The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.

The remote NewStart CGSL host, running version MAIN 4.05, has httpd packages installed that are affected by multiple vulnerabilities:

  - Off-by-one error in the mod_ssl Certificate Revocation     List (CRL) verification callback in Apache, when     configured to use a CRL, allows remote attackers to     cause a denial of service (child process crash) via a     CRL that causes a buffer overflow of one null byte.
    (CVE-2005-1268)

  - The Apache HTTP server before 1.3.34, and 2.0.x before     2.0.55, when acting as an HTTP proxy, allows remote     attackers to poison the web cache, bypass web     application firewall protection, and conduct XSS attacks     via an HTTP request with both a Transfer-Encoding:
    chunked header and a Content-Length header, which     causes Apache to incorrectly handle and forward the body     of the request in a way that causes the receiving server     to process it as a separate HTTP request, aka HTTP     Request Smuggling. (CVE-2005-2088)

  - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using     SSLVerifyClient optional in the global virtual host     configuration, does not properly enforce     SSLVerifyClient require in a per-location context,     which allows remote attackers to bypass intended access     restrictions. (CVE-2005-2700)

  - The byte-range filter in Apache 2.0 before 2.0.54 allows     remote attackers to cause a denial of service (memory     consumption) via an HTTP header with a large Range     field. (CVE-2005-2728)

  - Cross-site scripting (XSS) vulnerability in the mod_imap     module of Apache httpd before 1.3.35-dev and Apache     httpd 2.0.x before 2.0.56-dev allows remote attackers to     inject arbitrary web script or HTML via the Referer when     using image maps. (CVE-2005-3352)

  - mod_ssl in Apache 2.0 up to 2.0.55, when configured with     an SSL vhost with access control and a custom error 400     error page, allows remote attackers to cause a denial of     service (application crash) via a non-SSL request to an     SSL port, which triggers a NULL pointer dereference.
    (CVE-2005-3357)

  - The TLS protocol, and the SSL protocol 3.0 and possibly     earlier, as used in Microsoft Internet Information     Services (IIS) 7.0, mod_ssl in the Apache HTTP Server     2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5     and earlier, Mozilla Network Security Services (NSS)     3.12.4 and earlier, multiple Cisco products, and other     products, does not properly associate renegotiation     handshakes with an existing connection, which allows     man-in-the-middle attackers to insert data into HTTPS     sessions, and possibly other types of sessions protected     by TLS or SSL, by sending an unauthenticated request     that is processed retroactively by a server in a post-     renegotiation context, related to a plaintext     injection attack, aka the Project Mogul issue.
    (CVE-2009-3555)

  - The (1) mod_cache and (2) mod_dav modules in the Apache     HTTP Server 2.2.x before 2.2.16 allow remote attackers     to cause a denial of service (process crash) via a     request that lacks a path. (CVE-2010-1452)

  - fs/ext4/extents.c in the Linux kernel before 3.0 does     not mark a modified extent as dirty in certain cases of     extent splitting, which allows local users to cause a     denial of service (system crash) via vectors involving     ext4 umount and mount operations. (CVE-2011-3638)

  - It was discovered that the HTTP parser in httpd     incorrectly allowed certain characters not permitted by     the HTTP protocol specification to appear unencoded in     HTTP request headers. If httpd was used in conjunction     with a proxy or backend server that interpreted those     characters differently, a remote attacker could possibly     use this flaw to inject data into HTTP responses,     resulting in proxy cache poisoning. (CVE-2016-8743)

  - It was discovered that the use of httpd's     ap_get_basic_auth_pw() API function outside of the     authentication phase could lead to authentication     bypass. A remote attacker could possibly use this flaw     to bypass required authentication if the API was used     incorrectly by one of the modules used by httpd.
    (CVE-2017-3167)

  - A NULL pointer dereference flaw was found in the httpd's     mod_ssl module. A remote attacker could use this flaw to     cause an httpd child process to crash if another module     used by httpd called a certain API function during the     processing of an HTTPS request. (CVE-2017-3169)

  - A buffer over-read flaw was found in the httpd's     ap_find_token() function. A remote attacker could use     this flaw to cause httpd child process to crash via a     specially crafted HTTP request. (CVE-2017-7668)

  - A buffer over-read flaw was found in the httpd's     mod_mime module. A user permitted to modify httpd's MIME     configuration could use this flaw to cause httpd child     process to crash. (CVE-2017-7679)

  - It was discovered that the httpd's mod_auth_digest     module did not properly initialize memory before using     it when processing certain headers related to digest     authentication. A remote attacker could possibly use     this flaw to disclose potentially sensitive information     or cause httpd child process to crash by sending     specially crafted requests to a server. (CVE-2017-9788)

  - A use-after-free flaw was found in the way httpd handled     invalid and previously unregistered HTTP methods     specified in the Limit directive used in an .htaccess     file. A remote attacker could possibly use this flaw to     disclose portions of the server memory, or cause httpd     child process to crash. (CVE-2017-9798)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host appears to be running a version of Apache that is prior to 2.0.55. It is, therefore affected by multiple vulnerabilities :

  - A security issue exists where 'SSLVerifyClient' is not     enforced in per-location context if 'SSLVerifyClient     optional' is configured in the vhost configuration.
    (CVE-2005-2700)

  - A denial of service vulnerability exists when processing     a large byte range request, as well as a flaw in the     'worker.c' module which could allow an attacker to force     this service to consume excessive amounts of memory.
    (CVE-2005-2970)

  - When Apache is acting as a proxy, it is possible for a     remote attacker to poison the web cache, bypass web     application firewall protection, and conduct cross-site     scripting attacks via an HTTP request with both a     'Transfer-Encoding: chunked' header and a     'Content-Length' header. (CVE-2005-2088)

  - Multiple integer overflows exists in PCRE in quantifier     parsing which could be triggered by a local user through     use of a specially crafted regex in an .htaccess file.
    (CVE-2005-2491)

  - An issue exists where the byte range filter buffers     responses into memory. (CVE-2005-2728)

  - An off-by-one overflow exists in mod_ssl while printing     CRL information at 'LogLevel debug' which could be     triggered if configured to use a 'malicious CRL'.
    (CVE-2005-1268)

Updated Apache httpd packages that correct two security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular and freely-available Web server.

A flaw was discovered in mod_ssl's handling of the 'SSLVerifyClient' directive. This flaw occurs if a virtual host is configured using 'SSLVerifyClient optional' and a directive 'SSLVerifyClient required' is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2700 to this issue.

A flaw was discovered in Apache httpd where the byterange filter would buffer certain responses into memory. If a server has a dynamic resource such as a CGI script or PHP script that generates a large amount of data, an attacker could send carefully crafted requests in order to consume resources, potentially leading to a Denial of Service. (CVE-2005-2728)

Users of Apache httpd should update to these errata packages that contain backported patches to correct these issues.

s700_800 11.04 Webproxy server 2.1 (Apache 2.x) update : 

Potential security vulnerabilities have been identified with Apache running on HP-UX. These vulnerability could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access.

s700_800 11.04 Virtualvault 4.7 OWS (Apache 2.x) update : 

Potential security vulnerabilities have been identified with Apache running on HP-UX. These vulnerability could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access.

Apache did not honour the 'SSLVerifyClient require' directive within a <Location> block if the surrounding <VirtualHost> block contained a directive 'SSLVerifyClient optional'. This allowed clients to bypass client certificate validation on servers with the above configuration.
(CAN-2005-2700)

Filip Sneppe discovered a Denial of Service vulnerability in the byte range filter handler. By requesting certain large byte ranges, a remote attacker could cause memory exhaustion in the server.
(CAN-2005-2728)

The updated libapache-mod-ssl also fixes two older Denial of Service vulnerabilities: A format string error in the ssl_log() function which could be exploited to crash the server (CAN-2004-0700), and a flaw in the SSL cipher negotiation which could be exploited to terminate a session (CAN-2004-0885). Please note that Apache 1.3 and libapache-mod-ssl are not officially supported (they are in the 'universe' component of the Ubuntu archive).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running Apple Mac OS X, but lacks Security Update 2005-009. This security update contains fixes for the following applications :
- Apache2
- Apache_mod_ssl
- CoreFoundation
- curl
- iodbcadmintool
- OpenSSL
- passwordserver
- Safari
- sudo
- syslog 

A flaw was discovered in mod_ssl's handling of the 'SSLVerifyClient' directive. This flaw occurs if a virtual host is configured using 'SSLVerifyClient optional' and a directive 'SSLVerifyClient required' is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting. (CVE-2005-2700)

A flaw was discovered in Apache httpd where the byterange filter would buffer certain responses into memory. If a server has a dynamic resource such as a CGI script or PHP script that generates a large amount of data, an attacker could send carefully crafted requests in order to consume resources, potentially leading to a Denial of Service. (CVE-2005-2728)

The updated packages have been patched to address these issues.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2005:608 advisory.

  - security flaw (CVE-2005-2700, CVE-2005-2728)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several problems have been discovered in Apache2, the next generation, scalable, extendable web server. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CAN-2005-1268     Marc Stern discovered an off-by-one error in the mod_ssl     Certificate Revocation List (CRL) verification callback.
    When Apache is configured to use a CRL this can be used     to cause a denial of service.

  - CAN-2005-2088

    A vulnerability has been discovered in the Apache web     server. When it is acting as an HTTP proxy, it allows     remote attackers to poison the web cache, bypass web     application firewall protection, and conduct cross-site     scripting attacks, which causes Apache to incorrectly     handle and forward the body of the request.

  - CAN-2005-2700

    A problem has been discovered in mod_ssl, which provides     strong cryptography (HTTPS support) for Apache that     allows remote attackers to bypass access restrictions.

  - CAN-2005-2728

    The byte-range filter in Apache 2.0 allows remote     attackers to cause a denial of service via an HTTP     header with a large Range field.

The remote host is affected by the vulnerability described in GLSA-200508-15 (Apache 2.0: Denial of Service vulnerability)

    Filip Sneppe discovered that Apache improperly handles byterange     requests to CGI scripts.
  Impact :

    A remote attacker may access vulnerable scripts in a malicious way,     exhausting all RAM and swap space on the server, resulting in a Denial     of Service of the Apache server.
  Workaround :

    There is no known workaround at this time.

The remote host is running Apple Mac OS X, but lacks Security Update 2005-009. This security update contains fixes for the following applications :
- Apache2
- Apache_mod_ssl
- CoreFoundation
- curl
- iodbcadmintool
- OpenSSL
- passwordserver
- Safari
- sudo
- syslog

ID	Name	Product	Family	Severity
127360	NewStart CGSL MAIN 4.05 : httpd Multiple Vulnerabilities (NS-SA-2019-0118)	Nessus	NewStart CGSL Local Security Checks	critical
31656	Apache < 2.0.55 Multiple Vulnerabilities	Nessus	Web Servers	high
21845	CentOS 3 / 4 : httpd (CESA-2005:608)	Nessus	CentOS Local Security Checks	critical
21108	HP-UX PHSS_34163 : Apache-based Web Server on HP-UX mod_ssl, proxy_http, Remote Execution of Arbitrary Code, Denial of Service (DoS), and Unauthorized Access (HPSBUX02074 SSRT051251 rev.2)	Nessus	HP-UX Local Security Checks	high
21107	HP-UX PHSS_34123 : Apache-based Web Server on HP-UX mod_ssl, proxy_http, Remote Execution of Arbitrary Code, Denial of Service (DoS), and Unauthorized Access (HPSBUX02074 SSRT051251 rev.2)	Nessus	HP-UX Local Security Checks	high
20587	Ubuntu 4.10 / 5.04 : apache2, libapache-mod-ssl vulnerabilities (USN-177-1)	Nessus	Ubuntu Local Security Checks	critical
3308	Mac OS X Multiple Vulnerabilities (Security Update 2005-009)	Nessus Network Monitor	Operating System Detection	high
19916	Mandrake Linux Security Advisory : apache2 (MDKSA-2005:161)	Nessus	Mandriva Local Security Checks	critical
19673	RHEL 4 : httpd (RHSA-2005:608)	Nessus	Red Hat Local Security Checks	high
19612	Debian DSA-805-1 : apache2 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
19535	GLSA-200508-15 : Apache 2.0: Denial of Service vulnerability	Nessus	Gentoo Local Security Checks	medium
800798	Mac OS X Multiple Vulnerabilities (Security Update 2005-009)	Log Correlation Engine	Operating System Detection	high

Detections

Analytics

CVE-2005-2728

high

Tenable Plugins

critical

high

critical

high

high

critical

high

critical

high

critical

medium

high