465 matches found

CentOS
added 2016/07/18 3:57 p.m. | 106 views

httpd, mod_ssl security update

CentOS Errata and Security Advisory CESA-2016:1421. An update for httpd is now available for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,...

CVSS 8.1 | AI score 6.7 | EPSS 0.55724
Exploits: 0 | References: 7
RedhatCVE
added 2016/07/18 2:19 p.m. | 79 views

CVE-2016-5387

It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could...

CVSS 8.1 | AI score 0.5 | EPSS 0.55724
Exploits: 0 | References: 2
OSV
added 2016/07/18 2:6 p.m. | 5 views

SUSE-SU-2016:1820-1 Security update for apache2-mod_fcgid

This update for apache2-mod_fcgid fixes the following issues: It used to be possible to set an arbitrary $HTTP_PROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request (CVE-2016-1000104). As a result, these server components...

CVSS 8.8 | AI score 8.7 | EPSS 0.02228
Exploits: 0 | References: 3
Fedora
added 2016/07/15 6:21 p.m. | 34 views

[SECURITY] Fedora 22 Update: perl-5.20.3-332.fc22

Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most common...

CVSS 7.8 | AI score 0.5 | EPSS 0.00794
Exploits: 1
BDU FSTEC
added 2016/07/07 12:0 a.m. | 6 views

The vulnerability of the microprogramming software in the Solar-Log photovoltaic system allows a remote attacker to gain unauthorized access to confidential information.

The vulnerability of the microprogramming software in the Solar-Log photovoltaic system arises from the lack of password protection for CGI scripts used for data backup, restoration, and system configuration. Exploiting this vulnerability allows a malicious individual to gain unauthorized access ...

CVSS 5 | AI score 5.5
Exploits: 0 | References: 6 | Affected Software: 1
Fedora
added 2016/07/02 3:45 p.m. | 60 views

[SECURITY] Fedora 24 Update: php-5.6.23-1.fc24

PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is...

CVSS 9.8 | AI score 0.4 | EPSS 0.15083
Exploits: 9
Fedora
added 2016/03/13 9:57 a.m. | 43 views

[SECURITY] Fedora 22 Update: perl-5.20.3-329.fc22

Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most common...

CVSS 7.5 | AI score 0.5 | EPSS 0.09007
Exploits: 0
0day.today
added 2015/12/05 12:0 a.m. | 90 views

Linksys EA6100 Wireless Router Authentication Bypass Vulnerability

Linksys EA6100 Wireless Router suffers from an authentication bypass vulnerability. Title: Linksys EA6100 Wireless Router Authentication Bypass Advisory ID: KL-001-2015-006 Publication Date: 2015.12.04 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-006.txt 1...

AI score 7
Exploits: 0
OSV
added 2015/12/01 12:0 a.m. | 0 views

UBUNTU-CVE-2015-8393

pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client...

CVSS 7.5 | AI score 7.2 | EPSS 0.04371
Exploits: 0 | References: 5
Fedora
added 2015/02/23 11:28 p.m. | 65 views

[SECURITY] Fedora 21 Update: php-5.6.6-1.fc21

PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is...

CVSS 10 | AI score 0.4 | EPSS 0.94859
Exploits: 38
securityvulns
added 2014/10/15 12:0 a.m. | 137 views

[RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution

Advisory: Python CGIHTTPServer File Disclosure and Potential Code Execution The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary CGI scripts in the server's document root...

AI score 8.3 | EPSS 0.24148
Exploits: 5
Tenable Nessus
added 2014/10/12 12:0 a.m. | 49 views

Amazon Linux AMI : httpd24 (ALAS-2014-389)

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd chi...

CVSS 6.8 | AI score 7.6 | EPSS 0.85744
Exploits: 5 | References: 4
The Hacker News
added 2014/09/26 8:7 p.m. | 124 views

Hackers Using 'Shellshock' Bash Vulnerability to Launch Botnet Attacks

Researchers on Thursday discovered a critical remotely exploitable vulnerability in the widely used command-line shell GNU Bourne Again Shell (Bash), dubbed "Shellshock", which affects most of the Linux distributions and servers worldwide, and may already have been exploited in the wild to take over...

CVSS 10 | AI score 9.3 | EPSS 0.99999
Exploits: 139
ThreatPost
added 2014/09/25 2:34 p.m. | 72 views

Patching Bash Vulnerability a Challenge for ICS, SCADA

While the most urgent focus where the Bash vulnerability is concerned is around Internet-facing web servers, embedded systems and industrial control systems are not exempt from worry. Experts are concerned about Linux-based industrial control systems and SCADA equipment, in particular, that may b...

CVSS 10 | AI score 0.1 | EPSS 0.99999
Exploits: 130 | References: 4
Metasploit
added 2014/09/25 6:19 a.m. | 92 views

Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

This module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler...

CVSS 9.8 | AI score 9.5 | EPSS 0.99999
Exploits: 147
Packet Storm
added 2014/09/25 12:0 a.m. | 86 views

Bash Environment Variable Command Execution

Date: Wed, 24 Sep 2014 17:03:19 +0200 From: Florian Weimer To: [email protected] Subject: Re: CVE-2014-6271: remote code execution through bash Florian Weimer: Chet Ramey, the GNU bash upstream maintainer, will soon release official upstream patches...

CVSS 10 | AI score 0.8 | EPSS 0.99999
Exploits: 130
securityvulns
added 2014/09/25 12:0 a.m. | 266 views

Re: [oss-security] CVE-2014-6271: remote code execution through bash

Florian Weimer: Chet Ramey, the GNU bash upstream maintainer, will soon release official upstream patches. http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017 http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018 http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052...

CVSS 10 | AI score 0.3 | EPSS 0.99999
Exploits: 130
ATTACKERKB
added 2014/09/24 12:0 a.m. | 91 views

CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cg...

CVSS 10 | AI score 9.7 | EPSS 0.99999
In wild | Exploits: 150 | References: 218
Tenable Nessus
added 2014/09/16 12:0 a.m. | 46 views

Usermin Null Byte Filtering Information Disclosure

The version of Usermin installed on the remote host is affected by an information disclosure vulnerability due to the Perl script 'miniserv.pl' failing to properly filter null characters from URLs. An attacker could exploit this to reveal the source code of CGI scripts, obtain directory listings,...

CVSS 6.8 | AI score 5.3 | EPSS 0.0297
Exploits: 0 | References: 2
RedHat Linux
added 2014/08/21 3:30 p.m. | 4 views

httpd: mod_cgid denial of service

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely...

CVSS 5 | AI score 6.7 | EPSS 0.43809
Exploits: 1 | References: 5