Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.

There is a buffer overflow in a function used by mod_include that may enable a local user to gain privileges of a httpd child. Only users that are able to create SSI documents can take advantage of that vulnerability.

New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user. The mod_ssl package has also been upgraded to version 2.8.22_1.3.33.

Updated apache and mod_ssl packages that fix various minor security issues and bugs in the Apache Web server are now available for Red Hat Enterprise Linux 2.1.

The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

A buffer overflow was discovered in the mod_include module. This flaw could allow a local user who is authorized to create server-side include (SSI) files to gain the privileges of a httpd child (user 'apache'). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0940 to this issue.

The mod_digest module does not properly verify the nonce of a client response by using a AuthNonce secret. This could allow a malicious user who is able to sniff network traffic to conduct a replay attack against a website using Digest protection. Note that mod_digest implements an older version of the MD5 Digest Authentication specification, which is known not to work with modern browsers. This issue does not affect mod_auth_digest. (CVE-2003-0987).

An issue has been discovered in the mod_ssl module when configured to use the 'SSLCipherSuite' directive in a directory or location context.
If a particular location context has been configured to require a specific set of cipher suites, then a client is able to access that location using any cipher suite allowed by the virtual host configuration. (CVE-2004-0885).

Several bugs in mod_ssl were also discovered, including :

  - memory leaks in SSL variable handling

  - possible crashes in the dbm and shmht session caches

Red Hat Enterprise Linux 2.1 users of the Apache HTTP Server should upgrade to these erratum packages, which contains Apache version 1.3.27 with backported patches correcting these issues.

The remote host is missing Security Update 2004-12-02. This security update contains a number of enhancements for the following programs :

 - Apache
 - Apache2
 - AppKit
 - Cyrus IMAP
 - HIToolbox
 - Kerberos
 - Postfix
 - PSNormalizer
 - QuickTime Streaming Server
 - Safari
 - Terminal

The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs :

  - Apache
  - Apache2
  - AppKit
  - Cyrus IMAP
  - HIToolbox
  - Kerberos
  - Postfix
  - PSNormalizer
  - QuickTime Streaming Server
  - Safari
  - Terminal

These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.

A possible buffer overflow exists in the get_tag() function of mod_include, and if SSI (Server Side Includes) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process. This could be done with a special HTML document using malformed SSI.

The updated packages have been patched to prevent this problem.

Two vulnerabilities have been identified in the Apache 1.3 webserver :

  - CAN-2004-0940     'Crazy Einstein' has discovered a vulnerability in the     'mod_include' module, which can cause a buffer to be     overflown and could lead to the execution of arbitrary     code.

  - NO VULN ID

    Larry Cashdollar has discovered a potential buffer     overflow in the htpasswd utility, which could be     exploited when user-supplied is passed to the program     via a CGI (or PHP, or ePerl, ...) program.

The remote host is affected by the vulnerability described in GLSA-200411-03 (Apache 1.3: Buffer overflow vulnerability in mod_include)

    A possible buffer overflow exists in the get_tag() function of     mod_include.c.
  Impact :

    If Server Side Includes (SSI) are enabled, a local attacker may be able to     run arbitrary code with the rights of an httpd child process by making use     of a specially crafted document with malformed SSI.
  Workaround :

    There is no known workaround at this time.

The remote web server appears to be running a version of Apache that is older than version 1.3.33.

This version is vulnerable to a local buffer overflow in the get_tag() function of the module 'mod_include' when a specially crafted document with malformed server-side includes is requested though an HTTP session.

Successful exploitation can lead to execution of arbitrary code with escalated privileges, but requires that server-side includes (SSI) is enabled.

ID	Name	Product	Family	Severity
37841	FreeBSD : apache mod_include buffer overflow vulnerability (6e6a6b8a-2fde-11d9-b3a2-0050fc56d258)	Nessus	FreeBSD Local Security Checks	medium
18788	Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache+mod_ssl (SSA:2004-305-01)	Nessus	Slackware Local Security Checks	medium
15960	RHEL 2.1 : apache, mod_ssl (RHSA-2004:600)	Nessus	Red Hat Local Security Checks	high
2444	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)	Nessus Network Monitor	Web Clients	high
15898	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)	Nessus	MacOS X Local Security Checks	high
15739	Mandrake Linux Security Advisory : apache (MDKSA-2004:134)	Nessus	Mandriva Local Security Checks	medium
15729	Debian DSA-594-1 : apache - buffer overflows	Nessus	Debian Local Security Checks	medium
15606	GLSA-200411-03 : Apache 1.3: Buffer overflow vulnerability in mod_include	Nessus	Gentoo Local Security Checks	medium
15554	Apache mod_include get_tag() Function Local Overflow	Nessus	Web Servers	medium
800800	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)	Log Correlation Engine	Operating System Detection	medium

Detections

Analytics

CVE-2004-0940

high

Tenable Plugins

medium

medium

high

high

high

medium

medium

medium

medium

medium