Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Apache-SSL Environment Variables Manipulation

Medium

Synopsis

The remote web server is prone to a memory disclosure / privilege escalation attack.

Description

According to its banner, the version of Apache-SSL installed on the remote host is older than apache_1.3.41+ssl_1.59. Such versions fail to properly sanitize certificate data before using it to populate environment variables. By sending a client certificate with special characters for the subject, a remote attacker can overwrite certain environment variables used by the web server, resulting in memory disclosure or potential privilege escalation in a web application.

Solution

Upgrade to apache_1.3.41+ssl_1.59 or higher.