Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

According to its banner, the version of Apache 2.4.x running on the remote host is prior 2.4.3. It is, therefore, affected by the following vulnerabilities :

 - An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)

 - An error exists related to 'mod_proxy_ajp' and 'mod_proxy_http' that can allow connections to remain open. This condition can allow information disclosure when combined with specially crafted requests. (CVE-2012-3502)

Note that the scanner did not actually test for these issues, but instead has relied on the version in the server's banner.

Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) '406 Not Acceptable' or (2) '300 Multiple Choices' HTTP response when the extension is omitted in a request for the file.

From Red Hat Security Advisory 2013:0512 :

Updated httpd packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2012-4557)

These updated httpd packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes.

All users of httpd are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing the updated packages, the httpd daemon will be restarted automatically.

From Red Hat Security Advisory 2013:0130 :

Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687)

Bug fixes :

* Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the '%post' script for the 'mod_ssl' package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and 'localhost.key' was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The '%post' script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected. (BZ#752618)

* The 'mod_ssl' module did not support operation under FIPS mode.
Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected. (BZ#773473)

* Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command 'service httpd reload' was run and httpd failed, the exit status code returned was '0' and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns '1' as an exit status code.
(BZ#783242)

* Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a 'chunk-size' or 'chunk-extension' value of 32 bytes or more.
Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs. (BZ#840845)

* Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client. (BZ#845532)

* In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a 'description' string was received from the origin server, for a non-standard status code, such as the '450' status code, a '500 Internal Server Error' would be returned to the client. This bug has been fixed so that the original response line is returned to the client. (BZ#853128)

Enhancements :

* The configuration directive 'LDAPReferrals' is now supported in addition to the previously introduced 'LDAPChaseReferrals'.
(BZ#727342)

* The AJP support module for 'mod_proxy', 'mod_proxy_ajp', now supports the 'ProxyErrorOverride' directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP. (BZ#767890)

* The '%posttrans' scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon. (BZ#833042)

* The output of 'httpd -S' now includes configured alias names for each virtual host. (BZ#833043)

* New certificate variable names are now exposed by 'mod_ssl' using the '_DN_userID' suffix, such as 'SSL_CLIENT_S_DN_userID', which use the commonly used object identifier (OID) definition of 'userID', OID 0.9.2342.19200300.100.1.1. (BZ#840036)

All users of httpd are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

Updated httpd packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2012-4557)

These updated httpd packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes.

All users of httpd are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing the updated packages, the httpd daemon will be restarted automatically.

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2012-4557)

After installing the updated packages, the httpd daemon will be restarted automatically.

This update contains the 2.2.23 release of the Apache HTTP Server.

http://www.eu.apache.org/dist/httpd/CHANGES_2.2.23

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated JBoss Enterprise Application Platform 6.0.1 packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for JBoss Enterprise Application Platform 6.0.0, and includes bug fixes and enhancements. Refer to the 6.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/knowledge/docs/

This update removes unused signed JARs; unused SHA1 checksums from JAR MANIFEST.MF files to reduce the Server memory footprint; adds MANIFEST.MF to JAR files where it was previously missing; and removes redundant Javadoc files from the main packages. (BZ#830291)

Security fixes :

Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. (CVE-2012-2379)

When using role-based authorization to configure EJB access, JACC permissions should be used to determine access; however, due to a flaw the configured authorization modules (JACC, XACML, etc.) were not called, and the JACC permissions were not used to determine access to an EJB. (CVE-2012-4550)

A flaw in the way Apache CXF enforced child policies of WS-SecurityPolicy 1.1 on the client side could, in certain cases, lead to a client failing to sign or encrypt certain elements as directed by the security policy, leading to information disclosure and insecure information transmission. (CVE-2012-2378)

A flaw was found in the way IronJacamar authenticated credentials and returned a valid datasource connection when configured to 'allow-multiple-users'. A remote attacker, provided the correct subject, could obtain a datasource connection that might belong to a privileged user. (CVE-2012-3428)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. Note that WS-Policy validation is performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

When there are no allowed roles for an EJB method invocation, the invocation should be denied for all users. It was found that the processInvocation() method in org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes all method invocations to proceed when the list of allowed roles is empty. (CVE-2012-4549)

It was found that in Mojarra, the FacesContext that is made available during application startup is held in a ThreadLocal. The reference is not properly cleaned up in all cases. As a result, if a JavaServer Faces (JSF) WAR calls FacesContext.getCurrentInstance() during application startup, another WAR can get access to the leftover context and thus get access to the other WAR's resources. A local attacker could use this flaw to access another WAR's resources using a crafted, deployed application. (CVE-2012-2672)

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

Red Hat would like to thank the Apache CXF project for reporting CVE-2012-2379, CVE-2012-2378, and CVE-2012-3451. The CVE-2012-4550 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team; CVE-2012-3428 and CVE-2012-4549 were discovered by Arun Neelicattu of the Red Hat Security Response Team; and CVE-2012-2672 was discovered by Marek Schmidt and Stan Silvert of Red Hat.

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. Refer to the Solution section for further details.

Updated JBoss Enterprise Application Platform 6.0.1 packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for JBoss Enterprise Application Platform 6.0.0, and includes bug fixes and enhancements. Refer to the 6.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/knowledge/docs/

This update removes unused signed JARs; unused SHA1 checksums from JAR MANIFEST.MF files to reduce the Server memory footprint; adds MANIFEST.MF to JAR files where it was previously missing; and removes redundant Javadoc files from the main packages. (BZ#853551)

Security fixes :

Apache CXF checked to ensure XML elements were signed or encrypted by a Supporting Token, but not whether the correct token was used. A remote attacker could transmit confidential information without the appropriate security, and potentially circumvent access controls on web services exposed via Apache CXF. (CVE-2012-2379)

When using role-based authorization to configure EJB access, JACC permissions should be used to determine access; however, due to a flaw the configured authorization modules (JACC, XACML, etc.) were not called, and the JACC permissions were not used to determine access to an EJB. (CVE-2012-4550)

A flaw in the way Apache CXF enforced child policies of WS-SecurityPolicy 1.1 on the client side could, in certain cases, lead to a client failing to sign or encrypt certain elements as directed by the security policy, leading to information disclosure and insecure information transmission. (CVE-2012-2378)

A flaw was found in the way IronJacamar authenticated credentials and returned a valid datasource connection when configured to 'allow-multiple-users'. A remote attacker, provided the correct subject, could obtain a datasource connection that might belong to a privileged user. (CVE-2012-3428)

It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks under certain conditions. Note that WS-Policy validation is performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)

When there are no allowed roles for an EJB method invocation, the invocation should be denied for all users. It was found that the processInvocation() method in org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes all method invocations to proceed when the list of allowed roles is empty. (CVE-2012-4549)

It was found that in Mojarra, the FacesContext that is made available during application startup is held in a ThreadLocal. The reference is not properly cleaned up in all cases. As a result, if a JavaServer Faces (JSF) WAR calls FacesContext.getCurrentInstance() during application startup, another WAR can get access to the leftover context and thus get access to the other WAR's resources. A local attacker could use this flaw to access another WAR's resources using a crafted, deployed application. (CVE-2012-2672)

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

Red Hat would like to thank the Apache CXF project for reporting CVE-2012-2379, CVE-2012-2378, and CVE-2012-3451. The CVE-2012-4550 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team; CVE-2012-3428 and CVE-2012-4549 were discovered by Arun Neelicattu of the Red Hat Security Response Team; and CVE-2012-2672 was discovered by Marek Schmidt and Stan Silvert of Red Hat.

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. Refer to the Solution section for further details.

Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687)

Bug fixes :

  - Previously, no check was made to see if the     /etc/pki/tls/private/localhost.key file was a valid key     prior to running the '%post' script for the 'mod_ssl'     package. Consequently, when     /etc/pki/tls/certs/localhost.crt did not exist and     'localhost.key' was present but invalid, upgrading the     Apache HTTP Server daemon (httpd) with mod_ssl failed.
    The '%post' script has been fixed to test for an     existing SSL key. As a result, upgrading httpd with     mod_ssl now proceeds as expected.

  - The 'mod_ssl' module did not support operation under     FIPS mode. Consequently, when operating Scientific Linux     5 with FIPS mode enabled, httpd failed to start. An     upstream patch has been applied to disable non-FIPS     functionality if operating under FIPS mode and httpd now     starts as expected.

  - Prior to this update, httpd exit status codes were not     Linux Standard Base (LSB) compliant. When the command     'service httpd reload' was run and httpd failed, the     exit status code returned was '0' and not in the range 1     to 6 as expected. A patch has been applied to the init     script and httpd now returns '1' as an exit status code.

  - Chunked Transfer Coding is described in RFC 2616.
    Previously, the Apache server did not correctly handle a     chunked encoded POST request with a 'chunk- size' or     'chunk-extension' value of 32 bytes or more.
    Consequently, when such a POST request was made the     server did not respond. An upstream patch has been     applied and the problem no longer occurs.

  - Due to a regression, when mod_cache received a     non-cacheable 304 response, the headers were served     incorrectly. Consequently, compressed data could be     returned to the client without the cached headers to     indicate the data was compressed. An upstream patch has     been applied to merge response and cached headers before     data from the cache is served to the client. As a     result, cached data is now correctly interpreted by the     client.

  - In a proxy configuration, certain response-line strings     were not handled correctly. If a response-line without a     'description' string was received from the origin     server, for a non-standard status code, such as the     '450' status code, a '500 Internal Server Error' would     be returned to the client. This bug has been fixed so     that the original response line is returned to the     client.

Enhancements :

  - The configuration directive 'LDAPReferrals' is now     supported in addition to the previously introduced     'LDAPChaseReferrals'.

  - The AJP support module for 'mod_proxy', 'mod_proxy_ajp',     now supports the 'ProxyErrorOverride' directive.
    Consequently, it is now possible to configure customized     error pages for web applications running on a backend     server accessed via AJP.

  - The '%posttrans' scriptlet which automatically restarts     the httpd service after a package upgrade can now be     disabled. If the file /etc/sysconfig/httpd-     disable-posttrans exists, the scriptlet will not restart     the daemon.

  - The output of 'httpd -S' now includes configured alias     names for each virtual host.

  - New certificate variable names are now exposed by     'mod_ssl' using the '_DN_userID' suffix, such as     'SSL_CLIENT_S_DN_userID', which use the commonly used     object identifier (OID) definition of 'userID', OID     0.9.2342.19200300.100.1.1.

Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687)

Bug fixes :

* Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the '%post' script for the 'mod_ssl' package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and 'localhost.key' was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The '%post' script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected. (BZ#752618)

* The 'mod_ssl' module did not support operation under FIPS mode.
Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected. (BZ#773473)

* Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command 'service httpd reload' was run and httpd failed, the exit status code returned was '0' and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns '1' as an exit status code.
(BZ#783242)

* Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a 'chunk-size' or 'chunk-extension' value of 32 bytes or more.
Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs. (BZ#840845)

* Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client. (BZ#845532)

* In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a 'description' string was received from the origin server, for a non-standard status code, such as the '450' status code, a '500 Internal Server Error' would be returned to the client. This bug has been fixed so that the original response line is returned to the client. (BZ#853128)

Enhancements :

* The configuration directive 'LDAPReferrals' is now supported in addition to the previously introduced 'LDAPChaseReferrals'.
(BZ#727342)

* The AJP support module for 'mod_proxy', 'mod_proxy_ajp', now supports the 'ProxyErrorOverride' directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP. (BZ#767890)

* The '%posttrans' scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon. (BZ#833042)

* The output of 'httpd -S' now includes configured alias names for each virtual host. (BZ#833043)

* New certificate variable names are now exposed by 'mod_ssl' using the '_DN_userID' suffix, such as 'SSL_CLIENT_S_DN_userID', which use the commonly used object identifier (OID) definition of 'userID', OID 0.9.2342.19200300.100.1.1. (BZ#840036)

All users of httpd are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

According to its banner, the version of Apache running on the remote host does not properly escape filenames in 406 responses. A remote attacker can exploit this to inject arbitrary HTTP headers or conduct cross-site scripting attacks by uploading a file with a specially crafted name. 

Note that the remote web server may not actually be affected by these vulnerabilities as Nessus has relied solely on the version number in the server's banner.

The remote host is affected by the vulnerability described in GLSA-200803-19 (Apache: Multiple vulnerabilities)

    Adrian Pastor and Amir Azam (ProCheckUp) reported that the HTTP Method     specifier header is not properly sanitized when the HTTP return code is     '413 Request Entity too large' (CVE-2007-6203). The mod_proxy_balancer     module does not properly check the balancer name before using it     (CVE-2007-6422). The mod_proxy_ftp does not define a charset in its     answers (CVE-2008-0005). Stefano Di Paola (Minded Security) reported     that filenames are not properly sanitized within the mod_negotiation     module (CVE-2008-0455, CVE-2008-0456).
  Impact :

    A remote attacker could entice a user to visit a malicious URL or send     specially crafted HTTP requests (i.e using Adobe Flash) to perform     Cross-Site Scripting and HTTP response splitting attacks, or conduct a     Denial of Service attack on the vulnerable web server.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
98901	Apache 2.4.x < 2.4.3 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
85708	F5 Networks BIG-IP : Apache HTTP server vulnerability (SOL17201)	Nessus	F5 Networks Local Security Checks	medium
68750	Oracle Linux 6 : httpd (ELSA-2013-0512)	Nessus	Oracle Linux Local Security Checks	medium
68701	Oracle Linux 5 : httpd (ELSA-2013-0130)	Nessus	Oracle Linux Local Security Checks	medium
65145	CentOS 6 : httpd (CESA-2013:0512)	Nessus	CentOS Local Security Checks	medium
64952	Scientific Linux Security Update : httpd on SL6.x i386/x86_64 (20130221)	Nessus	Scientific Linux Local Security Checks	medium
64761	RHEL 6 : httpd (RHSA-2013:0512)	Nessus	Red Hat Local Security Checks	medium
64595	Fedora 17 : httpd-2.2.23-1.fc17 (2013-1661)	Nessus	Fedora Local Security Checks	medium
64072	RHEL 6 : JBoss EAP (RHSA-2012:1592)	Nessus	Red Hat Local Security Checks	critical
64071	RHEL 5 : JBoss EAP (RHSA-2012:1591)	Nessus	Red Hat Local Security Checks	critical
63597	Scientific Linux Security Update : httpd on SL5.x i386/x86_64 (20130108)	Nessus	Scientific Linux Local Security Checks	medium
63575	CentOS 5 : httpd (CESA-2013:0130)	Nessus	CentOS Local Security Checks	medium
63411	RHEL 5 : httpd (RHSA-2013:0130)	Nessus	Red Hat Local Security Checks	medium
17692	Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities	Nessus	Web Servers	medium
31445	GLSA-200803-19 : Apache: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium

Detections

Analytics

CVE-2008-0455

medium

Tenable Plugins

high

medium

medium

medium

medium

medium

medium

medium

critical

critical

medium

medium

medium

medium

medium