* SITIC Vulnerability Advisory *
Advisory Name: Apache config file env variable buffer overflow
Advisory Reference: SA04-002
Date of initial release: 2004-09-15
Product: Apache 2.0.x
Platform: Linux, BSD systems, Unix, Windows
Effect: Code execution when processing .htaccess files
Vulnerability Identifier: CAN-2004-0747
Overview:
Apache suffers from a buffer overflow when expanding environment variables
in configuration files such as .htaccess and httpd.conf. In a setup typical
of ISPs, for instance, users are allowed to configure their own public_html
directories with .htaccess files. A local user who can write such a file can
therefore crash the server or execute code with the privileges of the httpd
process, i.e. a local privilege escalation to the web server's account.
Details:
The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess
or httpd.conf files. The function ap_resolve_env() in server/util.c copies
the values of the referenced environment variables into the fixed-size
character array tmp with strcat(3). strcat(3) performs no bounds check, so a
directive whose ${...} references expand to more bytes than tmp can hold
writes past the end of the array.
HTTP requests that exploit this problem are not shown in the access log,
because the child process serving the request dies before the request is
logged. The error log does record the resulting segmentation faults (the
usual "child pid ... exit signal Segmentation fault (11)" entries), which is
the indicator to look for.
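The following is an added illustration of the flaw class just described; it is not Apache's server/util.c and not part of the SITIC advisory. It models the ${NAME} expansion rules (known variable substituted, unknown ${NAME} and a lone $ kept as written), computes how many bytes an expansion needs, flags when that would overrun a fixed-size tmp[] filled with strcat(3), and shows a bounded alternative that measures first and allocates exactly. The array size FIXED_TMP_LEN, the demo_lookup() table standing in for getenv(), and the sample directive arguments are all assumptions made for the demonstration.

```c
/* Added illustration (not Apache's server/util.c, not part of the advisory):
 * a simplified model of the flaw class above.  FIXED_TMP_LEN and the values
 * returned by demo_lookup() are assumptions made for the demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FIXED_TMP_LEN 64   /* assumed size of the vulnerable model's tmp[] */

typedef const char *(*lookup_fn)(const char *name);

/* Constructed stand-in for getenv() so the example is deterministic. */
static const char *demo_lookup(const char *name)
{
    if (strcmp(name, "PATH") == 0)
        return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
    if (strcmp(name, "HOME") == 0)
        return "/home/alice";
    return NULL;
}

/* One pass over 'word': ${NAME} becomes its value, an unknown ${NAME} and a
 * lone '$' stay as written.  out == NULL only measures (length without NUL);
 * otherwise the expansion is written to out, which must hold length + 1. */
static size_t expand_into(const char *word, lookup_fn lookup, char *out)
{
    size_t n = 0;
    const char *s, *e;
    while ((s = strchr(word, '$')) != NULL) {
        size_t lit = (size_t)(s - word);           /* literal run before '$' */
        if (out) memcpy(out + n, word, lit);
        n += lit;
        if (s[1] == '{' && (e = strchr(s, '}')) != NULL) {
            char name[256];
            size_t namelen = (size_t)(e - (s + 2));
            const char *val = NULL;
            if (namelen < sizeof name) {
                memcpy(name, s + 2, namelen);
                name[namelen] = '\0';
                val = lookup(name);
            }
            if (val) {                              /* substitute the value */
                size_t vl = strlen(val);
                if (out) memcpy(out + n, val, vl);
                n += vl;
            } else {                                /* unknown: keep ${NAME} */
                size_t tok = (size_t)(e + 1 - s);
                if (out) memcpy(out + n, s, tok);
                n += tok;
            }
            word = e + 1;
        } else {                                    /* lone '$' */
            if (out) out[n] = '$';
            n++;
            word = s + 1;
        }
    }
    size_t rest = strlen(word);
    if (out) { memcpy(out + n, word, rest); out[n + rest] = '\0'; }
    return n + rest;
}

/* Bytes the expansion needs, not counting the terminating NUL. */
size_t expanded_length(const char *word, lookup_fn lookup)
{
    return expand_into(word, lookup, NULL);
}

/* The vulnerable model strcat()s into char tmp[FIXED_TMP_LEN] without any
 * length check, so FIXED_TMP_LEN bytes or more of expansion overrun it. */
int would_overflow_fixed_buffer(const char *word, lookup_fn lookup)
{
    return expanded_length(word, lookup) >= FIXED_TMP_LEN;
}

/* Bounded replacement: measure, allocate exactly, fill.  Caller frees. */
char *expand_env_safe(const char *word, lookup_fn lookup)
{
    size_t need = expand_into(word, lookup, NULL);
    char *out = malloc(need + 1);
    if (out) expand_into(word, lookup, out);
    return out;
}

/* Expand with the demo table and compare; 1 on exact match. */
int expands_to(const char *word, const char *expected)
{
    char *r = expand_env_safe(word, demo_lookup);
    int ok = (r != NULL && strcmp(r, expected) == 0);
    free(r);
    return ok;
}

int main(void)
{
    /* Constructed directive arguments as a .htaccess author might write them. */
    const char *words[] = { "${HOME}/public_html", "${PATH}", "${PATH}${PATH}" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s -> %3zu bytes, %s\n", words[i],
               expanded_length(words[i], demo_lookup),
               would_overflow_fixed_buffer(words[i], demo_lookup) ? "overruns tmp[]" : "fits");
    return 0;
}
```

The point of the model is that the attacker does not need to control any environment variable's value: with a fixed array and unchecked strcat(3), repeating ${PATH} a few times in a single directive argument is enough to exceed the buffer. The bounded version removes the fixed limit entirely by sizing the output from the input; this page does not describe how the 2.0.51 fix itself is implemented.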
Mitigating factors:
Exploitation requires manual installation of malicious .htaccess files by
someone with normal user rights. Where the server is configured with
AllowOverride None for user-writable directories, .htaccess files there are
not parsed at all and this vector is closed; the httpd.conf case only
concerns users who can already edit the main server configuration.
Affected versions:
o Apache 2.0.50
o earlier 2.0.x releases (CVE-2004-0747 covers 2.0.50 and earlier)
Recommendations:
o A fix for this issue is incorporated into Apache 2.0.51; upgrade to 2.0.51
or later and confirm the running build with "httpd -v".
o For Apache 2.0.*: The Apache Software Foundation has published a patch
against 2.0.50 which is the official fix for this issue.
Patch information:
o The Apache 2.0.51 release is available from the following source:
http://httpd.apache.org/
o For Apache 2.0.*, the patch is available from the following source:
http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/
Acknowledgments:
This vulnerability was discovered by Ulf Harnhammar for SITIC, Swedish IT
Incident Centre.
Contact information:
Swedish IT Incident Centre, SITIC
P O Box 5398, SE-102 49 Stockholm, Sweden
Telephone: +46-8-678 5799
Email: sitic at pts dot se
http://www.sitic.se
Revision history:
Initial release 2004-09-15
About SITIC:
The Swedish IT Incident Centre within the National Post and Telecom Agency
is tasked with supporting society in protecting against IT incidents. SITIC
facilitates the exchange of information regarding IT incidents between
organisations in society, and disseminates information about new problems
which may impede the functionality of IT systems. In addition, SITIC
provides information and advice regarding proactive measures, and compiles
and publishes statistics.
Disclaimer:
The decision to follow or act on information or advice contained in this
Vulnerability Advisory is the responsibility of each user or organisation.
SITIC accepts no responsibility for any errors or omissions contained within
this Vulnerability Advisory, nor for any consequences which may arise from
following or acting on information or advice contained herein.
{"id": "SECURITYVULNS:DOC:6815", "bulletinFamily": "software", "title": "SA04-002 - Apache config file env variable buffer overflow", "description": "* SITIC Vulnerability Advisory *\r\n\r\n Advisory Name: Apache config file env variable buffer overflow\r\n Advisory Reference: SA04-002\r\n Date of initial release: 2004-09-15\r\n Product: Apache 2.0.x\r\n Platform: Linux, BSD systems, Unix, Windows\r\n Effect: Code execution when processing .htaccess files\r\nVulnerability Identifier: CAN-2004-0747\r\n\r\n\r\nOverview:\r\n\r\nApache suffers from a buffer overflow when expanding environment variables\r\nin configuration files such as .htaccess and httpd.conf. In a setup typical\r\nof ISPs, for instance, users are allowed to configure their own public_html\r\ndirectories with .htaccess files, leading to possible privilege escalation.\r\n\r\n\r\nDetails:\r\n\r\nThe buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess\r\nor httpd.conf files. The function ap_resolve_env() in server/util.c copies\r\ndata from environment variables to the character array tmp with strcat(3),\r\nleading to a buffer overflow.\r\n\r\nHTTP requests that exploit this problem are not shown in the access log. 
The\r\nerror log will show Segmentation faults, though.\r\n\r\n\r\nMitigating factors:\r\n\r\nExploitation requires manual installation of malicious .htaccess files by\r\nsomeone with normal user rights.\r\n\r\n\r\nAffected versions:\r\n\r\n o Apache 2.0.50\r\n o many other 2.0.x versions\r\n\r\n\r\nRecommendations:\r\n\r\n o A fix for this issue is incorporated into Apache 2.0.51\r\n o For Apache 2.0.*: The Apache Software Foundation has published a patch\r\n which is the official fix for this issue.\r\n\r\n\r\nPatch information:\r\n\r\n o The Apache 2.0.51 release is available from the following source:\r\n http://httpd.apache.org/\r\n o For Apache 2.0.*, the patch is available from the following source:\r\n http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/\r\n\r\n\r\nAcknowledgments:\r\n\r\n\r\nThis vulnerability was discovered by Ulf Harnhammar for SITIC, Swedish IT \r\nIncident Centre.\r\n\r\n\r\nContact information:\r\n\r\nSwedish IT Incident Centre, SITIC\r\nP O Box 5398, SE-102 49 Stockholm, Sweden\r\nTelephone: +46-8-678 5799\r\nEmail: sitic at pts dot se\r\nhttp://www.sitic.se\r\n\r\n\r\nRevision history:\r\n\r\nInitial release 2004-09-15\r\n\r\n\r\nAbout SITIC:\r\n\r\nThe Swedish IT Incident Centre within the National Post and Telecom Agency\r\nhas the task to support society in working with protection against IT\r\nincidents. SITIC facilitates exchange of information regarding IT incidents\r\nbetween organisations in society, and disseminates information about new\r\nproblems which potentially may impede the functionality of IT systems. 
In\r\naddition, SITIC provides information and advice regarding proactive measures\r\nand compiles and publishes statistics.\r\n\r\n\r\nDisclaimer:\r\n\r\nThe decision to follow or act on information or advice contained in this\r\nVulnerability Advisory is the responsibility of each user or organisation.\r\nSITIC accepts no responsibility for any errors or omissions contained within\r\nthis Vulnerability Advisory, nor for any consequences which may arise from\r\nfollowing or acting on information or advice contained herein.", "published": "2004-09-16T00:00:00", "modified": "2004-09-16T00:00:00", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6815", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2004-0747"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:10", "edition": 1, "viewCount": 4, "enchantments": {"score": {"value": 6.7, "vector": "NONE", "modified": "2018-08-31T11:10:10", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-0747"]}, {"type": "openvas", "idList": ["OPENVAS:100172", "OPENVAS:835139", "OPENVAS:1361412562310835139", "OPENVAS:52390", "OPENVAS:1361412562310100172", "OPENVAS:54677"]}, {"type": "httpd", "idList": ["HTTPD:FA00EE6E5A32CC9AB0A435F425709933", "HTTPD:FF6707403F89E77CD90F095B4014299E"]}, {"type": "freebsd", "idList": ["4D49F4BA-071F-11D9-B45D-000C41E2CDAD"]}, {"type": "cert", "idList": ["VU:481998"]}, {"type": "nessus", "idList": ["SUSE_SA_2004_032.NASL", "REDHAT-RHSA-2004-463.NASL", "FEDORA_2004-313.NASL", "FREEBSD_PKG_4D49F4BA071F11D9B45D000C41E2CDAD.NASL", "MANDRAKE_MDKSA-2004-096.NASL", "APACHE_2_0_51.NASL", "MACOSX_SECUPD20041202.NASL", "GENTOO_GLSA-200409-21.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:9991"]}, {"type": "gentoo", "idList": ["GLSA-200409-21"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:6814", "SECURITYVULNS:DOC:6813"]}, {"type": "redhat", 
"idList": ["RHSA-2004:463"]}, {"type": "suse", "idList": ["SUSE-SA:2004:032"]}], "modified": "2018-08-31T11:10:10", "rev": 2}, "vulnersScore": 6.7}, "affectedSoftware": []}
{"cve": [{"lastseen": "2020-10-03T11:33:39", "description": "Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables.", "edition": 5, "cvss3": {}, "published": "2004-10-20T04:00:00", "title": "CVE-2004-0747", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0747"], "modified": "2017-10-11T01:29:00", "cpe": ["cpe:/a:apache:http_server:2.0.40", "cpe:/a:apache:http_server:2.0.39", "cpe:/a:apache:http_server:2.0.32", "cpe:/a:apache:http_server:2.0.38", "cpe:/a:apache:http_server:2.0.35", "cpe:/a:apache:http_server:2.0.49", "cpe:/a:apache:http_server:2.0", "cpe:/a:apache:http_server:2.0.50", "cpe:/a:apache:http_server:2.0.28", "cpe:/a:apache:http_server:2.0.48", "cpe:/a:apache:http_server:2.0.46", "cpe:/a:apache:http_server:2.0.45", "cpe:/a:apache:http_server:2.0.41", "cpe:/a:apache:http_server:2.0.44", "cpe:/a:apache:http_server:2.0.37", "cpe:/a:apache:http_server:2.0.43", "cpe:/a:apache:http_server:2.0.47", "cpe:/a:apache:http_server:2.0.36", "cpe:/a:apache:http_server:2.0.42"], "id": "CVE-2004-0747", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0747", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-02T21:10:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0747"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-15T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52390", "href": "http://plugins.openvas.org/nasl.php?oid=52390", "type": "openvas", "title": "FreeBSD Ports: apache", "sourceData": "#\n#VID 4d49f4ba-071f-11d9-b45d-000c41e2cdad\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: apache\n\nCVE-2004-0747\nBuffer overflow in Apache 2.0.50 and earlier allows local users to\ngain apache privileges via a .htaccess file that causes the overflow\nduring expansion of environment variables.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://lists.netsys.com/pipermail/full-disclosure/2004-September/026463.html\nhttp://www.vuxml.org/freebsd/4d49f4ba-071f-11d9-b45d-000c41e2cdad.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52390);\n script_version(\"$Revision: 4075 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-15 15:13:05 +0200 (Thu, 15 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0747\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: apache\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n 
script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"apache\");\nif(!isnull(bver) && revcomp(a:bver, b:\"2.0\")>=0 && revcomp(a:bver, b:\"2.0.50_3\")<0) {\n txt += 'Package apache version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:40:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0747"], "description": "According to its version number, the remote version of Apache Web\n Server is prone to a local buffer-overflow vulnerability that\n affects a configuration file environment variable.", "modified": "2019-03-07T00:00:00", "published": "2009-05-02T00:00:00", "id": "OPENVAS:1361412562310100172", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100172", "type": "openvas", "title": "Apache Web Server Configuration File Environment Variable Local Buffer Overflow Vulnerability", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: apache_cve_2004_0747.nasl 14031 2019-03-07 10:47:29Z cfischer $\n#\n# Apache Web Server Configuration File Environment Variable Local\n# Buffer Overflow 
Vulnerability\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:http_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100172\");\n script_version(\"$Revision: 14031 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-07 11:47:29 +0100 (Thu, 07 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-02 19:46:33 +0200 (Sat, 02 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2004-0747\");\n script_bugtraq_id(11182);\n script_name(\"Apache Web Server Configuration File Environment Variable Local Buffer Overflow Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_apache_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"apache/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/11182\");\n script_xref(name:\"URL\", value:\"http://www.apache.org/dist/httpd/Announcement2.html\");\n\n 
script_tag(name:\"insight\", value:\"The flas occurs because the application fails to validate user-supplied\n string lengths before copying them into finite process buffers.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released an upgrade. Please see\n the references for more information.\");\n\n script_tag(name:\"summary\", value:\"According to its version number, the remote version of Apache Web\n Server is prone to a local buffer-overflow vulnerability that\n affects a configuration file environment variable.\");\n\n script_tag(name:\"impact\", value:\"An attacker may leverage this issue to execute arbitrary code on\n the affected computer with the privileges of the Apache webserver process.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! vers = get_app_version( cpe:CPE, port:port ) )\n exit( 0 );\n\nif( version_is_less( version:vers, test_version:\"2.0.51\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"2.0.51\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-09-19T12:03:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0747"], "description": "According to its version number, the remote version of Apache Web\n Server is prone to a local buffer-overflow vulnerability that\n affects a configuration file environment variable. 
This occurs\n because the application fails to validate user-supplied string\n lengths before copying them into finite process buffers.\n\n An attacker may leverage this issue to execute arbitrary code on\n the affected computer with the privileges of the Apache webserver\n process.", "modified": "2017-09-18T00:00:00", "published": "2009-05-02T00:00:00", "id": "OPENVAS:100172", "href": "http://plugins.openvas.org/nasl.php?oid=100172", "type": "openvas", "title": "Apache Web Server Configuration File Environment Variable Local Buffer Overflow Vulnerability", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: apache_cve_2004_0747.nasl 7176 2017-09-18 12:01:01Z cfischer $\n#\n# Apache Web Server Configuration File Environment Variable Local\n# Buffer Overflow Vulnerability\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"According to its version number, the remote version of Apache Web\n Server is prone to a local buffer-overflow vulnerability that\n affects a configuration file environment variable. 
This occurs\n because the application fails to validate user-supplied string\n lengths before copying them into finite process buffers.\n\n An attacker may leverage this issue to execute arbitrary code on\n the affected computer with the privileges of the Apache webserver\n process.\";\n\ntag_solution = \"The vendor has released an upgrade. Please see\n http://www.apache.org/dist/httpd/Announcement2.html for more\n information.\";\n\nif(description)\n{\n script_id(100172);\n script_version(\"$Revision: 7176 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-18 14:01:01 +0200 (Mon, 18 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-02 19:46:33 +0200 (Sat, 02 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_cve_id(\"CVE-2004-0747\");\n script_bugtraq_id(11182);\n script_name(\"Apache Web Server Configuration File Environment Variable Local Buffer Overflow Vulnerability\");\n\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"http_version.nasl\", \"secpod_apache_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/11182\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nhttpdPort = get_http_port(default:80);\nif(!httpdPort){\n exit(0);\n}\n\nversion = get_kb_item(\"www/\" + httpdPort + \"/Apache\");\nif(version != NULL){\n if(version_is_less(version:version, test_version:\"2.0.51\")){\n security_message(httpdPort);\n }\n}\n", "cvss": {"score": 4.6, "vector": 
"AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0751"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200409-21.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54677", "href": "http://plugins.openvas.org/nasl.php?oid=54677", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200409-21 (apache)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been found in Apache 2 and mod_dav for Apache\n1.3 which could allow a remote attacker to cause a Denial of Service or a\nlocal user to get escalated privileges.\";\ntag_solution = \"All Apache 2 users should upgrade to the latest version:\n\n # emerge sync\n\n # emerge -pv '>=net-www/apache-2.0.51'\n # emerge '>=net-www/apache-2.0.51'\n\nAll mod_dav users should upgrade to the latest version:\n\n # emerge sync\n\n # emerge -pv '>=net-www/mod_dav-1.0.3-r2'\n # emerge '>=net-www/mod_dav-1.0.3-r2'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200409-21\nhttp://bugs.gentoo.org/show_bug.cgi?id=62626\nhttp://bugs.gentoo.org/show_bug.cgi?id=63948\nhttp://bugs.gentoo.org/show_bug.cgi?id=64145\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200409-21.\";\n\n \n\nif(description)\n{\n script_id(54677);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2004-0747\", \"CVE-2004-0748\", \"CVE-2004-0751\", \"CVE-2004-0786\", \"CVE-2004-0809\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200409-21 (apache)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-www/apache\", unaffected: make_list(\"ge 2.0.51\", \"lt 2.0\"), vulnerable: make_list(\"lt 2.0.51\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"net-www/mod_dav\", unaffected: make_list(\"ge 1.0.3-r2\"), vulnerable: make_list(\"le 1.0.3-r1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:56:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0811", "CVE-2004-0751"], "description": "Check for the Version of Apache with PHP", "modified": "2017-07-06T00:00:00", "published": "2009-05-05T00:00:00", "id": "OPENVAS:835139", "href": "http://plugins.openvas.org/nasl.php?oid=835139", "type": "openvas", "title": "HP-UX Update for Apache with PHP HPSBUX01090", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Apache with PHP HPSBUX01090\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it 
under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote denial of service\n local increase in privilege\";\ntag_affected = \"Apache with PHP on\n HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 running the currently supported \n versions of hpuxwsAPACHE HP-UX\";\ntag_insight = \"Several potential security vulnerabilities have been identified inApache Web \n Server and PHP running on HP-UX where a remoteuser may be able to cause a \n Denial of Service (DoS), obtainlocal elevation of privileges or gain \n unauthorized access torestricted resources.<br\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00901851-2\");\n script_id(835139);\n script_version(\"$Revision: 6584 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 16:13:23 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"HPSBUX\", value: \"01090\");\n script_cve_id(\"CVE-2004-0747\", \"CVE-2004-0748\", \"CVE-2004-0751\", \"CVE-2004-0786\", \"CVE-2004-0809\", 
\"CVE-2004-0811\");\n script_name( \"HP-UX Update for Apache with PHP HPSBUX01090\");\n\n script_summary(\"Check for the Version of Apache with PHP\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.00\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.52.00\", rls:\"HPUX11.00\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.52.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.52.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.52.00\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-09T11:39:41", "bulletinFamily": 
"scanner", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0811", "CVE-2004-0751"], "description": "Check for the Version of Apache with PHP", "modified": "2018-04-06T00:00:00", "published": "2009-05-05T00:00:00", "id": "OPENVAS:1361412562310835139", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310835139", "type": "openvas", "title": "HP-UX Update for Apache with PHP HPSBUX01090", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Apache with PHP HPSBUX01090\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote denial of service\n local increase in privilege\";\ntag_affected = \"Apache with PHP on\n HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 running the currently supported \n versions of hpuxwsAPACHE HP-UX\";\ntag_insight = \"Several potential security vulnerabilities have been identified in Apache Web \n Server and PHP running on HP-UX where a remote user may be able to cause a \n Denial of Service (DoS), obtain local elevation of privileges or gain \n unauthorized access to restricted resources.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00901851-2\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.835139\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"HPSBUX\", value: \"01090\");\n script_cve_id(\"CVE-2004-0747\", \"CVE-2004-0748\", \"CVE-2004-0751\", \"CVE-2004-0786\", \"CVE-2004-0809\", \"CVE-2004-0811\");\n script_name( \"HP-UX Update for Apache with PHP HPSBUX01090\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of Apache with PHP\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local 
Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.00\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.52.00\", rls:\"HPUX11.00\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.52.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.52.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.52.00\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "httpd": [{"lastseen": "2016-09-26T21:39:38", "bulletinFamily": "software", "cvelist": ["CVE-2004-0747"], "description": "\n\nA buffer overflow was found in the\nexpansion of environment variables during configuration file parsing. 
This\nissue could allow a local user to gain the privileges of a httpd\nchild if a server can be forced to parse a carefully crafted .htaccess file \nwritten by a local user.\n\n", "edition": 1, "modified": "2004-09-15T00:00:00", "published": "2004-08-05T00:00:00", "id": "HTTPD:FA00EE6E5A32CC9AB0A435F425709933", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.0.51: Environment variable expansion flaw", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-12-24T14:26:52", "bulletinFamily": "software", "cvelist": ["CVE-2004-0747"], "description": "\n\nA buffer overflow was found in the\nexpansion of environment variables during configuration file parsing. This\nissue could allow a local user to gain the privileges of a httpd\nchild if a server can be forced to parse a carefully crafted .htaccess file \nwritten by a local user.\n\n", "edition": 5, "modified": "2004-09-15T00:00:00", "published": "2004-08-05T00:00:00", "id": "HTTPD:FF6707403F89E77CD90F095B4014299E", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: Environment variable expansion flaw", "type": "httpd", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-07T10:43:15", "description": "SITIC discovered a vulnerability in Apache 2's handling of\nenvironmental variable settings in the httpd configuration files (the\nmain `httpd.conf' and `.htaccess' files). According to a SITIC\nadvisory :\n\nThe buffer overflow occurs when expanding ${ENVVAR} constructs in\n.htaccess or httpd.conf files. 
The function ap_resolve_env() in\nserver/util.c copies data from environment variables to the character\narray tmp with strcat(3), leading to a buffer overflow.", "edition": 26, "published": "2009-04-23T00:00:00", "title": "FreeBSD : apache -- ap_resolve_env buffer overflow (4d49f4ba-071f-11d9-b45d-000c41e2cdad)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0747"], "modified": "2009-04-23T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:apache"], "id": "FREEBSD_PKG_4D49F4BA071F11D9B45D000C41E2CDAD.NASL", "href": "https://www.tenable.com/plugins/nessus/36910", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(36910);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0747\");\n\n script_name(english:\"FreeBSD : apache -- ap_resolve_env buffer overflow (4d49f4ba-071f-11d9-b45d-000c41e2cdad)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"SITIC discovered a vulnerability in Apache 2's handling of\nenvironmental variable settings in the httpd configuration files (the\nmain `httpd.conf' and `.htaccess' files). According to a SITIC\nadvisory :\n\nThe buffer overflow occurs when expanding ${ENVVAR} constructs in\n.htaccess or httpd.conf files. 
The function ap_resolve_env() in\nserver/util.c copies data from environment variables to the character\narray tmp with strcat(3), leading to a buffer overflow.\"\n );\n # http://lists.netsys.com/pipermail/full-disclosure/2004-September/026463.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?994407f9\"\n );\n # https://vuxml.freebsd.org/freebsd/4d49f4ba-071f-11d9-b45d-000c41e2cdad.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7ab21727\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"apache>=2.0<2.0.50_3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:14:44", "description": "The remote host is missing the patch for the advisory SUSE-SA:2004:032 (apache2).\n\n\nThe Apache daemon is running on most of the web-servers used in the\nInternet today.\nThe Red Hat ASF Security-Team and the Swedish IT Incident Center within\nthe National Post and Telecom Agency (SITIC) have found a bug in apache2\neach.\nThe first vulnerability appears in the apr_uri_parse() function while\nhandling IPv6 addresses. The affected code passes a negative length\nargument to the memcpy() function. On BSD systems this can lead to remote\ncommand execution due to the nature of the memcpy() implementation.\nOn Linux this bug will result in a remote denial-of-service condition.\nThe second bug is a local buffer overflow that occurs while expanding\n${ENVVAR} in the .htaccess and httpd.conf file. 
Both files are not\nwriteable by normal user by default.", "edition": 22, "published": "2004-09-15T00:00:00", "title": "SUSE-SA:2004:032: apache2", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0786", "CVE-2004-0747"], "modified": "2004-09-15T00:00:00", "cpe": [], "id": "SUSE_SA_2004_032.NASL", "href": "https://www.tenable.com/plugins/nessus/14731", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2004:032\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(14731);\n script_version(\"1.15\");\n script_cve_id(\"CVE-2004-0747\", \"CVE-2004-0786\");\n script_bugtraq_id(11187, 11182);\n \n name[\"english\"] = \"SUSE-SA:2004:032: apache2\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2004:032 (apache2).\n\n\nThe Apache daemon is running on most of the web-servers used in the\nInternet today.\nThe Red Hat ASF Security-Team and the Swedish IT Incident Center within\nthe National Post and Telecom Agency (SITIC) have found a bug in apache2\neach.\nThe first vulnerability appears in the apr_uri_parse() function while\nhandling IPv6 addresses. The affected code passes a negative length\nargument to the memcpy() function. On BSD systems this can lead to remote\ncommand execution due to the nature of the memcpy() implementation.\nOn Linux this bug will result in a remote denial-of-service condition.\nThe second bug is a local buffer overflow that occurs while expanding\n${ENVVAR} in the .htaccess and httpd.conf file. 
Both files are not\nwriteable by normal user by default.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2004_32_apache2.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/09/15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the apache2 package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"apache2-2.0.48-139\", release:\"SUSE8.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-prefork-2.0.48-139\", release:\"SUSE8.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-worker-2.0.48-139\", release:\"SUSE8.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apr-2.0.48-139\", release:\"SUSE8.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-perchild-2.0.48-139\", release:\"SUSE8.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-2.0.48-139\", release:\"SUSE8.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-prefork-2.0.48-139\", release:\"SUSE8.2\") )\n{\n 
security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-worker-2.0.48-139\", release:\"SUSE8.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"libapr0-2.0.48-139\", release:\"SUSE8.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-leader-2.0.48-139\", release:\"SUSE8.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-2.0.48-139\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-prefork-2.0.48-139\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-worker-2.0.48-139\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"libapr0-2.0.48-139\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-leader-2.0.48-139\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-metuxmpm-2.0.48-139\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-2.0.49-27.14\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-prefork-2.0.49-27.14\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"apache2-worker-2.0.49-27.14\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"libapr0-2.0.49-27.14\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"apache2-\", release:\"SUSE8.1\")\n || rpm_exists(rpm:\"apache2-\", release:\"SUSE8.2\")\n || rpm_exists(rpm:\"apache2-\", release:\"SUSE9.0\")\n || rpm_exists(rpm:\"apache2-\", release:\"SUSE9.1\") )\n{\n set_kb_item(name:\"CVE-2004-0747\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0786\", value:TRUE);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": 
"2021-01-17T13:05:20", "description": "Updated httpd packages that include fixes for security issues are now\navailable.\n\nThe Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nFour issues have been discovered affecting releases of the Apache HTTP\n2.0 Server, up to and including version 2.0.50 :\n\nTesting using the Codenomicon HTTP Test Tool performed by the Apache\nSoftware Foundation security group and Red Hat uncovered an input\nvalidation issue in the IPv6 URI parsing routines in the apr-util\nlibrary. If a remote attacker sent a request including a carefully\ncrafted URI, an httpd child process could be made to crash. This issue\nis not believed to allow arbitrary code execution on Red Hat\nEnterprise Linux. This issue also does not represent a significant\ndenial of service attack as requests will continue to be handled by\nother Apache child processes. The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the name CVE-2004-0786 to this\nissue.\n\nThe Swedish IT Incident Centre (SITIC) reported a buffer overflow in\nthe expansion of environment variables during configuration file\nparsing. This issue could allow a local user to gain 'apache'\nprivileges if an httpd process can be forced to parse a carefully\ncrafted .htaccess file written by a local user. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2004-0747 to this issue.\n\nAn issue was discovered in the mod_ssl module which could be triggered\nif the server is configured to allow proxying to a remote SSL server.\nA malicious remote SSL server could force an httpd child process to\ncrash by sending a carefully crafted response header. This issue is\nnot believed to allow execution of arbitrary code. This issue also\ndoes not represent a significant Denial of Service attack as requests\nwill continue to be handled by other Apache child processes. 
The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0751 to this issue.\n\nAn issue was discovered in the mod_dav module which could be triggered\nfor a location where WebDAV authoring access has been configured. A\nmalicious remote client which is authorized to use the LOCK method\ncould force an httpd child process to crash by sending a particular\nsequence of LOCK requests. This issue does not allow execution of\narbitrary code. This issue also does not represent a significant\nDenial of Service attack as requests will continue to be handled by\nother Apache child processes. The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the name CVE-2004-0809 to this\nissue.\n\nUsers of the Apache HTTP server should upgrade to these updated\npackages, which contain backported patches that address these issues.", "edition": 28, "published": "2004-09-15T00:00:00", "title": "RHEL 3 : httpd (RHSA-2004:463)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0809", "CVE-2004-0751"], "modified": "2004-09-15T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:3", "p-cpe:/a:redhat:enterprise_linux:mod_ssl", "p-cpe:/a:redhat:enterprise_linux:httpd", "p-cpe:/a:redhat:enterprise_linux:httpd-devel"], "id": "REDHAT-RHSA-2004-463.NASL", "href": "https://www.tenable.com/plugins/nessus/14736", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2004:463. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14736);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2004-0747\", \"CVE-2004-0751\", \"CVE-2004-0786\", \"CVE-2004-0809\");\n script_xref(name:\"RHSA\", value:\"2004:463\");\n\n script_name(english:\"RHEL 3 : httpd (RHSA-2004:463)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that include fixes for security issues are now\navailable.\n\nThe Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nFour issues have been discovered affecting releases of the Apache HTTP\n2.0 Server, up to and including version 2.0.50 :\n\nTesting using the Codenomicon HTTP Test Tool performed by the Apache\nSoftware Foundation security group and Red Hat uncovered an input\nvalidation issue in the IPv6 URI parsing routines in the apr-util\nlibrary. If a remote attacker sent a request including a carefully\ncrafted URI, an httpd child process could be made to crash. This issue\nis not believed to allow arbitrary code execution on Red Hat\nEnterprise Linux. This issue also does not represent a significant\ndenial of service attack as requests will continue to be handled by\nother Apache child processes. The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the name CVE-2004-0786 to this\nissue.\n\nThe Swedish IT Incident Centre (SITIC) reported a buffer overflow in\nthe expansion of environment variables during configuration file\nparsing. 
This issue could allow a local user to gain 'apache'\nprivileges if an httpd process can be forced to parse a carefully\ncrafted .htaccess file written by a local user. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2004-0747 to this issue.\n\nAn issue was discovered in the mod_ssl module which could be triggered\nif the server is configured to allow proxying to a remote SSL server.\nA malicious remote SSL server could force an httpd child process to\ncrash by sending a carefully crafted response header. This issue is\nnot believed to allow execution of arbitrary code. This issue also\ndoes not represent a significant Denial of Service attack as requests\nwill continue to be handled by other Apache child processes. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0751 to this issue.\n\nAn issue was discovered in the mod_dav module which could be triggered\nfor a location where WebDAV authoring access has been configured. A\nmalicious remote client which is authorized to use the LOCK method\ncould force an httpd child process to crash by sending a particular\nsequence of LOCK requests. This issue does not allow execution of\narbitrary code. This issue also does not represent a significant\nDenial of Service attack as requests will continue to be handled by\nother Apache child processes. 
The Common Vulnerabilities and Exposures\nproject (cve.mitre.org) has assigned the name CVE-2004-0809 to this\nissue.\n\nUsers of the Apache HTTP server should upgrade to these updated\npackages, which contain backported patches that address these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0747\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0786\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0809\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2004:463\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd, httpd-devel and / or mod_ssl packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/09/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/15\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2004:463\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"httpd-2.0.46-40.ent\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"httpd-devel-2.0.46-40.ent\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"mod_ssl-2.0.46-40.ent\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / mod_ssl\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T10:51:51", "description": "The remote host is affected by the vulnerability described in GLSA-200409-21\n(Apache 2, mod_dav: Multiple vulnerabilities)\n\n A potential infinite loop has been found in the input filter of mod_ssl\n (CAN-2004-0748) as well as a possible segmentation fault in the\n char_buffer_read function if reverse proxying to a SSL server is being used\n (CAN-2004-0751). 
Furthermore, mod_dav, as shipped in Apache httpd 2 or\n mod_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can\n be triggered remotely (CAN-2004-0809). The third issue is an input\n validation error found in the IPv6 URI parsing routines within the apr-util\n library (CAN-2004-0786). Additionally a possible buffer overflow has been\n reported when expanding environment variables during the parsing of\n configuration files (CAN-2004-0747).\n \nImpact :\n\n A remote attacker could cause a Denial of Service either by aborting a SSL\n connection in a special way, resulting in CPU consumption, by exploiting\n the segmentation fault in mod_ssl or the mod_dav flaw. A remote attacker\n could also crash a httpd child process by sending a specially crafted URI.\n The last vulnerability could be used by a local user to gain the privileges\n of a httpd child, if the server parses a carefully prepared .htaccess file.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "published": "2004-09-17T00:00:00", "title": "GLSA-200409-21 : Apache 2, mod_dav: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0751"], "modified": "2004-09-17T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:mod_dav", "p-cpe:/a:gentoo:linux:apache"], "id": "GENTOO_GLSA-200409-21.NASL", "href": "https://www.tenable.com/plugins/nessus/14766", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200409-21.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14766);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0747\", \"CVE-2004-0748\", \"CVE-2004-0751\", \"CVE-2004-0786\", \"CVE-2004-0809\");\n script_xref(name:\"GLSA\", value:\"200409-21\");\n\n script_name(english:\"GLSA-200409-21 : Apache 2, mod_dav: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200409-21\n(Apache 2, mod_dav: Multiple vulnerabilities)\n\n A potential infinite loop has been found in the input filter of mod_ssl\n (CAN-2004-0748) as well as a possible segmentation fault in the\n char_buffer_read function if reverse proxying to a SSL server is being used\n (CAN-2004-0751). Furthermore, mod_dav, as shipped in Apache httpd 2 or\n mod_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can\n be triggered remotely (CAN-2004-0809). The third issue is an input\n validation error found in the IPv6 URI parsing routines within the apr-util\n library (CAN-2004-0786). Additionally a possible buffer overflow has been\n reported when expanding environment variables during the parsing of\n configuration files (CAN-2004-0747).\n \nImpact :\n\n A remote attacker could cause a Denial of Service either by aborting a SSL\n connection in a special way, resulting in CPU consumption, by exploiting\n the segmentation fault in mod_ssl or the mod_dav flaw. 
A remote attacker\n could also crash a httpd child process by sending a specially crafted URI.\n The last vulnerability could be used by a local user to gain the privileges\n of a httpd child, if the server parses a carefully prepared .htaccess file.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200409-21\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Apache 2 users should upgrade to the latest version:\n # emerge sync\n # emerge -pv '>=www-servers/apache-2.0.51'\n # emerge '>=www-servers/apache-2.0.51'\n All mod_dav users should upgrade to the latest version:\n # emerge sync\n # emerge -pv '>=net-www/mod_dav-1.0.3-r2'\n # emerge '>=net-www/mod_dav-1.0.3-r2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mod_dav\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/17\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/09/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n 
script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-www/mod_dav\", unaffected:make_list(\"ge 1.0.3-r2\"), vulnerable:make_list(\"le 1.0.3-r1\"))) flag++;\nif (qpkg_check(package:\"www-servers/apache\", unaffected:make_list(\"ge 2.0.51\", \"lt 2.0\"), vulnerable:make_list(\"lt 2.0.51\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache 2 / mod_dav\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T01:20:49", "description": "According to its Server response header, the remote host is running a\nversion of Apache 2.0.x prior to 2.0.51. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An input validation issue in apr-util can be triggered\n by malformed IPv6 literal addresses and result in a \n buffer overflow (CVE-2004-0786).\n\n - There is a buffer overflow that can be triggered when\n expanding environment variables during configuration\n file parsing (CVE-2004-0747).\n\n - A segfault in mod_dav_ds when handling an indirect lock\n refresh can lead to a process crash (CVE-2004-0809).\n\n - A segfault in the SSL input filter can be triggered\n if using 'speculative' mode by, for instance, a proxy\n request to an SSL server (CVE-2004-0751).\n\n - There is the potential for an infinite loop in mod_ssl\n (CVE-2004-0748).", "edition": 27, "cvss3": {"score": 5.6, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2004-09-16T00:00:00", "title": "Apache 2.0.x < 2.0.51 Multiple Vulnerabilities (OF, DoS)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0751"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:apache:http_server"], "id": "APACHE_2_0_51.NASL", "href": "https://www.tenable.com/plugins/nessus/14748", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(14748);\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n script_version(\"1.30\");\n\n script_cve_id(\"CVE-2004-0747\", \"CVE-2004-0748\", \"CVE-2004-0751\", \"CVE-2004-0786\", \"CVE-2004-0809\");\n script_bugtraq_id(11185, 11187);\n\n script_name(english:\"Apache 2.0.x < 2.0.51 Multiple Vulnerabilities (OF, DoS)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"According to its Server response header, the remote host is running a\nversion of Apache 2.0.x prior to 2.0.51. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An input validation issue in apr-util can be triggered\n by malformed IPv6 literal addresses and result in a \n buffer overflow (CVE-2004-0786).\n\n - There is a buffer overflow that can be triggered when\n expanding environment variables during configuration\n file parsing (CVE-2004-0747).\n\n - A segfault in mod_dav_ds when handling an indirect lock\n refresh can lead to a process crash (CVE-2004-0809).\n\n - A segfault in the SSL input filter can be triggered\n if using 'speculative' mode by, for instance, a proxy\n request to an SSL server (CVE-2004-0751).\n\n - There is the potential for an infinite loop in mod_ssl\n (CVE-2004-0748).\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://bz.apache.org/bugzilla/show_bug.cgi?id=31183\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://archive.apache.org/dist/httpd/CHANGES_2.0\" );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Apache 2.0.51 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/09/16\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/07/08\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\nscript_end_attributes();\n\n \n summary[\"english\"] = \"Checks version of Apache\";\n \n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n 
script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n script_dependencie(\"apache_http_version.nasl\");\n script_require_keys(\"installed_sw/Apache\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\ninclude(\"install_func.inc\");\n\nget_install_count(app_name:\"Apache\", exit_if_zero:TRUE);\nport = get_http_port(default:80);\ninstall = get_single_install(app_name:\"Apache\", port:port, exit_if_unknown_ver:TRUE);\n\n# Check if we could get a version first, then check if it was\n# backported\nversion = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1);\nbackported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1);\n\nif (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, \"Apache\");\nsource = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);\n\n# Check if the version looks like either ServerTokens Major/Minor\n# was used\nif (version =~ '^2(\\\\.0)?$') exit(1, \"The banner from the Apache server listening on port \"+port+\" - \"+source+\" - is not granular enough to make a determination.\");\nif (version !~ \"^\\d+(\\.\\d+)*$\") exit(1, \"The version of Apache listening on port \" + port + \" - \" + version + \" - is non-numeric and, therefore, cannot be used to make a determination.\");\nif (version =~ '^2\\\\.0' && ver_compare(ver:version, fix:'2.0.51') == -1)\n{\n if (report_verbosity > 0)\n {\n report = \n '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 2.0.51\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Apache\", port, install[\"version\"]);\n", "cvss": {"score": 5.1, "vector": 
"AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:05:43", "description": " - Tue Sep 21 2004 Joe Orton <jorton at redhat.com>\n 2.0.51-2.7\n\n - ap_rgetline_core fix from Rici Lake\n\n - Tue Sep 21 2004 Joe Orton <jorton at redhat.com>\n 2.0.51-2.6\n\n - fix 2.0.51 regression in Satisfy merging (CVE-2004-0811)\n\n - Thu Sep 16 2004 Joe Orton <jorton at redhat.com>\n 2.0.51-2.5\n\n - mod_ssl: prevent SIGHUP-triggers-SIGSEGV after upgrade\n from 2.0.50\n\n - revert mod_ldap/mod_auth_ldap changes likewise\n\n - Wed Sep 15 2004 Joe Orton <jorton at redhat.com>\n 2.0.51-2.1\n\n - update to 2.0.51, including security fixes for :\n\n - core: CVE-2004-0747\n\n - mod_dav_fs: CVE-2004-0809\n\n - mod_ssl: CVE-2004-0751, CVE-2004-0748\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2004-09-24T00:00:00", "title": "Fedora Core 2 : httpd-2.0.51-2.7 (2004-313)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0811", "CVE-2004-0751"], "modified": "2004-09-24T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora_core:2", "p-cpe:/a:fedoraproject:fedora:httpd", "p-cpe:/a:fedoraproject:fedora:httpd-devel", "p-cpe:/a:fedoraproject:fedora:httpd-manual", "p-cpe:/a:fedoraproject:fedora:httpd-debuginfo", "p-cpe:/a:fedoraproject:fedora:mod_ssl"], "id": "FEDORA_2004-313.NASL", "href": "https://www.tenable.com/plugins/nessus/14807", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2004-313.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14807);\n script_version(\"1.15\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0811\");\n script_xref(name:\"FEDORA\", value:\"2004-313\");\n\n script_name(english:\"Fedora Core 2 : httpd-2.0.51-2.7 (2004-313)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Tue Sep 21 2004 Joe Orton <jorton at redhat.com>\n 2.0.51-2.7\n\n - ap_rgetline_core fix from Rici Lake\n\n - Tue Sep 21 2004 Joe Orton <jorton at redhat.com>\n 2.0.51-2.6\n\n - fix 2.0.51 regression in Satisfy merging (CVE-2004-0811)\n\n - Thu Sep 16 2004 Joe Orton <jorton at redhat.com>\n 2.0.51-2.5\n\n - mod_ssl: prevent SIGHUP-triggers-SIGSEGV after upgrade\n from 2.0.50\n\n - revert mod_ldap/mod_auth_ldap changes likewise\n\n - Wed Sep 15 2004 Joe Orton <jorton at redhat.com>\n 2.0.51-2.1\n\n - update to 2.0.51, including security fixes for :\n\n - core: CVE-2004-0747\n\n - mod_dav_fs: CVE-2004-0809\n\n - mod_ssl: CVE-2004-0751, CVE-2004-0748\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2004-September/000303.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?eabde590\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/09/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = 
eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 2.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC2\", reference:\"httpd-2.0.51-2.7\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"httpd-debuginfo-2.0.51-2.7\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"httpd-devel-2.0.51-2.7\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"httpd-manual-2.0.51-2.7\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"mod_ssl-2.0.51-2.7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / mod_ssl\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T11:51:22", "description": "Two Denial of Service conditions were discovered in the input filter\nof mod_ssl, the module that enables apache to handle HTTPS requests.\n\nAnother vulnerability was discovered by the ASF security team using\nthe Codenomicon HTTP Test Tool. 
This vulnerability, in the apr-util\nlibrary, can possibly lead to arbitrary code execution if certain\nnon-default conditions are met (enabling the AP_ENABLE_EXCEPTION_HOOK\ndefine).\n\nAs well, the SITIC have discovered a buffer overflow when Apache\nexpands environment variables in configuration files such as .htaccess\nand httpd.conf, which can lead to possible privilege escalation. This\ncan only be done, however, if an attacker is able to place malicious\nconfiguration files on the server.\n\nFinally, a crash condition was discovered in the mod_dav module by\nJulian Reschke, where sending a LOCK refresh request to an indirectly\nlocked resource could crash the server.\n\nThe updated packages have been patched to protect against these\nvulnerabilities.", "edition": 24, "published": "2004-09-16T00:00:00", "title": "Mandrake Linux Security Advisory : apache2 (MDKSA-2004:096)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0783", "CVE-2004-0751"], "modified": "2004-09-16T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:apache2-mod_dav", "p-cpe:/a:mandriva:linux:apache2-mod_ssl", "p-cpe:/a:mandriva:linux:apache2-mod_ldap", "p-cpe:/a:mandriva:linux:apache2", "p-cpe:/a:mandriva:linux:lib64apr0", "cpe:/o:mandrakesoft:mandrake_linux:10.0", "p-cpe:/a:mandriva:linux:apache2-mod_disk_cache", "p-cpe:/a:mandriva:linux:apache2-common", "p-cpe:/a:mandriva:linux:apache2-devel", "p-cpe:/a:mandriva:linux:apache2-modules", "cpe:/o:mandrakesoft:mandrake_linux:9.2", "p-cpe:/a:mandriva:linux:apache2-mod_mem_cache", "p-cpe:/a:mandriva:linux:apache2-manual", "p-cpe:/a:mandriva:linux:apache2-mod_file_cache", "p-cpe:/a:mandriva:linux:apache2-mod_proxy", "p-cpe:/a:mandriva:linux:apache2-mod_cache", "p-cpe:/a:mandriva:linux:libapr0", "p-cpe:/a:mandriva:linux:apache2-mod_deflate", "p-cpe:/a:mandriva:linux:apache2-source"], "id": "MANDRAKE_MDKSA-2004-096.NASL", "href": 
"https://www.tenable.com/plugins/nessus/14752", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2004:096. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14752);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0747\", \"CVE-2004-0748\", \"CVE-2004-0751\", \"CVE-2004-0783\", \"CVE-2004-0786\", \"CVE-2004-0809\");\n script_xref(name:\"MDKSA\", value:\"2004:096\");\n\n script_name(english:\"Mandrake Linux Security Advisory : apache2 (MDKSA-2004:096)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two Denial of Service conditions were discovered in the input filter\nof mod_ssl, the module that enables apache to handle HTTPS requests.\n\nAnother vulnerability was discovered by the ASF security team using\nthe Codenomicon HTTP Test Tool. This vulnerability, in the apr-util\nlibrary, can possibly lead to arbitrary code execution if certain\nnon-default conditions are met (enabling the AP_ENABLE_EXCEPTION_HOOK\ndefine).\n\nAs well, the SITIC have discovered a buffer overflow when Apache\nexpands environment variables in configuration files such as .htaccess\nand httpd.conf, which can lead to possible privilege escalation. 
This\ncan only be done, however, if an attacker is able to place malicious\nconfiguration files on the server.\n\nFinally, a crash condition was discovered in the mod_dav module by\nJulian Reschke, where sending a LOCK refresh request to an indirectly\nlocked resource could crash the server.\n\nThe updated packages have been patched to protect against these\nvulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.uniras.gov.uk/vuls/2004/403518/index.htm\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_dav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_deflate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_disk_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_file_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_mem_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-mod_ssl\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache2-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64apr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libapr0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-common-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-devel-2.0.48-6.6.100mdk\", 
yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-manual-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_cache-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_dav-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_deflate-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_disk_cache-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_file_cache-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_ldap-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_mem_cache-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_proxy-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-mod_ssl-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-modules-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"apache2-source-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"amd64\", reference:\"lib64apr0-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"libapr0-2.0.48-6.6.100mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-common-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-devel-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-manual-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif 
(rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_cache-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_dav-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_deflate-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_disk_cache-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_file_cache-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_ldap-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_mem_cache-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_proxy-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-mod_ssl-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-modules-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"apache2-source-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"lib64apr0-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libapr0-2.0.47-6.9.92mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:25:05", "description": "The remote host is missing Security Update 2004-12-02. 
This security\nupdate contains a number of fixes for the following programs :\n\n - Apache\n - Apache2\n - AppKit\n - Cyrus IMAP\n - HIToolbox\n - Kerberos\n - Postfix\n - PSNormalizer\n - QuickTime Streaming Server\n - Safari\n - Terminal\n\nThese programs contain multiple vulnerabilities that could allow a\nremote attacker to execute arbitrary code.", "edition": 23, "published": "2004-12-02T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-1121", "CVE-2004-0644", "CVE-2004-1123", "CVE-2004-0786", "CVE-2004-0747", "CVE-2003-0987", "CVE-2004-0643", "CVE-2004-0885", "CVE-2004-1122", "CVE-2004-0804", "CVE-2004-1086", "CVE-2004-0642", "CVE-2004-0748", "CVE-2004-1088", "CVE-2004-1087", "CVE-2004-0803", "CVE-2004-1084", "CVE-2004-1081", "CVE-2004-0940", "CVE-2004-1082", "CVE-2004-0772", "CVE-2004-0174", "CVE-2004-1089", "CVE-2004-0488", "CVE-2004-1083", "CVE-2004-0492", "CVE-2003-0020", "CVE-2004-1085", "CVE-2004-0886", "CVE-2004-0751"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD20041202.NASL", "href": "https://www.tenable.com/plugins/nessus/15898", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3004) exit(0); # a large number of xrefs.\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(15898);\n script_version (\"1.24\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\n\n script_cve_id(\"CVE-2004-1082\", \"CVE-2003-0020\", \"CVE-2003-0987\", \"CVE-2004-0174\", \"CVE-2004-0488\", \n \"CVE-2004-0492\", \"CVE-2004-0885\", \"CVE-2004-0940\", \"CVE-2004-1083\", \"CVE-2004-1084\", \n \"CVE-2004-0747\", \"CVE-2004-0786\", \"CVE-2004-0751\", \"CVE-2004-0748\", \"CVE-2004-1081\", \n \"CVE-2004-0803\", \"CVE-2004-0804\", \"CVE-2004-0886\", \"CVE-2004-1089\", \"CVE-2004-1085\", \n \"CVE-2004-0642\", \"CVE-2004-0643\", \"CVE-2004-0644\", \"CVE-2004-0772\", \"CVE-2004-1088\", \n \"CVE-2004-1086\", \"CVE-2004-1123\", \"CVE-2004-1121\", \"CVE-2004-1122\", \"CVE-2004-1087\");\n script_bugtraq_id(9921, 9930, 9571, 11471, 11360, 11469, 10508, 11802);\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)\");\n script_summary(english:\"Check for Security Update 2004-12-02\");\n \n script_set_attribute( attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes a security\nissue.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host is missing Security Update 2004-12-02. 
This security\nupdate contains a number of fixes for the following programs :\n\n - Apache\n - Apache2\n - AppKit\n - Cyrus IMAP\n - HIToolbox\n - Kerberos\n - Postfix\n - PSNormalizer\n - QuickTime Streaming Server\n - Safari\n - Terminal\n\nThese programs contain multiple vulnerabilities that could allow a\nremote attacker to execute arbitrary code.\" );\n # http://web.archive.org/web/20080915104713/http://support.apple.com/kb/HT1646?\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?210abeb5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install Security Update 2004-12-02.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/12/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2003/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2004/12/02\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n\npackages = get_kb_item(\"Host/MacOSX/packages\");\nif ( ! packages ) exit(0);\n\nuname = get_kb_item(\"Host/uname\");\n# MacOS X 10.2.8, 10.3.6 only\nif ( egrep(pattern:\"Darwin.* (6\\.8\\.|7\\.6\\.)\", string:uname) )\n{\n if ( ! 
egrep(pattern:\"^SecUpd(Srvr)?2004-12-02\", string:packages) ) security_hole(0);\n\telse non_vuln = 1;\n}\nelse if ( egrep(pattern:\"Darwin.* (6\\.9|[0-9][0-9]\\.|7\\.([7-9]|[0-9][0-9]\\.|[8-9]\\.))\", string:uname) ) non_vuln = 1;\n\nif ( non_vuln )\n{\n set_kb_item(name:\"CVE-2004-1082\", value:TRUE);\n set_kb_item(name:\"CVE-2003-0020\", value:TRUE);\n set_kb_item(name:\"CVE-2003-0987\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0174\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0488\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0492\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0885\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0940\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1083\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1084\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0747\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0786\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0751\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0748\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1081\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0803\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0804\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0886\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1089\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1085\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0642\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0643\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0644\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0772\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1088\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1086\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1123\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1121\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1122\", value:TRUE);\n set_kb_item(name:\"CVE-2004-1087\", value:TRUE);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:13", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0747"], "description": "\nSITIC discovered a 
vulnerability in Apache 2's handling of\n\t environmental variable settings in the httpd configuration\n\t files (the main `httpd.conf' and `.htaccess' files).\n\t According to a SITIC advisory:\n\nThe buffer overflow occurs when expanding ${ENVVAR}\n\t constructs in .htaccess or httpd.conf files. The function\n\t ap_resolve_env() in server/util.c copies data from\n\t environment variables to the character array tmp with\n\t strcat(3), leading to a buffer overflow.\n\n", "edition": 4, "modified": "2004-09-15T00:00:00", "published": "2004-09-15T00:00:00", "id": "4D49F4BA-071F-11D9-B45D-000C41E2CDAD", "href": "https://vuxml.freebsd.org/freebsd/4d49f4ba-071f-11d9-b45d-000c41e2cdad.html", "title": "apache -- ap_resolve_env buffer overflow", "type": "freebsd", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:05", "bulletinFamily": "software", "cvelist": ["CVE-2004-0747"], "edition": 1, "description": "## Vulnerability Description\nApache HTTP Server and IBM HTTP Server contain a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the function ap_resolve_env() in server/util.c expands environment variable constructs from configuration files such as .htaccess or httpd.conf. For an attacker to exploit the flaw they would need to carefully craft malicious configuration files and have write access to the legitimate copies. This flaw may lead to a loss of confidentiality.\n## Solution Description\nUpgrade to version 2.0.51 or higher or apply the patch from IBM, as it has been reported to fix this vulnerability.\n## Short Description\nApache HTTP Server and IBM HTTP Server contain a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the function ap_resolve_env() in server/util.c expands environment variable constructs from configuration files such as .htaccess or httpd.conf. 
For an attacker to exploit the flaw they would need to carefully craft malicious configuration files and have write access to the legitimate copies. This flaw may lead to a loss of confidentiality.\n## References:\nVendor URL: http://httpd.apache.org/\nVendor URL: http://www.ibm.com/us/\nVendor Specific Solution URL: http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/CAN-2004-0747.patch\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?rs=177&uid=swg24007795)\n[Vendor Specific Advisory URL](http://www.apacheweek.com/features/security-20)\n[Vendor Specific Advisory URL](http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01090)\n[Vendor Specific Advisory URL](http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBOV01083)\nSecurity Tracker: 1011303\n[Secunia Advisory ID:13025](https://secuniaresearch.flexerasoftware.com/advisories/13025/)\n[Secunia Advisory ID:13027](https://secuniaresearch.flexerasoftware.com/advisories/13027/)\n[Secunia Advisory ID:12540](https://secuniaresearch.flexerasoftware.com/advisories/12540/)\n[Secunia Advisory ID:12922](https://secuniaresearch.flexerasoftware.com/advisories/12922/)\n[Related OSVDB ID: 9994](https://vulners.com/osvdb/OSVDB:9994)\nRedHat RHSA: RHSA-2004:463\nOther Advisory URL: http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-3404.txt\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:096\nOther Advisory URL: http://www.suse.de/de/security/2004_32_apache2.html\nOther Advisory URL: http://www.sitic.se/rad_och_rekommendationer/sa04-002.html\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200409-21.xml\nOther Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000868\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0501.html\nKeyword: PQ94086\nISS X-Force ID: 17384\n[CVE-2004-0747](https://vulners.com/cve/CVE-2004-0747)\n", "modified": "2004-09-15T12:54:16", "published": 
"2004-09-15T12:54:16", "href": "https://vulners.com/osvdb/OSVDB:9991", "id": "OSVDB:9991", "type": "osvdb", "title": "Apache HTTP Server ap_resolve_env Environment Variable Local Overflow", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2020-09-18T20:43:50", "bulletinFamily": "info", "cvelist": ["CVE-2004-0747"], "description": "### Overview \n\nThere is a buffer overflow vulnerability in the ap_resolve_env() function of Apache that could allow a local user to gain elevated privileges.\n\n### Description \n\nThe [Apache HTTP Server](<http://httpd.apache.org/>) is a freely available web server that runs on a variety of operating systems including Unix, Linux, and Microsoft Windows. The `ap_resolve_env()` function is responsible for expanding environment variables when parsing configuration files such as `.htaccess` or `httpd.conf`. There is a vulnerability in this function that could allow a local user to trigger a buffer overflow.\n\nThe Apache Software Foundation notes that in order to exploit this vulnerability, a local user would need to install the malicious configuration file on the server and force the server to parse this file. \n \n--- \n \n### Impact \n\nA local user with the ability to force a vulnerable server to parse a malicious configuration file could gain elevated privileges. \n \n--- \n \n### Solution \n\n**Upgrade or Apply Patch** \nUpgrade or apply the patch as specified by your vendor. This issue is resolved in Apache version 2.0.51. \n \n--- \n \n### Vendor Information\n\n481998\n\n### Apache: Affected\n\nUpdated: September 17, 2004 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease refer to the [Apache Security Announcement](<http://www.apache.org/dist/httpd/Announcement2.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23481998 Feedback>).\n\n### References \n\n * <http://www.apache.org/dist/httpd/Announcement2.html>\n * <http://www.uniras.gov.uk/vuls/2004/403518/index.htm>\n * <http://secunia.com/advisories/12540/>\n * <http://www.securitytracker.com/alerts/2004/Sep/1011303.html>\n * <http://rhn.redhat.com/errata/RHSA-2004-463.html>\n\n### Acknowledgements\n\nThis vulnerability was reported by the Swedish IT Incident Centre within the National Post and Telecom Agency (SITIC).\n\nThis document was written by Damon Morda.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0747](<http://web.nvd.nist.gov/vuln/detail/CVE-2004-0747>) \n---|--- \n**Severity Metric:** | 3.38 \n**Date Public:** | 2004-09-15 \n**Date First Published:** | 2004-09-17 \n**Date Last Updated:** | 2004-09-17 20:09 UTC \n**Document Revision:** | 11 \n", "modified": "2004-09-17T20:09:00", "published": "2004-09-17T00:00:00", "id": "VU:481998", "href": "https://www.kb.cert.org/vuls/id/481998", "type": "cert", "title": "Apache vulnerable to buffer overflow when expanding environment variables", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:44:44", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0747", "CVE-2004-0751", "CVE-2004-0786", "CVE-2004-0809"], 
"description": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nFour issues have been discovered affecting releases of the Apache HTTP 2.0\nServer, up to and including version 2.0.50:\n\nTesting using the Codenomicon HTTP Test Tool performed by the Apache\nSoftware Foundation security group and Red Hat uncovered an input\nvalidation issue in the IPv6 URI parsing routines in the apr-util library. \nIf a remote attacker sent a request including a carefully crafted URI, an\nhttpd child process could be made to crash. This issue is not believed to\nallow arbitrary code execution on Red Hat Enterprise Linux. This issue\nalso does not represent a significant denial of service attack as requests\nwill continue to be handled by other Apache child processes. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-0786 to this issue.\n\nThe Swedish IT Incident Centre (SITIC) reported a buffer overflow in the\nexpansion of environment variables during configuration file parsing. This\nissue could allow a local user to gain 'apache' privileges if an httpd\nprocess can be forced to parse a carefully crafted .htaccess file written\nby a local user. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2004-0747 to this issue.\n\nAn issue was discovered in the mod_ssl module which could be triggered if\nthe server is configured to allow proxying to a remote SSL server. A\nmalicious remote SSL server could force an httpd child process to crash by\nsending a carefully crafted response header. This issue is not believed to\nallow execution of arbitrary code. This issue also does not represent a\nsignificant Denial of Service attack as requests will continue to be\nhandled by other Apache child processes. 
The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2004-0751 to\nthis issue.\n\nAn issue was discovered in the mod_dav module which could be triggered for\na location where WebDAV authoring access has been configured. A malicious\nremote client which is authorized to use the LOCK method could force an\nhttpd child process to crash by sending a particular sequence of LOCK\nrequests. This issue does not allow execution of arbitrary code. This\nissue also does not represent a significant Denial of Service attack as\nrequests will continue to be handled by other Apache child processes. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2004-0809 to this issue. \n\nUsers of the Apache HTTP server should upgrade to these updated packages,\nwhich contain backported patches that address these issues.", "modified": "2017-07-29T20:32:43", "published": "2004-09-15T04:00:00", "id": "RHSA-2004:463", "href": "https://access.redhat.com/errata/RHSA-2004:463", "type": "redhat", "title": "(RHSA-2004:463) httpd security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0751"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandrakelinux Security Update Advisory\r\n _______________________________________________________________________\r\n\r\n Package name: apache2\r\n Advisory ID: MDKSA-2004:096\r\n Date: September 15th, 2004\r\n\r\n Affected versions: 10.0, 9.2\r\n ______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Two Denial of Service conditions were discovered in the input filter\r\n of mod_ssl, the module that enables apache to handle HTTPS requests.\r\n 
\r\n Another vulnerability was discovered by the ASF security team using\r\n the Codenomicon HTTP Test Tool. This vulnerability, in the apr-util\r\n library, can possibly lead to arbitrary code execution if certain\r\n non-default conditions are met (enabling the AP_ENABLE_EXCEPTION_HOOK\r\n define).\r\n \r\n As well, the SITIC have discovered a buffer overflow when Apache\r\n expands environment variables in configuration files such as .htaccess\r\n and httpd.conf, which can lead to possible privilege escalation. This\r\n can only be done, however, if an attacker is able to place malicious\r\n configuration files on the server.\r\n \r\n Finally, a crash condition was discovered in the mod_dav module by\r\n Julian Reschke, where sending a LOCK refresh request to an indirectly\r\n locked resource could crash the server.\r\n \r\n The updated packages have been patched to protect against these\r\n vulnerabilities.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786\r\n http://www.uniras.gov.uk/vuls/2004/403518/index.htm\r\n ______________________________________________________________________\r\n\r\n Updated Packages:\r\n \r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrakeUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandrakesoft for security. You can obtain\r\n the GPG public key of the Mandrakelinux Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandrakelinux at:\r\n\r\n http://www.mandrakesoft.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_linux-mandrake.com\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team\r\n <security linux-mandrake.com>\r\n", "edition": 1, "modified": "2004-09-16T00:00:00", "published": "2004-09-16T00:00:00", "id": "SECURITYVULNS:DOC:6813", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6813", "title": "MDKSA-2004:096 - Updated apache2 packages fix multiple vulnerabilities", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0751"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nThe Apache Software Foundation and the Apache HTTP Server Project\r\nare pleased to announce the release of version 2.0.51 of 
the Apache\r\nHTTP Server ("Apache"). This Announcement notes the significant\r\nchanges in 2.0.51 as compared to 2.0.50.\r\n\r\nThis version of Apache is principally a bug fix release. Of\r\nparticular note is that 2.0.51 addresses five security\r\nvulnerabilities:\r\n\r\n An input validation issue in IPv6 literal address parsing which\r\n can result in a negative length parameter being passed to memcpy.\r\n [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786]\r\n\r\n A buffer overflow in configuration file parsing could allow a\r\n local user to gain the privileges of a httpd child if the server\r\n can be forced to parse a carefully crafted .htaccess file.\r\n [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747]\r\n\r\n A segfault in mod_ssl which can be triggered by a malicious\r\n remote server, if proxying to SSL servers has been configured.\r\n [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751]\r\n\r\n A potential infinite loop in mod_ssl which could be triggered\r\n given particular timing of a connection abort.\r\n [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748]\r\n\r\n A segfault in mod_dav_fs which can be remotely triggered by an\r\n indirect lock refresh request.\r\n [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809]\r\n\r\nThe Apache HTTP Server Project would like to thank Codenomicon for\r\nsupplying copies of their "HTTP Test Tool" used to discover\r\nCAN-2004-0786, and to SITIC for reporting the discovery of\r\nCAN-2004-0747.\r\n\r\nThis release is compatible with modules compiled for 2.0.42 and\r\nlater versions. 
We consider this release to be the best version of\r\nApache available and encourage users of all prior versions to\r\nupgrade.\r\n\r\nApache HTTP Server 2.0.51 is available for download from\r\n\r\n http://httpd.apache.org/download.cgi?update=200409150645\r\n\r\nPlease see the CHANGES_2.0 file, linked from the above page, for\r\na full list of changes.\r\n\r\nApache 2.0 offers numerous enhancements, improvements, and performance\r\nboosts over the 1.3 codebase. For an overview of new features introduced\r\nafter 1.3 please see\r\n\r\n http://httpd.apache.org/docs-2.0/new_features_2_0.html\r\n\r\nWhen upgrading or installing this version of Apache, please keep\r\nin mind the following:\r\nIf you intend to use Apache with one of the threaded MPMs, you must\r\nensure that the modules (and the libraries they depend on) that you\r\nwill be using are thread-safe. Please contact the vendors of these\r\nmodules to obtain this information.\r\n", "edition": 1, "modified": "2004-09-16T00:00:00", "published": "2004-09-16T00:00:00", "id": "SECURITYVULNS:DOC:6814", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6814", "title": "[ANNOUNCE] Apache HTTP Server 2.0.51 Released", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:59", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0786", "CVE-2004-0747", "CVE-2004-0748", "CVE-2004-0809", "CVE-2004-0751"], "description": "### Background\n\nThe Apache HTTP server is one of the most popular web servers on the internet. mod_ssl provides SSL v2/v3 and TLS v1 support for it and mod_dav is the Apache module for Distributed Authoring and Versioning (DAV). 
\n\n### Description\n\nA potential infinite loop has been found in the input filter of mod_ssl (CAN-2004-0748) as well as a possible segmentation fault in the char_buffer_read function if reverse proxying to an SSL server is being used (CAN-2004-0751). Furthermore, mod_dav, as shipped in Apache httpd 2 or mod_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can be triggered remotely (CAN-2004-0809). The third issue is an input validation error found in the IPv6 URI parsing routines within the apr-util library (CAN-2004-0786). Additionally, a possible buffer overflow has been reported when expanding environment variables during the parsing of configuration files (CAN-2004-0747). \n\n### Impact\n\nA remote attacker could cause a Denial of Service either by aborting an SSL connection in a special way, resulting in CPU consumption, or by exploiting the segmentation fault in mod_ssl or the mod_dav flaw. A remote attacker could also crash an httpd child process by sending a specially crafted URI. The last vulnerability could be used by a local user to gain the privileges of an httpd child, if the server parses a carefully prepared .htaccess file. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll Apache 2 users should upgrade to the latest version: \n \n \n # emerge sync\n \n # emerge -pv \">=www-servers/apache-2.0.51\"\n # emerge \">=www-servers/apache-2.0.51\"\n\nAll mod_dav users should upgrade to the latest version: \n \n \n # emerge sync\n \n # emerge -pv \">=net-www/mod_dav-1.0.3-r2\"\n # emerge \">=net-www/mod_dav-1.0.3-r2\"", "edition": 1, "modified": "2007-12-30T00:00:00", "published": "2004-09-16T00:00:00", "id": "GLSA-200409-21", "href": "https://security.gentoo.org/glsa/200409-21", "type": "gentoo", "title": "Apache 2, mod_dav: Multiple vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:57:20", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0788", "CVE-2004-0786", "CVE-2004-0765", "CVE-2004-0747", "CVE-2004-0762", "CVE-2004-0758", "CVE-2004-0784", "CVE-2004-0807", "CVE-2004-0718", "CVE-2004-0764", "CVE-2004-0757", "CVE-2004-0494", "CVE-2004-0808", "CVE-2004-0782", "CVE-2004-0783", "CVE-2004-0597", "CVE-2004-0722", "CVE-2004-0832", "CVE-2004-0785", "CVE-2004-0759", "CVE-2004-0754", "CVE-2004-0763", "CVE-2004-0761"], "description": "The Apache daemon is running on most of the web-servers used in the Internet today. The Red Hat ASF Security-Team and the Swedish IT Incident Center within the National Post and Telecom Agency (SITIC) have found a bug in apache2 each. The first vulnerability appears in the apr_uri_parse() function while handling IPv6 addresses. The affected code passes a negative length argument to the memcpy() function. On BSD systems this can lead to remote command execution due to the nature of the memcpy() implementation. On Linux this bug will result in a remote denial-of-service condition. The second bug is a local buffer overflow that occurs while expanding ${ENVVAR} in the .htaccess and httpd.conf file. 
Neither file is writable by normal users by default.\n#### Solution\nThere is no known workaround.", "edition": 1, "modified": "2004-09-15T15:46:39", "published": "2004-09-15T15:46:39", "id": "SUSE-SA:2004:032", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-09/msg00011.html", "title": "remote denial-of-service in apache2", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}