Apache 2.4.x < 2.4.8 Multiple Vulnerabilities

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.

Synopsis :

The remote web server is affected by multiple vulnerabilities.

Description :

According to its banner, the version of Apache 2.4.x running on the
remote host is a version prior to 2.4.8. It is, therefore, affected by
the following vulnerabilities :

  - A flaw exists in the 'mod_dav' module when it tracks the
    length of CDATA that has leading white space. A remote
    attacker with a specially crafted DAV WRITE request can
    cause the service to stop responding.

  - A flaw exists in the 'mod_log_config' module when it logs
    a cookie that has an unassigned value. A remote attacker
    with a specially crafted request can cause the service
    to crash. (CVE-2014-0098)

Note that Nessus did not actually test for these issues, but instead
has relied on the version in the server's banner.

Solution :

Upgrade to Apache version 2.4.9 or later. Alternatively, ensure that
the affected modules are not in use.

Note that the issues were addressed in 2.4.8, although that version
was not released.
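
Because the plugin relies only on the banner, and the alternative remediation is to ensure the affected modules are not in use, a banner finding can be triaged against the host's module inventory. The following is an added example, not Tenable's plugin code; the function names, result labels and sample inputs are assumptions constructed for illustration, and the module list is expected in the format printed by `apachectl -M`.

```python
import re

# Modules named in the advisory, keyed by the name `apachectl -M` prints.
AFFECTED_MODULES = {"dav_module": "mod_dav", "log_config_module": "mod_log_config"}
FIXED = (2, 4, 8)  # first version carrying the fixes, per the advisory

# Constructed sample of `apachectl -M` output (not taken from a real host).
SAMPLE_MODULES = """Loaded Modules:
 core_module (static)
 log_config_module (static)
 mpm_event_module (shared)
 dav_module (shared)
"""


def banner_version(server_header):
    """Return (major, minor, patch) from a Server header, or None if hidden."""
    m = re.search(r"\bApache/(\d+)\.(\d+)\.(\d+)", server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def loaded_modules(apachectl_m_output):
    """Return the affected modules that appear in `apachectl -M` output."""
    names = re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)",
                       apachectl_m_output, re.M)
    return sorted(AFFECTED_MODULES[n] for n in names if n in AFFECTED_MODULES)


def triage(server_header, apachectl_m_output):
    """Combine the banner check with the module inventory."""
    ver = banner_version(server_header)
    if ver is None:
        return ("unknown", [])        # banner carries no version number
    if ver[:2] != (2, 4) or ver >= FIXED:
        return ("not-flagged", [])    # outside the 2.4.x < 2.4.8 range
    mods = loaded_modules(apachectl_m_output)
    # "version-only": banner is in range but neither affected module is loaded
    return ("exposed", mods) if mods else ("version-only", [])


if __name__ == "__main__":
    print(triage("Apache/2.4.7 (Unix)", SAMPLE_MODULES))
```
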

Risk factor :

Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.7
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 73081

Bugtraq ID: 66303

CVE ID: CVE-2013-6438