OpenBSD Accept/Deny Rule Parsing Weakness

2004-03-13T00:00:00
ID OSVDB:19837
Type osvdb
Reporter OSVDB
Modified 2004-03-13T00:00:00

Description

Vulnerability Description

When OpenBSD is deployed on big-endian platforms (sparc64), it contains a flaw that may allow a malicious user to bypass httpd access module allow/deny rules. The issue is triggered when IP addresses are used in those rules without a netmask, causing the rules to fail to match. It is possible that the flaw may allow unauthorized access, resulting in a loss of confidentiality.
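As an added illustration (this is not code from OpenBSD or Apache httpd, and not taken from the advisory), the following C program implements the allow/deny IP matching semantics the description refers to: a rule may be a bare address, an address with a prefix length, or an address with a dotted netmask, and a bare address is an exact host match. Addresses and masks are held in fixed-width uint32_t values in host byte order so the comparison gives the same answer on big- and little-endian hosts. The advisory does not state the root cause of the flaw, so the code shows only the intended behaviour that a patched deployment can be checked against; the sample rule set and client addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One Allow/Deny entry, network address and mask in host byte order. */
typedef struct {
    uint32_t addr;
    uint32_t mask;
} ip_rule;

/* Parse a dotted quad into a host-order uint32_t. Returns 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char trailing;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4)
        return 0;                       /* too few fields or trailing junk */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 1;
}

/* Parse "a.b.c.d", "a.b.c.d/bits" or "a.b.c.d/m.m.m.m".
 * A bare address gets an all-ones mask and so matches exactly one host. */
static int parse_rule(const char *text, ip_rule *r)
{
    char buf[64], *slash;
    if (strlen(text) >= sizeof buf)
        return 0;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash != NULL)
        *slash++ = '\0';
    if (!parse_ipv4(buf, &r->addr))
        return 0;
    if (slash == NULL) {
        r->mask = 0xffffffffu;                  /* no netmask: exact host */
    } else if (strchr(slash, '.') != NULL) {
        if (!parse_ipv4(slash, &r->mask))       /* dotted netmask */
            return 0;
    } else {
        char *end;
        unsigned long bits;
        if (*slash == '\0')
            return 0;
        bits = strtoul(slash, &end, 10);
        if (*end != '\0' || bits > 32)
            return 0;
        /* shifting a 32-bit value by 32 is undefined, so treat /0 apart */
        r->mask = bits == 0 ? 0u : (uint32_t)(0xffffffffu << (32 - bits));
    }
    r->addr &= r->mask;    /* canonicalise: "10.1.2.3/8" means 10.0.0.0/8 */
    return 1;
}

/* 1 = client matches rule, 0 = no match, -1 = unparseable input. */
int matches_text(const char *rule_text, const char *client_text)
{
    ip_rule r;
    uint32_t client;
    if (!parse_rule(rule_text, &r) || !parse_ipv4(client_text, &client))
        return -1;
    return (client & r.mask) == r.addr;
}

/* "Order allow,deny" semantics: admitted only if some Allow entry matches
 * and no Deny entry matches. Returns 1 allowed, 0 denied, -1 parse error. */
int allow_deny_decision(const char *const *allow, size_t n_allow,
                        const char *const *deny, size_t n_deny,
                        const char *client_text)
{
    size_t i;
    int allowed = 0;
    for (i = 0; i < n_allow; i++) {
        int m = matches_text(allow[i], client_text);
        if (m < 0) return -1;
        if (m) allowed = 1;
    }
    for (i = 0; i < n_deny; i++) {
        int m = matches_text(deny[i], client_text);
        if (m < 0) return -1;
        if (m) return 0;
    }
    return allowed;
}

/* Constructed sample policy: admit 10/8 except one host given without a
 * netmask, which must be read as that single host and nothing more. */
int sample_decision(const char *client_text)
{
    static const char *const allow[] = { "10.0.0.0/8" };
    static const char *const deny[]  = { "10.0.0.5" };
    return allow_deny_decision(allow, 1, deny, 1, client_text);
}

int main(void)
{
    const char *clients[] = { "10.0.0.5", "10.0.0.6", "192.0.2.1" };
    size_t i;
    for (i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-12s -> %s\n", clients[i],
               sample_decision(clients[i]) == 1 ? "allowed" : "denied");
    return 0;
}
```

Running the program prints one decision per constructed client; the point to verify after patching is that a bare-address Deny entry rejects exactly that host while the rest of the allowed network is still admitted.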

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, OpenBSD has released patches to address this vulnerability.

Short Description

When OpenBSD is deployed on big-endian platforms (sparc64), it contains a flaw that may allow a malicious user to bypass httpd access module allow/deny rules. The issue is triggered when IP addresses are used in those rules without a netmask, causing the rules to fail to match. It is possible that the flaw may allow unauthorized access, resulting in a loss of confidentiality.

References:

Vendor Specific Solution URL: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/014_httpd2.patch
Vendor Specific Solution URL: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/019_httpd2.patch
Vendor Specific Advisory URL
Vendor Specific Advisory URL
CVE-2004-2338
Bugtraq ID: 9867