92 matches found
Debian: Security Advisory (DSA-1645-1)
The remote host is missing an update for the Debian...
K17296065: Apache mod_userdir vulnerability CVE-2016-4975
Security Advisory Description: Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache...
SUSE CVE-2008-4360
mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a...
CVE-2008-1270
mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the nobody directory...
Privilege Escalation
Apache is vulnerable to privilege escalation attacks. This exists in mod_userdir. An attacker could use this flaw to inject CRLF characters into the HTTP header and could possibly gain access to secure data...
lighttpd < 1.4.51 Multiple Vulnerabilities
According to its banner, the version of lighttpd running on the remote host is prior to 1.4.51. It is, therefore, affected by the following vulnerabilities according to its release notes: - An unspecified header processing vulnerability in core - An unspecified username vulnerability in moduserdi...
MGASA-2018-0430 Updated lighttpd packages fix security vulnerabilities
Updated lighttpd package fixes security vulnerabilities: Potential path traversal with specific configs or in some use cases in mod_alias. use-after-free invalid Range requests in core. Process headers after combining folded headers in core. Skip username "." and ".." in mod_userdir...
Security update for apache2 (moderate)
This update for apache2 fixes the following issues: Security issues fixed: - CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chai...
Internet Bug Bounty: mod_userdir CRLF injection (CVE-2016-4975)
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Reported to security team 24th July 2016 Issu...
SUSE-SU-2018:2554-1 Security update for apache2
This update for apache2 fixes the following issues: Security issues fixed: - CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chai...
CVE-2016-4975
It was found that Apache was vulnerable to a HTTP response splitting attack for sites which use mod_userdir. An attacker could use this flaw to inject CRLF characters into the HTTP header and could possibly gain access to secure data...
CVE-2016-4975
CVE-2016-4975: Apache HTTP Server is vulnerable to CRLF injection in mod_userdir causing HTTP response splitting. Affected: 2.4.1–2.4.23. Mitigation/fix: upgrade to Apache HTTP Server 2.4.25 (and 2.2.32 for the 2.2 line). The issue is resolved by changes that prohibit CR or LF injection into head...
CVE-2016-4975 mod_userdir CRLF injection
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 Affected...
CVE-2016-4975
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 Affected...
Crlf injection
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 Affected...
CVE-2016-4975
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 Affected...
DEBIAN-CVE-2016-4975
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 Affected...
UBUNTU-CVE-2016-4975
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 Affected...
httpd: CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir
It was found that Apache was vulnerable to a HTTP response splitting attack for sites which use mod_userdir. An attacker could use this flaw to inject CRLF characters into the HTTP header and could possibly gain access to secure data...
Apache 2.2.x < 2.2.32 Multiple Vulnerabilities (httpoxy)
According to its banner, the version of Apache running on the remote host is 2.2.x prior to 2.2.32. It is, therefore, affected by the following vulnerabilities : - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve...