server headers): \n \nServer: Apache/2.0.46 (Red Hat) \nServer: Apache/2.0.51 (Fedora) \nServer: Apache/2.0.55 (Ubuntu) PHP/5.1.6 \nServer: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7g \nServer: Apache/2.2.3 (FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 DAV/2 \nServer: Apache/2.2.4 (Linux/SUSE) \n \n \nNote: other versions might also be vulnerable. 
\n \n \nConsequences: \n \nThis type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e. session IDs) to unauthorised third parties provided that a web browser is tricked to submit a malformed HTTP method. \n \n \nWorkaround: \n \nDisable Apache's default 413 error pages by adding 'ErrorDocument 413' statement to the Apache config file. \n \n \nReferences: \n \nhttp://www.procheckup.com/Vulnerability_2007.php \n \n[1] \"Forging HTTP request headers with Flash\" \nhttp://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html \n \n[2] \"HTTP Header Injection Vulnerabilities in the Flash Player Plugin\" \nhttp://download2.rapid7.com/r7-0026/ \n \n[3] \"Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1\" \nhttp://www.securityfocus.com/archive/1/433280 \n \n[4] \"More Expect Exploitation In Flash\" \nhttp://ha.ckers.org/blog/20071103/more-expect-exploitation-in-flash/ \n \n \nCredits: Adrian Pastor and Amir Azam of ProCheckUp Ltd (www.procheckup.com). \n \nSpecial thanks go to Amit Klein and Joe Orton for providing such valuable feedback. 
\n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/61420/PR07-37.txt"}, {"lastseen": "2016-12-05T22:18:08", "description": "", "published": "2011-06-14T00:00:00", "type": "packetstorm", "title": "Oracle HTTP Server Header Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3918", "CVE-2007-0275"], "modified": "2011-06-14T00:00:00", "id": "PACKETSTORM:102234", "href": "https://packetstormsecurity.com/files/102234/Oracle-HTTP-Server-Header-Cross-Site-Scripting.html", "sourceData": "`--------------------------------------------------------------------------------------------------------- \nOracle HTTP Server XSS Header Injection \n--------------------------------------------------------------------------------------------------------- \n# Attack Pattern ID : CAPEC-86 \n# CWE ID : CI-79 \n# OWASP IDs : A1-Injections, A2-Cross Site Scripting (XSS) \n# CVE ID : not yet \n# Related CVEs : CVE-2006-3918, CVE-2007-0275 \n# A.K.A : Unfiltered Header Injection \n# Product Type : Application \n# Vendor : Oracle Corporation \n# Product : Oracle HTTP Server for Oracle Application Server 10g \n# Vulnerable Versions: 10.1.2.0.2 \n# Probably Vulnerable: (not tested) 10.1.2.0.0, 9.0.4.3.0, 9.0.4.2.0, 9.0.4.1.0, 9.0.4.0.0 \n# Severity : Medium \n# Tested on : Linux, Windows Server 2003 \n# Download link : http://www.oracle.com/technetwork/middleware/ias/downloads/101201se-090616.html \n# Date : 12/06/2011 \n# Google Dork : allintitle:\"Oracle HTTP Server -\" \n------------------------------------------------------------------------------------------------------- \n[-] Credit : Yasser ABOUKIR \n[-] Site : http://www.yaboukir.com \n[-] Email : yaboukir@gmail.com 
\n[-] Occupation: ITC security engineering student at ENSIAS - Morocco \n------------------------------------------------------------------------------------------------------- \n[+] Vulnerability description: \nThe Oracle HTTP Server does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file. \n \n[+] Vulnerability origin: \nOracle HTTP Server (OHS), developed by Oracle Corporation, is the Web server component of OracleAS 10g. The vulnerable product is based on the Apache 1.3 Web server. The latter is vulnerable to Unfiltered Header Injection, which is the origin of the vulnerability in this OHS version. \n \n[+] PoC: \nSee the video in Youtube: http://www.youtube.com/watch?v=cBmbkAYXdjo \nSee the PDF: http://www.yaboukir.com/wp-content/bugtraq/XSS_Header_Injection_in_OHS_by_Yasser.pdf \n \n[+] Attack: \n> Attack Prerequisites for a successful exploitation: \nTarget software must be a client that allows scripting communication from remote hosts. Crafting the attack to exploit this issue is not a complex process. However most of the unsophisticated attackers will not know that such an attack is possible. Also an attacker needs to reach his victims by enticing them to visit a remote site of some sort to redirect them and data to. \n> Attacker Skills or Knowledge Required \n- Skill or Knowledge Level: Low \nTo achieve a redirection and use of less trusted source, an attacker can simply edit HTTP Headers that are sent to client machine. 
\n- Skill or Knowledge Level: High \nExploiting a client side vulnerability to inject malicious scripts into the browser's executable process. \n> Methods of Attack \n- Injection \n- Modification of Resources \n- Protocol Manipulation \n> Exploit: \n- Steal session IDs, credentials, page content, etc.: \nAs the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on. \n- Forceful browsing: \nWhen the attacker targets this Oracle application (through CSRF vulnerabilities, Clickjacking), the user will then be the one who performs the attacks without being aware of it. \n- Content spoofing: \nBy manipulating the content, the attacker targets the information that the user would like to get from the Website. \n \n[+] Solution: \nA solution to this issue might be to update/upgrade to Oracle HTTP Server 11g, which is based on Apache 2.2. In fact, Oracle supports only the code it ships with Oracle Application Server 10g. Externally added modules or other changes are not supported. Consequently, the security patches that the Apache organization released for this vulnerability in its versions 1.3.35/2.0.58/2.2.2 should not be applied onto Oracle HTTP Server. 
\n \n[+] References: \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918 \nOracle Application Server 10g Release 3 (10.1.3.1.0) Overview of Oracle HTTP Server, An Oracle White Paper, October 2006 \nhttp://seclists.org/Webappsec/2006/q2/245 \nhttp://www.securiteam.com/securityreviews/5KP0M1FJ5E.html \nhttp://www.securityfocus.com/archive/1/441014 \nhttp://kb2.adobe.com/cps/403/kb403030.html \nhttp://www.oracle.com/technetwork/middleware/ias/index-091236.html \nhttp://www.oracle.com/technetwork/middleware/ias/faq-089946.html \nhttp://download.oracle.com/otndocs/tech/ias/portal/files/RG/complete_Web_site_ohs_faq.htm#OHS \nhttp://xss.cx/http-header-injection-expect-response-splitting-cI-113-example-poc.aspx \nhttp://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-707/opxss-1/Oracle-Application-Server.html \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/102234/oraclehttp-xss.txt"}], "debian": [{"lastseen": "2020-11-11T13:22:12", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3918", "CVE-2005-3352"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1167-1 security@debian.org\nhttp://www.debian.org/security/ Steve Kemp\nSeptember 4th, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : apache\nVulnerability : missing input sanitising \nProblem-Type : remote\nDebian-specific: no \nCVE ID : CVE-2006-3918 CVE-2005-3352\nDebian Bug : 381381 343466\n\nSeveral remote vulnerabilities have been discovered in the Apache, the\nworlds most popular webserver, which may lead to the execution of arbitrary\nweb script. 
The Common Vulnerabilities and Exposures project identifies\nthe following problems:\n\nCVE-2005-3352\n\n A cross-site scripting (XSS) flaw exists in the mod_imap component of\n the Apache server.\n\nCVE-2006-3918\n\n Apache does not sanitize the Expect header from an HTTP request when \n it is reflected back in an error message, which might allow cross-site \n scripting (XSS) style attacks.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 1.3.33-6sarge3.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 1.3.34-3.\n\nWe recommend that you upgrade your apache package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3.dsc\n Size/MD5 checksum: 1119 38df6fe54a784dfcbf3e1510e099865e\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3.diff.gz\n Size/MD5 checksum: 373584 2af62cfb3d6523134bf52d32567d396a\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33.orig.tar.gz\n Size/MD5 checksum: 3105683 1a34f13302878a8713a2ac760d9b6da8\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.33-6sarge3_all.deb\n Size/MD5 checksum: 334696 494bae0fb839c498146119864a215a45\n http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.33-6sarge3_all.deb\n Size/MD5 checksum: 1333060 d580b14b6d0dcd625d2e5d8cd052e172\n 
http://security.debian.org/pool/updates/main/a/apache/apache-utils_1.3.33-6sarge3_all.deb\n Size/MD5 checksum: 212750 62b603132ddffa8f1d209e25efaf710b\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_alpha.deb\n Size/MD5 checksum: 428394 f046f50e83b2001911b075426a00496e\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_alpha.deb\n Size/MD5 checksum: 904410 11ab4e174f28b2ad55a4b8fe9164ec70\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_alpha.deb\n Size/MD5 checksum: 9223374 18af7b52030a8235808f758c9adc2233\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_alpha.deb\n Size/MD5 checksum: 569796 3df0cdde9f4293b732b00535e288638d\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_alpha.deb\n Size/MD5 checksum: 542832 a76d1fe52c6c7b604a4406b09b553dfb\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_alpha.deb\n Size/MD5 checksum: 505212 cd448b4a36c588e832fb3450ee568383\n\n AMD64 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_amd64.deb\n Size/MD5 checksum: 401596 25172b26459154f43f6d6a30ca984223\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_amd64.deb\n Size/MD5 checksum: 876800 90566c369fb5bd3aef95cb1a982c4673\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_amd64.deb\n Size/MD5 checksum: 9163050 0039650aceb91734f4d28d71ed03b0b7\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_amd64.deb\n Size/MD5 checksum: 524552 974a82bc6cad36fceca1beb7e6e8a751\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_amd64.deb\n Size/MD5 checksum: 513922 cee41d6c34a440aa2641c6298afaec78\n 
http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_amd64.deb\n Size/MD5 checksum: 492634 a42522ddd4b1b0df67c214fe8fe30702\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_arm.deb\n Size/MD5 checksum: 384426 562d9db8c2d0c08e8ef3a5ac3c066991\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_arm.deb\n Size/MD5 checksum: 841502 b59f5bd9cd60afad9511e8d32234b605\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_arm.deb\n Size/MD5 checksum: 8986156 f297c94b1571043f0758a114f4cffacb\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_arm.deb\n Size/MD5 checksum: 496134 3b1126c47884892ab32dabd4ee7fa724\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_arm.deb\n Size/MD5 checksum: 489830 06f770b97e273e91684b90b98cb9416c\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_arm.deb\n Size/MD5 checksum: 479416 e1de8c552383fab6a73a2a2a33033392\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_hppa.deb\n Size/MD5 checksum: 406792 500ae39ef6507daec78c6cb98fc5fa6b\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_hppa.deb\n Size/MD5 checksum: 905596 ba4e1b726c573a28cabe4f192ec47a7e\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_hppa.deb\n Size/MD5 checksum: 9100666 3afce64bfeb0d49d87acbebfad937aa2\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_hppa.deb\n Size/MD5 checksum: 536310 0ed71b8af8923bbe73743f87a5b0d15d\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_hppa.deb\n Size/MD5 checksum: 518938 f60b6a4fe07eddc4ae9ad2907e9a10de\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_hppa.deb\n 
Size/MD5 checksum: 508866 e7166be9bedc95e600b8e6f99c6a0773\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_i386.deb\n Size/MD5 checksum: 386824 316be5f99dbce3d7a99b423bf6aad4f0\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_i386.deb\n Size/MD5 checksum: 860258 a5739eae75197bcdfefb3f88357046fa\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_i386.deb\n Size/MD5 checksum: 9125070 44dac7aa9af92c2d35805600d9942f56\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_i386.deb\n Size/MD5 checksum: 505036 d3507dbad7cc29b5d5f48838d37788f2\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_i386.deb\n Size/MD5 checksum: 493906 6cddd1409210e44d146e562437fe9b0e\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_i386.deb\n Size/MD5 checksum: 486920 7a4ebd8d698d8b27d86cde501b2e37ea\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_ia64.deb\n Size/MD5 checksum: 463582 d6727fb64033b7e9e5fec02c99ddccb4\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_ia64.deb\n Size/MD5 checksum: 972070 993bc5598b3f8d3b323d7142f0af068a\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_ia64.deb\n Size/MD5 checksum: 9356472 4f04357801f9adf640b923ba55141d06\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_ia64.deb\n Size/MD5 checksum: 627670 67723ecb16c6354f9917cfb2994688ce\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_ia64.deb\n Size/MD5 checksum: 586218 9d531536098a6132db6e5e55c8c61f7d\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_ia64.deb\n Size/MD5 checksum: 532970 2b4d80404ec866768b13eea9cccba0c8\n\n Motorola 680x0 
architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_m68k.deb\n Size/MD5 checksum: 371224 11e27383df4c492e780b602b5a691177\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_m68k.deb\n Size/MD5 checksum: 847290 bda6118d92b6f4266a68e5c769915d77\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_m68k.deb\n Size/MD5 checksum: 8973936 d5f3af955891e755a6f82ad2ddc4251f\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_m68k.deb\n Size/MD5 checksum: 448792 7cc02085c7a8854f7f99bf0486db8ef1\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_m68k.deb\n Size/MD5 checksum: 477488 9f1961a7b2298f33ca700f65b598a575\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_m68k.deb\n Size/MD5 checksum: 489430 2db034e4701a55c718919dad83f2c570\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_mips.deb\n Size/MD5 checksum: 403474 c2078bea81d4674b94cc6928c818d91f\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_mips.deb\n Size/MD5 checksum: 851594 7adcef101424558b208e458a7f26e5bb\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_mips.deb\n Size/MD5 checksum: 9049020 ad184b1edc27be6777add8a2dcee59bb\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_mips.deb\n Size/MD5 checksum: 485348 b067dad315f0eb43e35ef310ffcd8f11\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_mips.deb\n Size/MD5 checksum: 510036 11237943a107b9e5aab03b164946f192\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_mips.deb\n Size/MD5 checksum: 443674 cb61d4a7fb04bdfb149e91e6f162e3a5\n\n Little endian MIPS architecture:\n\n 
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_mipsel.deb\n Size/MD5 checksum: 403812 544f672fc2fcc2386f0dfc52270370c2\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_mipsel.deb\n Size/MD5 checksum: 850096 1c86bed17e26ab9a0d7fabde05f54496\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_mipsel.deb\n Size/MD5 checksum: 9054440 6dfa3da28646f6ef2cda58e6583bd42a\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_mipsel.deb\n Size/MD5 checksum: 485576 1e22bdda682380f75e383ef6daa9810d\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_mipsel.deb\n Size/MD5 checksum: 510906 e8cc83ab983be776b2b8d5efa966cc93\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_mipsel.deb\n Size/MD5 checksum: 443550 df9c83e96b60d05415de5e7437c85c4d\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_powerpc.deb\n Size/MD5 checksum: 398792 fde3379aa1722e4928b0dcebacde8cd3\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_powerpc.deb\n Size/MD5 checksum: 921430 1752e1761d599f75bec0a5440a0c5000\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_powerpc.deb\n Size/MD5 checksum: 9252778 6598265b624c8081d067b51a4a2bd7b2\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_powerpc.deb\n Size/MD5 checksum: 515538 bed60fc9b7535fb76df1dc47b3b75d31\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_powerpc.deb\n Size/MD5 checksum: 510564 c6d6fa3c927fba3205d4d8cd7255f946\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_powerpc.deb\n Size/MD5 checksum: 490806 bd21c1a2c18c159f9be20147bd56a033\n\n IBM S/390 architecture:\n\n 
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_s390.deb\n Size/MD5 checksum: 403296 cdb74b97915f5bba992d43aa5072bf69\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_s390.deb\n Size/MD5 checksum: 868460 0af306030af56192e6a4a0ddbc857fbd\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_s390.deb\n Size/MD5 checksum: 9183208 92aa1ac6e882540971f228ccb7b8581e\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_s390.deb\n Size/MD5 checksum: 490244 d70328a7357a3f0d0f4750ac44f14b7a\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_s390.deb\n Size/MD5 checksum: 514702 ceb61f369cccf94aa44aa43675eaf715\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_s390.deb\n Size/MD5 checksum: 460598 505caef969194a36e151a2ad11436c09\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge3_sparc.deb\n Size/MD5 checksum: 385712 1b7269518bb8477b617e80e4441e346c\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge3_sparc.deb\n Size/MD5 checksum: 849494 119987a73dc8781ba2f11db3b38fa32d\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge3_sparc.deb\n Size/MD5 checksum: 9046496 53bb97f85c73563d247165532dac13c5\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge3_sparc.deb\n Size/MD5 checksum: 504378 ca133fd06dd62da415ef8382453cf657\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge3_sparc.deb\n Size/MD5 checksum: 492194 b97d2a3cd2d95a8b77dc9ab54f52bd13\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge3_sparc.deb\n Size/MD5 checksum: 490386 1dca7784debdba341f27d1b388bb0eb2\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- 
---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2006-09-04T00:00:00", "published": "2006-09-04T00:00:00", "id": "DEBIAN:DSA-1167-1:158F8", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00257.html", "title": "[SECURITY] [DSA 1167-1] New apache packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "seebug": [{"lastseen": "2017-11-19T14:50:03", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Oracle HTTP Server - XSS Header Injection", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3918", "CVE-2007-0275"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-71772", "id": "SSV:71772", "sourceData": "\n ---------------------------------------------------------------------------------------------------------\r\n Oracle HTTP Server XSS Header Injection \r\n---------------------------------------------------------------------------------------------------------\r\n# Attack Pattern ID : CAPEC-86\r\n# CWE ID : CI-79\r\n# OWASP IDs : A1-Injections, A2-Cross Site Scripting (XSS)\r\n# CVE ID : not yet\r\n# Related CVEs : CVE-2006-3918, CVE-2007-0275\r\n# A.K.A : Unfiltered Header Injection\r\n# Product Type : Application\r\n# Vendor : Oracle Corporation\r\n# Product : Oracle HTTP Server for Oracle Application Server 10g\r\n# Vulnerable Versions: 10.1.2.0.2 \r\n# Probably Vulnerable: (not tested) 10.1.2.0.0, 9.0.4.3.0, 9.0.4.2.0, 9.0.4.1.0, 9.0.4.0.0\r\n# Severity : Medium\r\n# Tested on\t : Linux, Windows Server 2003\r\n# 
Download link : http://www.oracle.com/technetwork/middleware/ias/downloads/101201se-090616.html\r\n# Date : 12/06/2011\r\n# Google Dork : allintitle:"Oracle HTTP Server -"\r\n-------------------------------------------------------------------------------------------------------\r\n[-] Credit : Yasser ABOUKIR\r\n[-] Site : http://www.yaboukir.com \r\n[-] Email : yaboukir@gmail.com\r\n[-] Occupation: ITC security engineering student at ENSIAS - Morocco\r\n-------------------------------------------------------------------------------------------------------\r\n[+] Vulnerability description:\r\n\tThe Oracle HTTP Server does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file. \r\n\r\n[+] Vulnerability origin: \r\n\tOracle HTTP Server (OHS) developed by Oracle Corporation is an OracleAS 10g's Web Server component. The vulnerable product is based on the Apache 1.3 Web server. This later is vulnerable to Unfiltered Header Injection which makes the vulnerability?s origin of this OHS version.\r\n\r\n[+] PoC: \r\n See the video in Youtube: http://www.youtube.com/watch?v=cBmbkAYXdjo\r\n See the PDF: http://www.yaboukir.com/wp-content/bugtraq/XSS_Header_Injection_in_OHS_by_Yasser.pdf\r\n\r\n[+] Attack:\r\n \t> Atack Prerequisites for a successful exploitation:\r\n\t\tTarget software must be a client that allows scripting communication from remote hosts. Crafting the attack to exploit this issue is not a complex process. However most of the unsophisticated attackers will not know that such an attack is possible. Also an attacker needs to reach his victims by enticing them to visit remote site of some sort to redirect them and data to. 
\r\n\t> Attacker Skills or Knowledge Required\r\n \t\t- Skill or Knowledge Level: Low\r\n\t\t\tTo achieve a redirection and use of less trusted source, an attacker can simply edit HTTP Headers that are sent to client machine.\r\n \t\t- Skill or Knowledge Level: High\r\n\t\t\tExploiting a client side vulnerability to inject malicious scripts into the browser's executable process.\r\n\t> Methods of Attack\r\n\t\t- Injection\r\n\t\t- Modification of Resources\r\n\t\t- Protocol Manipulation\r\n\t> Exploit:\r\n\t\t- Steal session IDs, credentials, page content, etc.: \r\n As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.\r\n\t\t- Forceful browsing: \r\nWhen the attacker targets this Oracle application (through CSRF vulnerabilities, Clickjacking), the user will then be the one who perform the attacks without being aware of it. \r\n\t\t- Content spoofing:\r\nBy manipulating the content, the attacker targets the information that the user would like to get from the Website.\r\n\r\n[+] Solution:\r\nA solution to this issue might be the update/upgrade to the Oracle HTTP Server 11g which is based on Apache 2.2. In fact, Oracle supports only the code they ship with the Oracle Application Server 10g. Externally added modules or other changes are not supported. As a matter of fact, security patches from the Apache organization in its latest versions 1.3.35/2.0.58/2.2.2 to this vulnerability onto Oracle HTTP Server should not be applied. 
\r\n\r\n[+] References:\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918\r\nOracle Application Server 10g Release 3 (10.1.3.1.0) Overview of Oracle HTTP Server, An Oracle White Paper, October 2006\r\n http://seclists.org/Webappsec/2006/q2/245\r\n http://www.securiteam.com/securityreviews/5KP0M1FJ5E.html\r\n http://www.securityfocus.com/archive/1/441014\r\n http://kb2.adobe.com/cps/403/kb403030.html\r\n http://www.oracle.com/technetwork/middleware/ias/index-091236.html\r\n http://www.oracle.com/technetwork/middleware/ias/faq-089946.html\r\n http://download.oracle.com/otndocs/tech/ias/portal/files/RG/complete_Web_site_ohs_faq.htm#OHS\r\n http://xss.cx/http-header-injection-expect-response-splitting-cI-113-example-poc.aspx\r\nhttp://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-707/opxss-1/Oracle-Application-Server.html\r\n\r\nPDF Mirror: http://www.exploit-db.com/sploits/XSS_Header_Injection_in_OHS_by_Yasser.pdf\n ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71772"}], "openvas": [{"lastseen": "2017-07-24T12:50:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2005-3352"], "description": "The remote host is missing an update to apache\nannounced via advisory DSA 1167-1.\n\nSeveral remote vulnerabilities have been discovered in the Apache, the\nworlds most popular webserver, which may lead to the execution of arbitrary\nweb script. 
The Common Vulnerabilities and Exposures project identifies\nthe following problems:\n\nCVE-2005-3352\n\nA cross-site scripting (XSS) flaw exists in the mod_imap component of\nthe Apache server.\n\nCVE-2006-3918\n\nApache does not sanitize the Expect header from an HTTP request when\nit is reflected back in an error message, which might allow cross-site\nscripting (XSS) style attacks.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:57335", "href": "http://plugins.openvas.org/nasl.php?oid=57335", "type": "openvas", "title": "Debian Security Advisory DSA 1167-1 (apache)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1167_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1167-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) these problems have been fixed in\nversion 1.3.33-6sarge3.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 1.3.34-3.\n\nWe recommend that you upgrade your apache package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201167-1\";\ntag_summary = \"The remote host is missing an update to apache\nannounced via advisory DSA 1167-1.\n\nSeveral remote vulnerabilities have been discovered in the Apache, the\nworlds most popular webserver, which may lead to the execution of arbitrary\nweb script. The Common Vulnerabilities and Exposures project identifies\nthe following problems:\n\nCVE-2005-3352\n\nA cross-site scripting (XSS) flaw exists in the mod_imap component of\nthe Apache server.\n\nCVE-2006-3918\n\nApache does not sanitize the Expect header from an HTTP request when\nit is reflected back in an error message, which might allow cross-site\nscripting (XSS) style attacks.\";\n\n\nif(description)\n{\n script_id(57335);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:13:11 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2006-3918\", \"CVE-2005-3352\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 1167-1 (apache)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"apache-dev\", ver:\"1.3.33-6sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-doc\", ver:\"1.3.33-6sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-utils\", ver:\"1.3.33-6sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache\", ver:\"1.3.33-6sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-common\", ver:\"1.3.33-6sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-dbg\", ver:\"1.3.33-6sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-perl\", ver:\"1.3.33-6sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-ssl\", ver:\"1.3.33-6sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libapache-mod-perl\", ver:\"1.29.0.3-6sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-26T08:55:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2700", "CVE-2006-3918", "CVE-2005-3357"], "description": "The remote host is missing updates to 
packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n apache2-worker\n apache2-prefork\n apache2\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5013454 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:65575", "href": "http://plugins.openvas.org/nasl.php?oid=65575", "type": "openvas", "title": "SLES9: Security update for apache2,apache2-prefork,apache2-worker", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5013454.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for apache2,apache2-prefork,apache2-worker\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache2-worker\n apache2-prefork\n apache2\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5013454 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65575);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2005-3357\", \"CVE-2005-2700\", \"CVE-2006-3918\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES9: Security update for apache2,apache2-prefork,apache2-worker\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.0.49~27.59\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:39:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2700", "CVE-2006-3918", "CVE-2005-3357"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache2-worker\n apache2-prefork\n apache2\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5013454 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:136141256231065575", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065575", "type": "openvas", "title": "SLES9: Security update for apache2,apache2-prefork,apache2-worker", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5013454.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for apache2,apache2-prefork,apache2-worker\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache2-worker\n apache2-prefork\n apache2\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5013454 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65575\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2005-3357\", \"CVE-2005-2700\", \"CVE-2006-3918\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES9: Security update for apache2,apache2-prefork,apache2-worker\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.0.49~27.59\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2008-0005", "CVE-2007-6388", "CVE-2007-5000"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache-example-pages\n apache-doc\n apache-devel\n apache\n mod_ssl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5023075 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:136141256231065467", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065467", "type": "openvas", "title": "SLES9: Security update for Apache", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5023075.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for Apache\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache-example-pages\n apache-doc\n apache-devel\n apache\n mod_ssl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5023075 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65467\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-3918\", \"CVE-2007-5000\", \"CVE-2007-6388\", \"CVE-2008-0005\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"SLES9: Security update for Apache\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache-example-pages\", rpm:\"apache-example-pages~1.3.29~71.26\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-26T08:55:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2008-0005", "CVE-2007-6388", "CVE-2007-5000"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n apache-example-pages\n apache-doc\n apache-devel\n apache\n mod_ssl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5023075 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:65467", "href": "http://plugins.openvas.org/nasl.php?oid=65467", "type": "openvas", "title": "SLES9: Security update for Apache", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5023075.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for Apache\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache-example-pages\n apache-doc\n apache-devel\n apache\n mod_ssl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5023075 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65467);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-3918\", \"CVE-2007-5000\", \"CVE-2007-6388\", \"CVE-2008-0005\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"SLES9: Security update for Apache\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache-example-pages\", rpm:\"apache-example-pages~1.3.29~71.26\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-12-12T11:20:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2007-6203", "CVE-2008-0005", "CVE-2007-6421", "CVE-2007-6388", "CVE-2007-5000", "CVE-2007-6422"], "description": "Check for the Version of apache2,apache", "modified": "2017-12-08T00:00:00", "published": "2009-01-23T00:00:00", "id": "OPENVAS:850009", "href": "http://plugins.openvas.org/nasl.php?oid=850009", "type": "openvas", "title": "SuSE Update for apache2,apache SUSE-SA:2008:021", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2008_021.nasl 8050 2017-12-08 09:34:29Z santu $\n#\n# SuSE Update for apache2,apache SUSE-SA:2008:021\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program 
is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Various minor bugs have been fixed in the Apache 1 and\n Apache 2 web servers and released as a roll-up update.\n\n Security problems that were fixed include:\n\n - cross site scripting problem when processing the 'Expect' header\n CVE-2006-3918 (Apache 1 only)\n\n - cross site scripting problem in mod_imap CVE-2007-5000\n (Apache 1 and 2)\n\n - cross site scripting problem in mod_status CVE-2007-6388\n (Apache 1 and 2)\n\n - cross site scripting problem in the ftp proxy module CVE-2008-0005\n (Apache 1 and 2)\n\n - cross site scripting problem in the error page for status code 413\n CVE-2007-6203 (Apache 2)\n\n - cross site scripting problem in mod_proxy_balancer\n CVE-2007-6421 (Apache 2)\n\n - A flaw in mod_proxy_balancer allowed attackers to crash apache\n CVE-2007-6422 (Apache 2)\";\n\ntag_impact = \"cross site scripting\";\ntag_affected = \"apache2,apache on SUSE LINUX 10.1, openSUSE 10.2, openSUSE 10.3, SUSE SLES 9, Novell Linux Desktop 9 SDK, Novell Linux Desktop 9, Open Enterprise Server, Novell Linux POS 9, SLE SDK 10 SP1, SUSE Linux Enterprise Server 10 SP1\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_id(850009);\n script_version(\"$Revision: 8050 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 10:34:29 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-01-23 16:44:26 +0100 (Fri, 23 Jan 
2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"SUSE-SA\", value: \"2008-021\");\n script_cve_id(\"CVE-2006-3918\", \"CVE-2007-5000\", \"CVE-2007-6203\", \"CVE-2007-6388\", \"CVE-2007-6421\", \"CVE-2007-6422\", \"CVE-2008-0005\");\n script_name( \"SuSE Update for apache2,apache SUSE-SA:2008:021\");\n\n script_summary(\"Check for the Version of apache2,apache\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE10.3\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache2\", rpm:\"apache2~2.2.4~70.4\", rls:\"openSUSE10.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-devel\", rpm:\"apache2-devel~2.2.4~70.4\", rls:\"openSUSE10.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-doc\", rpm:\"apache2-doc~2.2.4~70.4\", rls:\"openSUSE10.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-example-pages\", rpm:\"apache2-example-pages~2.2.4~70.4\", rls:\"openSUSE10.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-prefork\", 
rpm:\"apache2-prefork~2.2.4~70.4\", rls:\"openSUSE10.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-utils\", rpm:\"apache2-utils~2.2.4~70.4\", rls:\"openSUSE10.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.2.4~70.4\", rls:\"openSUSE10.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE10.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache2\", rpm:\"apache2~2.2.3~24\", rls:\"openSUSE10.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-devel\", rpm:\"apache2-devel~2.2.3~24\", rls:\"openSUSE10.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-doc\", rpm:\"apache2-doc~2.2.3~24\", rls:\"openSUSE10.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-example-pages\", rpm:\"apache2-example-pages~2.2.3~24\", rls:\"openSUSE10.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-prefork\", rpm:\"apache2-prefork~2.2.3~24\", rls:\"openSUSE10.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.2.3~24\", rls:\"openSUSE10.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"NLDk9\")\n{\n\n if ((res = isrpmvuln(pkg:\"libapr0\", rpm:\"libapr0~2.0.59~1.8\", rls:\"NLDk9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2\", rpm:\"apache2~2.0.59~1.8\", rls:\"NLDk9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-devel\", rpm:\"apache2-devel~2.0.59~1.8\", 
rls:\"NLDk9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-prefork\", rpm:\"apache2-prefork~2.0.59~1.8\", rls:\"NLDk9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.0.59~1.8\", rls:\"NLDk9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-doc\", rpm:\"apache2-doc~2.0.59~1.8\", rls:\"NLDk9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-example-pages\", rpm:\"apache2-example-pages~2.0.59~1.8\", rls:\"NLDk9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"OES\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache\", rpm:\"apache~1.3.29~71.26\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-devel\", rpm:\"apache-devel~1.3.29~71.26\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-doc\", rpm:\"apache-doc~1.3.29~71.26\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-example-pages\", rpm:\"apache-example-pages~1.3.29~71.26\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.8.16~71.26\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libapr0\", rpm:\"libapr0~2.0.59~1.8\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2\", rpm:\"apache2~2.0.59~1.8\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-devel\", rpm:\"apache2-devel~2.0.59~1.8\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-prefork\", rpm:\"apache2-prefork~2.0.59~1.8\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.0.59~1.8\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-doc\", rpm:\"apache2-doc~2.0.59~1.8\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-example-pages\", rpm:\"apache2-example-pages~2.0.59~1.8\", rls:\"OES\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"SLES9\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache\", rpm:\"apache~1.3.29~71.26\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-devel\", rpm:\"apache-devel~1.3.29~71.26\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-doc\", rpm:\"apache-doc~1.3.29~71.26\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-example-pages\", rpm:\"apache-example-pages~1.3.29~71.26\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.8.16~71.26\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libapr0\", rpm:\"libapr0~2.0.59~1.8\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2\", rpm:\"apache2~2.0.59~1.8\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-devel\", rpm:\"apache2-devel~2.0.59~1.8\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"apache2-prefork\", rpm:\"apache2-prefork~2.0.59~1.8\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.0.59~1.8\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-doc\", rpm:\"apache2-doc~2.0.59~1.8\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-example-pages\", rpm:\"apache2-example-pages~2.0.59~1.8\", rls:\"SLES9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"NLDk9SDK\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache\", rpm:\"apache~1.3.29~71.26\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-devel\", rpm:\"apache-devel~1.3.29~71.26\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-doc\", rpm:\"apache-doc~1.3.29~71.26\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-example-pages\", rpm:\"apache-example-pages~1.3.29~71.26\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.8.16~71.26\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libapr0\", rpm:\"libapr0~2.0.59~1.8\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2\", rpm:\"apache2~2.0.59~1.8\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-devel\", rpm:\"apache2-devel~2.0.59~1.8\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"apache2-prefork\", rpm:\"apache2-prefork~2.0.59~1.8\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.0.59~1.8\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-doc\", rpm:\"apache2-doc~2.0.59~1.8\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-example-pages\", rpm:\"apache2-example-pages~2.0.59~1.8\", rls:\"NLDk9SDK\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"LES10SP1\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache2\", rpm:\"apache2~2.2.3~16.17.3\", rls:\"LES10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-devel\", rpm:\"apache2-devel~2.2.3~16.17.3\", rls:\"LES10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-doc\", rpm:\"apache2-doc~2.2.3~16.17.3\", rls:\"LES10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-example-pages\", rpm:\"apache2-example-pages~2.2.3~16.17.3\", rls:\"LES10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-prefork\", rpm:\"apache2-prefork~2.2.3~16.17.3\", rls:\"LES10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.2.3~16.17.3\", rls:\"LES10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"SLESDK10SP1\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache2\", rpm:\"apache2~2.2.3~16.17.3\", rls:\"SLESDK10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"apache2-devel\", rpm:\"apache2-devel~2.2.3~16.17.3\", rls:\"SLESDK10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-doc\", rpm:\"apache2-doc~2.2.3~16.17.3\", rls:\"SLESDK10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-example-pages\", rpm:\"apache2-example-pages~2.2.3~16.17.3\", rls:\"SLESDK10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-prefork\", rpm:\"apache2-prefork~2.2.3~16.17.3\", rls:\"SLESDK10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.2.3~16.17.3\", rls:\"SLESDK10SP1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"SL10.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache2\", rpm:\"apache2~2.2.3~16.17.3\", rls:\"SL10.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-devel\", rpm:\"apache2-devel~2.2.3~16.17.3\", rls:\"SL10.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-doc\", rpm:\"apache2-doc~2.2.3~16.17.3\", rls:\"SL10.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-example-pages\", rpm:\"apache2-example-pages~2.2.3~16.17.3\", rls:\"SL10.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-prefork\", rpm:\"apache2-prefork~2.2.3~16.17.3\", rls:\"SL10.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.2.3~16.17.3\", rls:\"SL10.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"NLPOS9\")\n{\n\n if 
((res = isrpmvuln(pkg:\"apache\", rpm:\"apache~1.3.29~71.26\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-devel\", rpm:\"apache-devel~1.3.29~71.26\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-doc\", rpm:\"apache-doc~1.3.29~71.26\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-example-pages\", rpm:\"apache-example-pages~1.3.29~71.26\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.8.16~71.26\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libapr0\", rpm:\"libapr0~2.0.59~1.8\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2\", rpm:\"apache2~2.0.59~1.8\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-devel\", rpm:\"apache2-devel~2.0.59~1.8\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-prefork\", rpm:\"apache2-prefork~2.0.59~1.8\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.0.59~1.8\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-doc\", rpm:\"apache2-doc~2.0.59~1.8\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache2-example-pages\", rpm:\"apache2-example-pages~2.0.59~1.8\", rls:\"NLPOS9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-12-04T11:29:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2007-4465", "CVE-2008-0005", "CVE-2007-6421", "CVE-2007-3847", "CVE-2007-6388", "CVE-2007-5000", "CVE-2007-6422"], "description": "Ubuntu Update for apache2 vulnerabilities USN-575-1", "modified": "2017-12-01T00:00:00", "published": "2009-03-23T00:00:00", "id": "OPENVAS:840304", "href": "http://plugins.openvas.org/nasl.php?oid=840304", "type": "openvas", "title": "Ubuntu Update for apache2 vulnerabilities USN-575-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_575_1.nasl 7969 2017-12-01 09:23:16Z santu $\n#\n# Ubuntu Update for apache2 vulnerabilities USN-575-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that Apache did not sanitize the Expect header from\n an HTTP request when it is reflected back in an error message, which\n could result in browsers becoming vulnerable to cross-site scripting\n attacks when processing the output. With cross-site scripting\n vulnerabilities, if a user were tricked into viewing server output\n during a crafted server request, a remote attacker could exploit this\n to modify the contents, or steal confidential data (such as passwords),\n within the same domain. This was only vulnerable in Ubuntu 6.06.\n (CVE-2006-3918)\n\n It was discovered that when configured as a proxy server and using a\n threaded MPM, Apache did not properly sanitize its input. A remote\n attacker could send Apache crafted date headers and cause a denial of\n service via application crash. By default, mod_proxy is disabled in\n Ubuntu. (CVE-2007-3847)\n \n It was discovered that mod_autoindex did not force a character set,\n which could result in browsers becoming vulnerable to cross-site\n scripting attacks when processing the output. (CVE-2007-4465)\n \n It was discovered that mod_imap/mod_imagemap did not force a\n character set, which could result in browsers becoming vulnerable\n to cross-site scripting attacks when processing the output. By\n default, mod_imap/mod_imagemap is disabled in Ubuntu. (CVE-2007-5000)\n \n It was discovered that mod_status when status pages were available,\n allowed for cross-site scripting attacks. By default, mod_status is\n disabled in Ubuntu. 
(CVE-2007-6388)\n \n It was discovered that mod_proxy_balancer did not sanitize its input,\n which could result in browsers becoming vulnerable to cross-site\n scripting attacks when processing the output. By default,\n mod_proxy_balancer is disabled in Ubuntu. This was only vulnerable\n in Ubuntu 7.04 and 7.10. (CVE-2007-6421)\n \n It was discovered that mod_proxy_balancer could be made to\n dereference a NULL pointer. A remote attacker could send a crafted\n request and cause a denial of service via application crash. By\n default, mod_proxy_balancer is disabled in Ubuntu. This was only\n vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-6422)\n \n It was discovered that mod_proxy_ftp did not force a character set,\n which could result in browsers becoming vulnerable to cross-site\n scripting attacks when processing the output. By default,\n mod_proxy_ftp is disabled in Ubuntu. (CVE-2008-0005)\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-575-1\";\ntag_affected = \"apache2 vulnerabilities on Ubuntu 6.06 LTS ,\n Ubuntu 6.10 ,\n Ubuntu 7.04 ,\n Ubuntu 7.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-575-1/\");\n script_id(840304);\n script_version(\"$Revision: 7969 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 10:23:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-23 10:59:50 +0100 (Mon, 23 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"USN\", value: \"575-1\");\n script_cve_id(\"CVE-2006-3918\", \"CVE-2007-3847\", \"CVE-2007-4465\", \"CVE-2007-5000\", \"CVE-2007-6388\", \"CVE-2007-6421\", \"CVE-2007-6422\", \"CVE-2008-0005\");\n script_name( \"Ubuntu Update for apache2 vulnerabilities USN-575-1\");\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU7.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-perchild\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-src\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.3-3.2ubuntu2.1\", rls:\"UBUNTU7.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU6.06 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-common\", ver:\"2.0.55-4ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-perchild\", ver:\"2.0.55-4ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.0.55-4ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.0.55-4ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.0.55-4ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.0.55-4ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.0.55-4ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.0.55-4ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libapr0-dev\", ver:\"2.0.55-4ubuntu2.3\", 
rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libapr0\", ver:\"2.0.55-4ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.0.55-4ubuntu2.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU6.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-common\", ver:\"2.0.55-4ubuntu4.2\", rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-perchild\", ver:\"2.0.55-4ubuntu4.2\", rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.0.55-4ubuntu4.2\", rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.0.55-4ubuntu4.2\", rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.0.55-4ubuntu4.2\", rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.0.55-4ubuntu4.2\", rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.0.55-4ubuntu4.2\", rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.0.55-4ubuntu4.2\", rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libapr0-dev\", ver:\"2.0.55-4ubuntu4.2\", rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libapr0\", ver:\"2.0.55-4ubuntu4.2\", 
rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.0.55-4ubuntu4.2\", rls:\"UBUNTU6.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU7.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-mpm-perchild\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2-src\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.4-3ubuntu0.1\", rls:\"UBUNTU7.10\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2009-1955", "CVE-2007-6203", "CVE-2009-1890", "CVE-2009-0023", "CVE-2010-1452", "CVE-2009-1956", "CVE-2009-1891", "CVE-2009-1195"], "description": "The remote host is missing an update for the Apache-based Web Server package(s) announced via the referenced advisory.", "modified": "2018-10-04T00:00:00", "published": "2011-01-04T00:00:00", "id": "OPENVAS:1361412562310835247", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310835247", "type": "openvas", "title": "HP-UX Update for Apache-based Web Server HPSBUX02612", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hp_ux_HPSBUX02612.nasl 11739 2018-10-04 07:49:31Z cfischer $\n#\n# HP-UX Update for Apache-based Web Server HPSBUX02612\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02579879\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.835247\");\n script_version(\"$Revision: 11739 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-04 09:49:31 +0200 (Thu, 04 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-04 15:48:51 +0100 (Tue, 04 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_xref(name:\"HPSBUX\", value:\"02612\");\n script_cve_id(\"CVE-2010-1452\", \"CVE-2009-1956\", \"CVE-2009-1955\", \"CVE-2009-1891\", \"CVE-2009-1890\", \"CVE-2009-1195\", \"CVE-2009-0023\", \"CVE-2007-6203\", \"CVE-2006-3918\");\n script_name(\"HP-UX Update for Apache-based Web Server HPSBUX02612\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Apache-based Web Server package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/hp_pkgrev\", re:\"ssh/login/release=HPUX(11\\.31|11\\.23|11\\.11)\");\n\n script_tag(name:\"impact\", value:\"Local information disclosure, increase of privilege, remote Denial of Service (DoS)\");\n\n script_tag(name:\"affected\", value:\"Apache-based Web Server on HP-UX B.11.11, B.11.23 and B.11.31 running Apache-based Web Server prior to\n v2.0.63.01 
HP-UX Apache-based Web Server v2.0.63.01 is contained in HP-UX\n Web Server Suite v.2.32\");\n\n script_tag(name:\"insight\", value:\"Potential security vulnerabilities have been identified with HP-UX\n Apache-based Web Server. These vulnerabilities could be exploited locally to\n disclose information, increase privilege or remotely create a Denial of\n Service (DoS).\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = hpux_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"HPUX11.31\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.APACHE\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.APACHE2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.AUTH_LDAP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.AUTH_LDAP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_JK\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_JK2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_PERL\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_PERL2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.PHP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.PHP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.WEBPROXY\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.WEBPROXY\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.APACHE\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.APACHE2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.AUTH_LDAP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.AUTH_LDAP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_JK\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_JK2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_PERL\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_PERL2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.PHP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.PHP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.WEBPROXY\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.WEBPROXY\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.WEBPROXY\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2017-07-24T12:55:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3918", "CVE-2009-1955", "CVE-2007-6203", "CVE-2009-1890", "CVE-2009-0023", "CVE-2010-1452", "CVE-2009-1956", "CVE-2009-1891", "CVE-2009-1195"], "description": "Check for the Version of Apache-based Web Server", "modified": "2017-07-06T00:00:00", "published": "2011-01-04T00:00:00", "id": "OPENVAS:835247", "href": "http://plugins.openvas.org/nasl.php?oid=835247", "type": "openvas", "title": "HP-UX Update for Apache-based Web Server HPSBUX02612", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Apache-based Web Server HPSBUX02612\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Local information disclosure\n increase of privilege\n remote Denial of Service (DoS)\";\ntag_affected = \"Apache-based Web Server on\n HP-UX B.11.11, B.11.23 and B.11.31 running Apache-based Web Server prior to \n v2.0.63.01 HP-UX Apache-based Web Server v2.0.63.01 is contained in HP-UX \n Web Server Suite v.2.32\";\ntag_insight = \"Potential security vulnerabilities have been identified with HP-UX \n Apache-based Web Server. These vulnerabilities could be exploited locally to \n disclose information, increase privilege or remotely create a Denial of \n Service (DoS).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02579879\");\n script_id(835247);\n script_version(\"$Revision: 6582 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 16:11:56 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-04 15:48:51 +0100 (Tue, 04 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_xref(name: \"HPSBUX\", value: \"02612\");\n script_cve_id(\"CVE-2010-1452\", \"CVE-2009-1956\", \"CVE-2009-1955\", \"CVE-2009-1891\", \"CVE-2009-1890\", \"CVE-2009-1195\", \"CVE-2009-0023\", \"CVE-2007-6203\", \"CVE-2006-3918\");\n script_name(\"HP-UX Update for Apache-based Web Server HPSBUX02612\");\n\n script_summary(\"Check for the Version of Apache-based Web Server\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.31\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.APACHE\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.APACHE2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.AUTH_LDAP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.AUTH_LDAP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_JK\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_JK2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_PERL\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_PERL2\", revision:\"B.2.0.63.01\", 
rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.PHP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.PHP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.WEBPROXY\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.WEBPROXY\", revision:\"B.2.0.63.01\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.APACHE\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.APACHE2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.AUTH_LDAP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.AUTH_LDAP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_JK\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_JK2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_PERL\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.MOD_PERL2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.PHP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.PHP2\", 
revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPCH32.WEBPROXY\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.WEBPROXY\", revision:\"B.2.0.63.01\", 
rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP2\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.WEBPROXY\", revision:\"B.2.0.63.01\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) 
exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:56:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3659", "CVE-2008-2939", "CVE-2006-3918", "CVE-2008-5625", "CVE-2008-2666", "CVE-2008-2364", "CVE-2007-6203", "CVE-2007-4465", "CVE-2008-2371", "CVE-2008-3658", "CVE-2008-2168", "CVE-2008-3660", "CVE-2008-0599", "CVE-2008-0005", "CVE-2008-5658", "CVE-2008-2829", "CVE-2008-5624", "CVE-2008-5498", "CVE-2008-5557", "CVE-2008-2665"], "description": "Check for the Version of Apache-based Web Server", "modified": "2017-07-06T00:00:00", "published": "2009-10-22T00:00:00", "id": "OPENVAS:835224", "href": "http://plugins.openvas.org/nasl.php?oid=835224", "type": "openvas", "title": "HP-UX Update for Apache-based Web Server HPSBUX02465", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Apache-based Web Server HPSBUX02465\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote Denial of Service (DoS)\n cross-site scripting (XSS)\n unauthorized access\";\ntag_affected = \"Apache-based Web Server on\n HP-UX B.11.23, B.11.31 running Apache-based Web Server versions before\n v2.2.8.05 HP-UX B.11.11, B.11.23, B.11.31 running Apache-based Web Server\n versions before v2.0.59.12\";\ntag_insight = \"Potential security vulnerabilities have been identified with HP-UX running\n Apache-based Web Server. The vulnerabilities could be exploited remotely to\n cause a Denial of Service (DoS), cross-site scripting (XSS) or unauthorized\n access. Apache-based Web Server is contained in the Apache Web Server Suite.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01905287-1\");\n script_id(835224);\n script_version(\"$Revision: 6584 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 16:13:23 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-22 15:43:41 +0200 (Thu, 22 Oct 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"HPSBUX\", value: \"02465\");\n script_cve_id(\"CVE-2006-3918\", \"CVE-2007-4465\", \"CVE-2007-6203\", \"CVE-2008-0005\", \"CVE-2008-0599\", \"CVE-2008-2168\", \"CVE-2008-2364\", \"CVE-2008-2371\", \"CVE-2008-2665\", \"CVE-2008-2666\", \"CVE-2008-2829\", \"CVE-2008-2939\", \"CVE-2008-3658\", \"CVE-2008-3659\", \"CVE-2008-3660\", 
\"CVE-2008-5498\", \"CVE-2008-5557\", \"CVE-2008-5624\", \"CVE-2008-5625\", \"CVE-2008-5658\");\n script_name(\"HP-UX Update for Apache-based Web Server HPSBUX02465\");\n\n script_summary(\"Check for the Version of Apache-based Web Server\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.31\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.APACHE\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.APACHE2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.AUTH_LDAP\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.AUTH_LDAP2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.MOD_JK\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.MOD_JK2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.MOD_PERL\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.MOD_PERL2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.PHP\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.PHP2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.WEBPROXY\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APCH32.WEBPROXY2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.WEBPROXY\", revision:\"B.2.0.59.12\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APACHE.APACHE\", revision:\"B.2.2.8.05\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APACHE.APACHE2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APACHE.AUTH_LDAP\", revision:\"B.2.2.8.05\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APACHE.AUTH_LDAP2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APACHE.MOD_JK\", revision:\"B.2.2.8.05\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APACHE.MOD_JK2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APACHE.MOD_PERL\", revision:\"B.2.2.8.05\", 
rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APACHE.MOD_PERL2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APACHE.PHP\", revision:\"B.2.2.8.05\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxws22APACHE.PHP2\", revision:\"B.2.2.8.05\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.WEBPROXY\", revision:\"B.2.0.59.12\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE\", revision:\"B.2.0.59.12\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.APACHE2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.AUTH_LDAP2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK\", revision:\"B.2.0.59.12\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_JK2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL\", revision:\"B.2.0.59.12\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.MOD_PERL2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP\", revision:\"B.2.0.59.12\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.PHP2\", revision:\"B.2.0.59.12\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE.WEBPROXY\", 
revision:\"B.2.0.59.12\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOracle HTTP Server - Cross-Site Scripting Header Injection", "edition": 1, "published": "2011-06-13T00:00:00", "title": "Oracle HTTP Server - Cross-Site Scripting Header Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3918", "CVE-2007-0275"], "modified": "2011-06-13T00:00:00", "id": "EXPLOITPACK:683C3B1D02827D6B32706DB1D146B2D8", "href": "", "sourceData": "---------------------------------------------------------------------------------------------------------\n Oracle HTTP Server XSS Header Injection \n---------------------------------------------------------------------------------------------------------\n# Attack Pattern ID : CAPEC-86\n# CWE ID : CI-79\n# OWASP IDs : A1-Injections, A2-Cross Site Scripting (XSS)\n# CVE ID : not yet\n# Related CVEs : CVE-2006-3918, CVE-2007-0275\n# A.K.A : Unfiltered Header Injection\n# Product Type : Application\n# Vendor : Oracle Corporation\n# Product : Oracle HTTP Server for Oracle Application Server 10g\n# Vulnerable Versions: 10.1.2.0.2 \n# Probably Vulnerable: (not tested) 10.1.2.0.0, 9.0.4.3.0, 9.0.4.2.0, 9.0.4.1.0, 9.0.4.0.0\n# Severity : Medium\n# Tested on\t : Linux, Windows Server 2003\n# Download link : http://www.oracle.com/technetwork/middleware/ias/downloads/101201se-090616.html\n# Date : 12/06/2011\n# Google Dork : allintitle:\"Oracle HTTP Server -\"\n-------------------------------------------------------------------------------------------------------\n[-] Credit : Yasser ABOUKIR\n[-] Site : http://www.yaboukir.com \n[-] Email : yaboukir@gmail.com\n[-] Occupation: ITC security engineering student at ENSIAS - 
Morocco\n-------------------------------------------------------------------------------------------------------\n[+] Vulnerability description:\n\tThe Oracle HTTP Server does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file. \n\n[+] Vulnerability origin: \n\tOracle HTTP Server (OHS) developed by Oracle Corporation is an OracleAS 10g's Web Server component. The vulnerable product is based on the Apache 1.3 Web server. The latter is vulnerable to Unfiltered Header Injection, which is the origin of the vulnerability in this OHS version.\n\n[+] PoC: \n See the video in Youtube: http://www.youtube.com/watch?v=cBmbkAYXdjo\n See the PDF: http://www.yaboukir.com/wp-content/bugtraq/XSS_Header_Injection_in_OHS_by_Yasser.pdf\n\n[+] Attack:\n \t> Attack Prerequisites for a successful exploitation:\n\t\tTarget software must be a client that allows scripting communication from remote hosts. Crafting the attack to exploit this issue is not a complex process. However most of the unsophisticated attackers will not know that such an attack is possible. Also an attacker needs to reach his victims by enticing them to visit remote site of some sort to redirect them and data to. 
\n\t> Attacker Skills or Knowledge Required\n \t\t- Skill or Knowledge Level: Low\n\t\t\tTo achieve a redirection and use of less trusted source, an attacker can simply edit HTTP Headers that are sent to client machine.\n \t\t- Skill or Knowledge Level: High\n\t\t\tExploiting a client side vulnerability to inject malicious scripts into the browser's executable process.\n\t> Methods of Attack\n\t\t- Injection\n\t\t- Modification of Resources\n\t\t- Protocol Manipulation\n\t> Exploit:\n\t\t- Steal session IDs, credentials, page content, etc.: \n As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.\n\t\t- Forceful browsing: \nWhen the attacker targets this Oracle application (through CSRF vulnerabilities, Clickjacking), the user will then be the one who perform the attacks without being aware of it. \n\t\t- Content spoofing:\nBy manipulating the content, the attacker targets the information that the user would like to get from the Website.\n\n[+] Solution:\nA solution to this issue might be to update/upgrade to Oracle HTTP Server 11g, which is based on Apache 2.2. Oracle supports only the code it ships with the Oracle Application Server 10g; externally added modules or other changes are not supported. Consequently, the security patches that the Apache organization released for this vulnerability in versions 1.3.35/2.0.58/2.2.2 should not be applied directly onto Oracle HTTP Server. 
\n\n[+] References:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918\nOracle Application Server 10g Release 3 (10.1.3.1.0) Overview of Oracle HTTP Server, An Oracle White Paper, October 2006\n http://seclists.org/Webappsec/2006/q2/245\n http://www.securiteam.com/securityreviews/5KP0M1FJ5E.html\n http://www.securityfocus.com/archive/1/441014\n http://kb2.adobe.com/cps/403/kb403030.html\n http://www.oracle.com/technetwork/middleware/ias/index-091236.html\n http://www.oracle.com/technetwork/middleware/ias/faq-089946.html\n http://download.oracle.com/otndocs/tech/ias/portal/files/RG/complete_Web_site_ohs_faq.htm#OHS\n http://xss.cx/http-header-injection-expect-response-splitting-cI-113-example-poc.aspx\nhttp://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-707/opxss-1/Oracle-Application-Server.html\n\nPDF Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17393.pdf (XSS_Header_Injection_in_OHS_by_Yasser.pdf)", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "suse": [{"lastseen": "2016-09-04T12:36:33", "bulletinFamily": "unix", "cvelist": ["CVE-2005-2700", "CVE-2006-3918", "CVE-2005-3357"], "description": "The web server Apache2 has been updated to fix several security issues:\n#### Solution\nThere is no known workaround, please install the update packages.", "edition": 1, "modified": "2006-09-08T14:34:17", "published": "2006-09-08T14:34:17", "id": "SUSE-SA:2006:051", "href": "http://lists.opensuse.org/opensuse-security-announce/2006-09/msg00016.html", "type": "suse", "title": "cryptographic problems in apache2", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:14:44", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3918", "CVE-2007-6203", "CVE-2008-0005", "CVE-2007-6421", "CVE-2007-6388", "CVE-2007-5000", "CVE-2007-6422"], "description": "Various minor bugs have been fixed in the Apache 1 and Apache 2 web 
servers and released as a roll-up update.\n#### Solution\nThere is no known workaround, please install the update packages.", "edition": 1, "modified": "2008-04-04T16:29:16", "published": "2008-04-04T16:29:16", "id": "SUSE-SA:2008:021", "href": "http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html", "type": "suse", "title": "cross site scripting in apache2,apache", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "ubuntu": [{"lastseen": "2020-07-08T23:31:57", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3918", "CVE-2007-4465", "CVE-2008-0005", "CVE-2007-6421", "CVE-2007-3847", "CVE-2007-6388", "CVE-2007-5000", "CVE-2007-6422"], "description": "It was discovered that Apache did not sanitize the Expect header from \nan HTTP request when it is reflected back in an error message, which \ncould result in browsers becoming vulnerable to cross-site scripting \nattacks when processing the output. With cross-site scripting \nvulnerabilities, if a user were tricked into viewing server output \nduring a crafted server request, a remote attacker could exploit this \nto modify the contents, or steal confidential data (such as passwords), \nwithin the same domain. This was only vulnerable in Ubuntu 6.06. \n(CVE-2006-3918)\n\nIt was discovered that when configured as a proxy server and using a \nthreaded MPM, Apache did not properly sanitize its input. A remote \nattacker could send Apache crafted date headers and cause a denial of \nservice via application crash. By default, mod_proxy is disabled in \nUbuntu. (CVE-2007-3847)\n\nIt was discovered that mod_autoindex did not force a character set, \nwhich could result in browsers becoming vulnerable to cross-site \nscripting attacks when processing the output. 
(CVE-2007-4465)\n\nIt was discovered that mod_imap/mod_imagemap did not force a \ncharacter set, which could result in browsers becoming vulnerable \nto cross-site scripting attacks when processing the output. By \ndefault, mod_imap/mod_imagemap is disabled in Ubuntu. (CVE-2007-5000)\n\nIt was discovered that mod_status when status pages were available, \nallowed for cross-site scripting attacks. By default, mod_status is \ndisabled in Ubuntu. (CVE-2007-6388)\n\nIt was discovered that mod_proxy_balancer did not sanitize its input, \nwhich could result in browsers becoming vulnerable to cross-site \nscripting attacks when processing the output. By default, \nmod_proxy_balancer is disabled in Ubuntu. This was only vulnerable \nin Ubuntu 7.04 and 7.10. (CVE-2007-6421)\n\nIt was discovered that mod_proxy_balancer could be made to \ndereference a NULL pointer. A remote attacker could send a crafted \nrequest and cause a denial of service via application crash. By \ndefault, mod_proxy_balancer is disabled in Ubuntu. This was only \nvulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-6422)\n\nIt was discovered that mod_proxy_ftp did not force a character set, \nwhich could result in browsers becoming vulnerable to cross-site \nscripting attacks when processing the output. By default, \nmod_proxy_ftp is disabled in Ubuntu. (CVE-2008-0005)", "edition": 5, "modified": "2008-02-04T00:00:00", "published": "2008-02-04T00:00:00", "id": "USN-575-1", "href": "https://ubuntu.com/security/notices/USN-575-1", "title": "Apache vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}