Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157.

The remote host is running Oracle Application Server. It was not possible to determine its version, so the version of Oracle Application Server installed on the remote host could potentially be affected by multiple vulnerabilities :

  - CVE-2000-0169: Remote command execution in the web     listener component.

  - CVE-2000-1235: Information disclosure in the port     listener component and modplsql.

  - CVE-2000-1236: SQL injection in mod_sql.

  - CVE-2001-0326: Information disclosure in the Java     Virtual Machine.

  - CVE-2001-0419: Buffer overflow in ndwfn4.so.

  - CVE-2001-0591: Directory traversal.

  - CVE-2001-1216: Buffer overflow in the PL/SQL Apache module.

  - CVE-2001-1217: Directory traversal vulnerability in the     PL/SQL Apache module.

  - CVE-2001-1371: Improper access control in the SOAP     service.

  - CVE-2001-1372: Information disclosure.

  - CVE-2002-0386: Denial of service through the     administration module for Oracle Web Cache.

  - CVE-2002-0559: Buffer overflows in the PL/SQL module.

  - CVE-2002-0560: Information disclosure in the PL/SQL     module.

  - CVE-2002-0561: Authentication bypass in the PL/SQL     Gateway web administration interface.

  - CVE-2002-0562: Information disclosure through     globals.jsa.

  - CVE-2002-0563: Improper access control on several     services.

  - CVE-2002-0564: Authentication bypass in the PL/SQL     module.

  - CVE-2002-0565: Information disclosure through JSP files     in the _pages directory.

  - CVE-2002-0566: Denial of service in the PL/SQL module.

  - CVE-2002-0568: Improper access control on XSQLConfig.xml     and soapConfig.xml.

  - CVE-2002-0569: Authentication bypass through     XSQLServlet.

  - CVE-2002-0655: Denial of service in OpenSSL.

  - CVE-2002-0656: Buffer overflows in OpenSSL.

  - CVE-2002-0659: Denial of service in OpenSSL.

  - CVE-2002-0840: Cross-site scripting in the default error     page of Apache.

  - CVE-2002-0842: Format string vulnerability in mod_dav.

  - CVE-2002-0843: Buffer overflows in ApacheBench.

  - CVE-2002-0947: Buffer overflow in rwcgi60.

  - CVE-2002-1089: Information disclosure in rwcgi60.

  - CVE-2002-1630: Improper access control on sendmail.jsp.

  - CVE-2002-1631: SQL injection in query.xsql.

  - CVE-2002-1632: Information disclosure through several     JSP pages.

  - CVE-2002-1635: Information disclosure in Apache.

  - CVE-2002-1636: Cross-site scripting in the htp PL/SQL     package.

  - CVE-2002-1637: Default credentials in multiple     components.

  - CVE-2002-1858: Information disclosure through the     WEB-INF directory.

  - CVE-2002-2153: Format string vulnerability in the     administrative pages of the PL/SQL module.

  - CVE-2002-2345: Credential leakage in the web cache     administrator interface.

  - CVE-2002-2347: Cross-site scripting in several JSP     pages.

  - CVE-2004-1362: Authentication bypass in the PL/SQL     module.

  - CVE-2004-1363: Buffer overflow in extproc.

  - CVE-2004-1364: Directory traversal in extproc.

  - CVE-2004-1365: Command execution in extproc.

  - CVE-2004-1366: Improper access control on     emoms.properties.

  - CVE-2004-1367: Credential leakage in Database Server.

  - CVE-2004-1368: Arbitrary file execution in ISQL*Plus.

  - CVE-2004-1369: Denial of service in TNS Listener.

  - CVE-2004-1370: Multiple SQL injection vulnerabilities in     PL/SQL.

  - CVE-2004-1371: Stack-based buffer overflow.

  - CVE-2004-1707: Privilege escalation in dbsnmp and nmo.

  - CVE-2004-1774: Buffer overflow in the MD2 package.

  - CVE-2004-1877: Phishing vulnerability in Single Sign-On     component.

  - CVE-2004-2134: Weak cryptography for passwords in the     toplink mapping workBench.

  - CVE-2004-2244: Denial of service in the XML parser.

  - CVE-2005-1383: Authentication bypass in HTTP Server.

  - CVE-2005-1495: Detection bypass.

  - CVE-2005-1496: Privilege escalation in the     DBMS_Scheduler.

  - CVE-2005-2093: Web cache poisoning.

  - CVE-2005-3204: Cross-site scripting.

  - CVE-2005-3445: Multiple unspecified vulnerabilities in     HTTP Server.

  - CVE-2005-3446: Unspecified vulnerability in Internet     Directory.

  - CVE-2005-3447: Unspecified vulnerability in Single     Sign-On.

  - CVE-2005-3448: Unspecified vulnerability in the OC4J     module.

  - CVE-2005-3449: Multiple unspecified vulnerabilities in     multiple components.

  - CVE-2005-3450: Unspecified vulnerability in HTTP Server.

  - CVE-2005-3451: Unspecified vulnerability in     SQL*ReportWriter.

  - CVE-2005-3452: Unspecified vulnerability in Web Cache.

  - CVE-2005-3453: Multiple unspecified vulnerabilities in     Web Cache.

  - CVE-2006-0273: Unspecified vulnerability in the Portal     component.

  - CVE-2006-0274: Unspecified vulnerability in the Oracle     Reports Developer component.

  - CVE-2006-0275: Unspecified vulnerability in the Oracle     Reports Developer component.

  - CVE-2006-0282: Unspecified vulnerability.

  - CVE-2006-0283: Unspecified vulnerability.

  - CVE-2006-0284: Multiple unspecified vulnerabilities.

  - CVE-2006-0285: Unspecified vulnerability in the Java Net     component.

  - CVE-2006-0286: Unspecified vulnerability in HTTP Server.

  - CVE-2006-0287: Unspecified vulnerability in HTTP Server.

  - CVE-2006-0288: Multiple unspecified vulnerabilities in     the Oracle Reports Developer component.

  - CVE-2006-0289: Multiple unspecified vulnerabilities.

  - CVE-2006-0290: Unspecified vulnerability in the Oracle     Workflow Cartridge component.

  - CVE-2006-0291: Multiple unspecified vulnerabilities in     the Oracle Workflow Cartridge component.

  - CVE-2006-0435: Unspecified vulnerability in Oracle     PL/SQL.

  - CVE-2006-0552: Unspecified vulnerability in the Net     Listener component.

  - CVE-2006-0586: Multiple SQL injection vulnerabilities.

  - CVE-2006-1884: Unspecified vulnerability in the Oracle     Thesaurus Management System component.

  - CVE-2006-3706: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-3707: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-3708: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-3709: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-3710: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-3711: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-3712: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-3713: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-3714: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-5353: Unspecified vulnerability in HTTP Server.

  - CVE-2006-5354: Unspecified vulnerability in HTTP Server.

  - CVE-2006-5355: Unspecified vulnerability in Single     Sign-On.

  - CVE-2006-5356: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-5357: Unspecified vulnerability in HTTP Server.

  - CVE-2006-5358: Unspecified vulnerability in the Oracle     Forms component.

  - CVE-2006-5359: Multiple unspecified vulnerabilities in     Oracle Reports Developer component.

  - CVE-2006-5360: Unspecified vulnerability in Oracle Forms     component.

  - CVE-2006-5361: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-5362: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-5363: Unspecified vulnerability in Single     Sign-On.

  - CVE-2006-5364: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2006-5365: Unspecified vulnerability in Oracle     Forms.

  - CVE-2006-5366: Multiple unspecified vulnerabilities.

  - CVE-2007-0222: Directory traversal vulnerability in     EmChartBean.

  - CVE-2007-0275: Cross-site scripting vulnerability in     Oracle Reports Web Cartridge (RWCGI60).

  - CVE-2007-0280: Buffer overflow in Oracle Notification     Service.

  - CVE-2007-0281: Multiple unspecified vulnerabilities in     HTTP Server.

  - CVE-2007-0282: Unspecified vulnerability in OPMN02.

  - CVE-2007-0283: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2007-0284: Multiple unspecified vulnerabilities in     Oracle Containers for J2EE.

  - CVE-2007-0285: Unspecified vulnerability in Oracle     Reports Developer.

  - CVE-2007-0286: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2007-0287: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2007-0288: Unspecified vulnerability in Oracle     Internet Directory.

  - CVE-2007-0289: Multiple unspecified vulnerabilities in     Oracle Containers for J2EE.

  - CVE-2007-1359: Improper access control in mod_security.

  - CVE-2007-1609: Cross-site scripting vulnerability in     servlet/Spy in Dynamic Monitoring Services (DMS).

  - CVE-2007-2119: Cross-site scripting vulnerability in the     Administration Front End for Oracle Enterprise (Ultra)     Search.

  - CVE-2007-2120: Denial of service in the Oracle     Discoverer servlet.

  - CVE-2007-2121: Unspecified vulnerability in the COREid     Access component.

  - CVE-2007-2122: Unspecified vulnerability in the Wireless     component.

  - CVE-2007-2123: Unspecified vulnerability in the Portal     component.

  - CVE-2007-2124: Unspecified vulnerability in the Portal     component.

  - CVE-2007-2130: Unspecified vulnerability in Workflow     Cartridge.

  - CVE-2007-3553: Cross-site scripting vulnerability in     Rapid Install Web Server.

  - CVE-2007-3854: Multiple unspecified vulnerabilities in     the Advanced Queuing component and the Spatial     component.

  - CVE-2007-3859: Unspecified vulnerability in the Oracle     Internet Directory component.

  - CVE-2007-3861: Unspecified vulnerability in Oracle     Jdeveloper.

  - CVE-2007-3862: Unspecified vulnerability in Single     Sign-On.

  - CVE-2007-3863: Unspecified vulnerability in Oracle     JDeveloper.

  - CVE-2007-5516: Unspecified vulnerability in the Oracle     Process Mgmt & Notification component.

  - CVE-2007-5517: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2007-5518: Unspecified vulnerability in HTTP Server.

  - CVE-2007-5519: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2007-5520: Unspecified vulnerability in the Oracle     Internet Directory component.

  - CVE-2007-5521: Unspecified vulnerability in Oracle     Containers for J2EE.

  - CVE-2007-5522: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2007-5523: Unspecified vulnerability in the Oracle     Internet Directory component.

  - CVE-2007-5524: Unspecified vulnerability in Single     Sign-On.

  - CVE-2007-5525: Unspecified vulnerability in Single     Sign-On.

  - CVE-2007-5526: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2007-5531: Unspecified vulnerability in Oracle Help     for Web.

  - CVE-2008-0340: Multiple unspecified vulnerabilities in     the Advanced Queuing component and Spatial component.

  - CVE-2008-0343: Unspecified vulnerability in the Oracle     Spatial component.

  - CVE-2008-0344: Unspecified vulnerability in the Oracle     Spatial component.

  - CVE-2008-0345: Unspecified vulnerability in the Core     RDBMS component.

  - CVE-2008-0346: Unspecified vulnerability in the Oracle     Jinitiator component.

  - CVE-2008-0347: Unspecified vulnerability in the Oracle     Ultra Search component.

  - CVE-2008-0348: Multiple unspecified vulnerabilities in     the PeopleTools component.

  - CVE-2008-0349: Unspecified vulnerability in the     PeopleTools component.

  - CVE-2008-1812: Unspecified vulnerability in the Oracle     Enterprise Manager component.

  - CVE-2008-1814: Unspecified vulnerability in the Oracle     Secure Enterprise Search or Ultrasearch component.

  - CVE-2008-1823: Unspecified vulnerability in the Oracle     Jinitiator component.

  - CVE-2008-1824: Unspecified vulnerability in the Oracle     Dynamic Monitoring Service component.

  - CVE-2008-1825: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2008-2583: Unspecified vulnerability in the sample     Discussion Forum Portlet for the Oracle Portal     component.

  - CVE-2008-2588: Unspecified vulnerability in the Oracle     JDeveloper component.

  - CVE-2008-2589: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2008-2593: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2008-2594: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2008-2595: Unspecified vulnerability in the Oracle     Internet Directory component.

  - CVE-2008-2609: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2008-2612: Unspecified vulnerability in the Hyperion     BI Plus component.

  - CVE-2008-2614: Unspecified vulnerability in HTTP Server.

  - CVE-2008-2619: Unspecified vulnerability in the Oracle     Reports Developer component.

  - CVE-2008-2623: Unspecified vulnerability in the Oracle     JDeveloper component.

  - CVE-2008-3975: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2008-3977: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2008-3986: Unspecified vulnerability in the Oracle     Discoverer Administrator component.

  - CVE-2008-3987: Unspecified vulnerability in the Oracle     Discoverer Desktop component.

  - CVE-2008-4014: Unspecified vulnerability in the Oracle     BPEL Process Manager component.

  - CVE-2008-4017: Unspecified vulnerability in the OC4J     component.

  - CVE-2008-5438: Unspecified vulnerability in the Oracle     Portal component.

  - CVE-2008-7233: Unspecified vulnerability in the Oracle     Jinitiator component.

  - CVE-2009-0217: Signature spoofing vulnerability in     multiple components.

  - CVE-2009-0989: Unspecified vulnerability in the BI     Publisher component.

  - CVE-2009-0990: Unspecified vulnerability in the BI     Publisher component.

  - CVE-2009-0994: Unspecified vulnerability in the BI     Publisher component.

  - CVE-2009-1008: Unspecified vulnerability in the Outside     In Technology component.

  - CVE-2009-1009: Unspecified vulnerability in the Outside     In Technology component.

  - CVE-2009-1010: Unspecified vulnerability in the Outside     In Technology component.

  - CVE-2009-1011: Unspecified vulnerability in the Outside     In Technology component.

  - CVE-2009-1017: Unspecified vulnerability in the BI     Publisher component.

  - CVE-2009-1976: Unspecified vulnerability in HTTP Server.

  - CVE-2009-1990: Unspecified vulnerability in the Business     Intelligence Enterprise Edition component.

  - CVE-2009-1999: Unspecified vulnerability in the Business     Intelligence Enterprise Edition component.

  - CVE-2009-3407: Unspecified vulnerability in the Portal     component.

  - CVE-2009-3412: Unspecified vulnerability in the Unzip     component.

  - CVE-2010-0066: Unspecified vulnerability in the Access     Manager Identity Server component.

  - CVE-2010-0067: Unspecified vulnerability in the Oracle     Containers for J2EE component.

  - CVE-2010-0070: Unspecified vulnerability in the Oracle     Containers for J2EE component.

  - CVE-2011-0789: Unspecified vulnerability in HTTP Server.

  - CVE-2011-0795: Unspecified vulnerability in Single     Sign-On.

  - CVE-2011-0884: Unspecified vulnerability in the Oracle     BPEL Process Manager component.

  - CVE-2011-2237: Unspecified vulnerability in the Oracle     Web Services Manager component.

  - CVE-2011-2314: Unspecified vulnerability in the Oracle     Containers for J2EE component.

  - CVE-2011-3523: Unspecified vulnerability in the Oracle     Web Services Manager component.

s700_800 11.04 Virtualvault 4.5 IWS Update : 

Potential vulnerability regarding ownership permissions of System V shared memory based scoreboards. (CERT VU#825353, CVE CAN-2002-0839) Potential cross-site scripting vulnerability in the default error page when using wildcard DNS. (CERT VU#240329, CVE CAN-2002-0840) Potential overflows in ab.c which could be exploited by a malicious server.
(CERT VU#858881, CVE CAN-2002-0843) Exposure of CGI source when a POST request is sent to a location where both DAV and CGI are enabled.
(CERT VU#91071, CVE CAN-2002-1156).

s700_800 11.04 Virtualvault 4.6 OWS update : 

Potential vulnerability regarding ownership permissions of System V shared memory based scoreboards. (CERT VU#825353, CVE CAN-2002-0839) Potential cross-site scripting vulnerability in the default error page when using wildcard DNS. (CERT VU#240329, CVE CAN-2002-0840) Potential overflows in ab.c which could be exploited by a malicious server.
(CERT VU#858881, CVE CAN-2002-0843) Exposure of CGI source when a POST request is sent to a location where both DAV and CGI are enabled.
(CERT VU#91071, CVE CAN-2002-1156).

s700_800 11.04 Virtualvault 4.5 OWS update : 

Potential vulnerability regarding ownership permissions of System V shared memory based scoreboards. (CERT VU#825353, CVE CAN-2002-0839) Potential cross-site scripting vulnerability in the default error page when using wildcard DNS. (CERT VU#240329, CVE CAN-2002-0840) Potential overflows in ab.c which could be exploited by a malicious server.
(CERT VU#858881, CVE CAN-2002-0843) Exposure of CGI source when a POST request is sent to a location where both DAV and CGI are enabled.
(CERT VU#91071, CVE CAN-2002-1156).

s700_800 11.04 Virtualvault 4.6 IWS update. : 

Potential vulnerability regarding ownership permissions of System V shared memory based scoreboards. (CERT VU#825353, CVE CAN-2002-0839) Potential cross-site scripting vulnerability in the default error page when using wildcard DNS. (CERT VU#240329, CVE CAN-2002-0840) Potential overflows in ab.c which could be exploited by a malicious server.
(CERT VU#858881, CVE CAN-2002-0843) Exposure of CGI source when a POST request is sent to a location where both DAV and CGI are enabled.
(CERT VU#91071, CVE CAN-2002-1156).

s700_800 11.X OV NNM6.2 Intermediate Patch, Feb 2003 : 

Potential vulnerability regarding ownership permissions of System V shared memory based scoreboards. (CERT VU#825353, CVE CAN-2002-0839) Potential cross-site scripting vulnerability in the default error page when using wildcard DNS. (CERT VU#240329, CVE CAN-2002-0840) Potential overflows in ab.c which could be exploited by a malicious server.
(CERT VU#858881, CVE CAN-2002-0843) Exposure of CGI source when a POST request is sent to a location where both DAV and CGI are enabled.
(CERT VU#91071, CVE CAN-2002-1156).

According to David Wagner, iDEFENSE and the Apache HTTP Server Project, several vulnerabilities have been found in the Apache server package, a commonly used webserver. Most of the code is shared between the Apache and Apache-Perl packages, so vulnerabilities are shared as well.

These vulnerabilities could allow an attacker to enact a denial of service against a server or execute a cross site scripting attack, or steal cookies from other website users. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities :

  - CAN-2002-0839: A vulnerability exists on platforms using     System V shared memory based scoreboards. This     vulnerability allows an attacker to execute code under     the Apache UID to exploit the Apache shared memory     scoreboard format and send a signal to any process as     root or cause a local denial of service attack.
  - CAN-2002-0840: Apache is susceptible to a cross site     scripting vulnerability in the default 404 page of any     web server hosted on a domain that allows wildcard DNS     lookups.

  - CAN-2002-0843: There were some possible overflows in the     utility ApacheBench (ab) which could be exploited by a     malicious server. No such binary programs are     distributed by the Apache-Perl package, though.

  - CAN-2002-1233: A race condition in the htpasswd and     htdigest program enables a malicious local user to read     or even modify the contents of a password file or easily     create and overwrite files as the user running the     htpasswd (or htdigest respectively) program. No such     binary programs are distributed by the Apache-Perl     package, though.

  - CAN-2001-0131: htpasswd and htdigest in Apache 2.0a9,     1.3.14, and others allows local users to overwrite     arbitrary files via a symlink attack. No such binary     programs are distributed by the Apache-Perl package,     though.

  - NO-CAN: Several buffer overflows have been found in the     ApacheBench (ab) utility that could be exploited by a     remote server returning very long strings. No such     binary programs are distributed by the Apache-Perl     package, though.

These problems have been fixed in version 1.3.26-1-1.26-0woody2 for the current stable distribution (woody), in 1.3.9-14.1-1.21.20000309-1.1 for the old stable distribution (potato) and in version 1.3.26-1.1-1.27-3-1 for the unstable distribution (sid).

According to David Wagner, iDEFENSE and the Apache HTTP Server Project, several vulnerabilities have been found in the Apache package, a commonly used webserver. Most of the code is shared between the Apache and Apache-SSL packages, so vulnerabilities are shared as well. These vulnerabilities could allow an attacker to enact a denial of service against a server or execute a cross scripting attack, or steal cookies from other web site users. Vulnerabilities in the included legacy programs htdigest, htpasswd and ApacheBench can be exploited when called via CGI. Additionally the insecure temporary file creation in htdigest and htpasswd can also be exploited locally.
The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities :

  - CAN-2002-0839: A vulnerability exists on platforms using     System V shared memory based scoreboards. This     vulnerability allows an attacker to execute code under     the Apache UID to exploit the Apache shared memory     scoreboard format and send a signal to any process as     root or cause a local denial of service attack.
  - CAN-2002-0840: Apache is susceptible to a cross site     scripting vulnerability in the default 404 page of any     web server hosted on a domain that allows wildcard DNS     lookups.

  - CAN-2002-0843: There were some possible overflows in the     utility ApacheBench (ab) which could be exploited by a     malicious server.

  - CAN-2002-1233: A race condition in the htpasswd and     htdigest program enables a malicious local user to read     or even modify the contents of a password file or easily     create and overwrite files as the user running the     htpasswd (or htdigest respectively) program. (binaries     not included in apache-ssl package though)

  - CAN-2001-0131: htpasswd and htdigest in Apache 2.0a9,     1.3.14, and others allows local users to overwrite     arbitrary files via a symlink attack.

    This is the same vulnerability as CAN-2002-1233, which     was fixed in potato already but got lost later and was     never applied upstream. (binaries not included in     apache-ssl package though)

  - NO-CAN: Several buffer overflows have been found in the     ApacheBench (ab) utility that could be exploited by a     remote server returning very long strings. (binary not     included in apache-ssl package though) These problems have been fixed in version 1.3.26.1+1.48-0woody3 for the current stable distribution (woody) and in 1.3.9.13-4.2 for the old stable distribution (potato). Corrected packages for the unstable distribution (sid) are expected soon.

According to David Wagner, iDEFENSE and the Apache HTTP Server Project, several remotely exploitable vulnerabilities have been found in the Apache package, a commonly used webserver. These vulnerabilities could allow an attacker to enact a denial of service against a server or execute a cross scripting attack. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities :

  - CAN-2002-0839: A vulnerability exists on platforms using     System V shared memory based scoreboards. This     vulnerability allows an attacker to execute code under     the Apache UID to exploit the Apache shared memory     scoreboard format and send a signal to any process as     root or cause a local denial of service attack.
  - CAN-2002-0840: Apache is susceptible to a cross site     scripting vulnerability in the default 404 page of any     web server hosted on a domain that allows wildcard DNS     lookups.

  - CAN-2002-0843: There were some possible overflows in the     utility ApacheBench (ab) which could be exploited by a     malicious server.

  - CAN-2002-1233: A race condition in the htpasswd and     htdigest program enables a malicious local user to read     or even modify the contents of a password file or easily     create and overwrite files as the user running the     htpasswd (or htdigest respectively) program.

  - CAN-2001-0131: htpasswd and htdigest in Apache 2.0a9,     1.3.14, and others allows local users to overwrite     arbitrary files via a symlink attack.

    This is the same vulnerability as CAN-2002-1233, which     was fixed in potato already but got lost later and was     never applied upstream.

  - NO-CAN: Several buffer overflows have been found in the     ApacheBench (ab) utility that could be exploited by a     remote server returning very long strings.
These problems have been fixed in version 1.3.26-0woody3 for the current stable distribution (woody) and in 1.3.9-14.3 for the old stable distribution (potato). Corrected packages for the unstable distribution (sid) are expected soon.

The remote host is running a version of Apache which is older than 1.3.27. This version contains several flaws that have been fixed in 1.3.27.

A number of vulnerabilities were discovered in Apache versions prior to 1.3.27. The first is regarding the use of shared memory (SHM) in Apache. An attacker that is able to execute code as the UID of the webserver (typically 'apache') is able to send arbitrary processes a USR1 signal as root. Using this vulnerability, the attacker can also cause the Apache process to continously span more children processes, thus causing a local DoS. Another vulnerability was discovered by Matthew Murphy regarding a cross site scripting vulnerability in the standard 404 error page. Finally, some buffer overflows were found in the 'ab' benchmark program that is included with Apache.

All of these vulnerabilities were fixed in Apache 1.3.27; the packages provided have these fixes applied.

Updated apache and httpd packages are available which fix a number of security issues for Red Hat Linux Advanced Server 2.1.

[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.

Buffer overflows in the ApacheBench support program (ab.c) in Apache versions prior to 1.3.27 allow a malicious Web server to cause a denial of service and possibly execute arbitrary code via a long response. The Common Vulnerabilities and Exposures project has assigned the name CVE-2002-0843 to this issue.

Two cross-site scripting vulnerabilities are present in the error pages for the default '404 Not Found' error, and for the error response when a plain HTTP request is received on an SSL port. Both of these issues are only exploitable if the 'UseCanonicalName' setting has been changed to 'Off', and wildcard DNS is in use. These issues would allow remote attackers to execute scripts as other Web page visitors, for instance, to steal cookies. These issues affect versions of Apache 1.3 before 1.3.26, and versions of mod_ssl before 2.8.12.
The Common Vulnerabilities and Exposures project has assigned the names CVE-2002-0840 and CVE-2002-1157 to these issues.

The shared memory scoreboard in the HTTP daemon for Apache 1.3, prior to version 1.3.27, allowed a user running as the 'apache' UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or other such behavior that would not normally be allowed. The Common Vulnerabilities and Exposures project has assigned the name CVE-2002-0839 to this issue.

All users of the Apache HTTP server are advised to upgrade to the applicable errata packages. For Red Hat Linux Advanced Server 2.1 these packages include Apache version 1.3.27 which is not vulnerable to these issues.

Note that the instructions in the 'Solution' section of this errata contain additional steps required to complete the upgrade process.

The remote host is running a version of Apache web server prior to 1.3.27. It is, therefore, affected by multiple vulnerabilities :

  - There is a cross-site scripting vulnerability caused by     a failure to filter HTTP/1.1 'Host' headers that are     sent by browsers.

  - A vulnerability in the handling of the Apache scorecard     could allow an attacker to cause a denial of service.

  - A buffer overflow vulnerability exists in the     'support/ab.c' read_connection() function. The ab.c file     is a benchmarking support utility that is provided with     the Apache web server.

ID	Name	Product	Family	Severity
57619	Oracle Application Server Multiple Vulnerabilities	Nessus	Web Servers	critical
17492	HP-UX PHSS_28111 : HP-UX Running Apache, Increased Privileges or Denial of Service (DoS) or Execution of Arbitrary Code (HPSBUX00224 SSRT2393 rev.3)	Nessus	HP-UX Local Security Checks	high
17491	HP-UX PHSS_28099 : HP-UX Running Apache, Increased Privileges or Denial of Service (DoS) or Execution of Arbitrary Code (HPSBUX00224 SSRT2393 rev.3)	Nessus	HP-UX Local Security Checks	high
17490	HP-UX PHSS_28098 : HP-UX Running Apache, Increased Privileges or Denial of Service (DoS) or Execution of Arbitrary Code (HPSBUX00224 SSRT2393 rev.3)	Nessus	HP-UX Local Security Checks	high
17118	HP-UX PHSS_28090 : HP-UX Running Apache, Increased Privileges or Denial of Service (DoS) or Execution of Arbitrary Code (HPSBUX00224 SSRT2393 rev.3)	Nessus	HP-UX Local Security Checks	high
16993	HP-UX PHSS_28705 : HP-UX Running Apache, Increased Privileges or Denial of Service (DoS) or Execution of Arbitrary Code (HPSBUX00224 SSRT2393 rev.3)	Nessus	HP-UX Local Security Checks	high
15032	Debian DSA-195-1 : apache-perl - several vulnerabilities	Nessus	Debian Local Security Checks	high
15025	Debian DSA-188-1 : apache-ssl - several vulnerabilities	Nessus	Debian Local Security Checks	high
15024	Debian DSA-187-1 : apache - several vulnerabilities	Nessus	Debian Local Security Checks	high
1488	Apache < 1.3.27 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
13968	Mandrake Linux Security Advisory : apache (MDKSA-2002:068)	Nessus	Mandriva Local Security Checks	high
12332	RHEL 2.1 : apache (RHSA-2002:251)	Nessus	Red Hat Local Security Checks	high
11137	Apache < 1.3.27 Multiple Vulnerabilities (DoS, XSS)	Nessus	Web Servers	high

Detections

Analytics

CVE-2002-0840

medium

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high

high

high

high