APPLE-SA-2009-05-12

RHSA-2013:0130

29348

35074

GLSA-200803-19

3575

1019256

http://support.apple.com/kb/HT3549

http://www.mindedsecurity.com/MSA01150108.html

20080122 Apache mod_negotiation Xss and Http Response Splitting

27409

TA09-133A

ADV-2009-1297

apache-modnegotiation-response-splitting(39893)

[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) '406 Not Acceptable' or (2) '300 Multiple Choices' HTTP response when the extension is omitted in a request for the file.

The remote host is running a version of NSM (Network and Security Manager) Server that is prior to 2012.2R9. It is, therefore, affected by multiple vulnerabilities in the bundled version of Apache HTTP Server :

  - A flaw exists due to improper escaping of filenames in     406 and 300 HTTP responses. A remote attacker can     exploit this, by uploading a file with a specially     crafted name, to inject arbitrary HTTP headers or     conduct cross-site scripting attacks. (CVE-2008-0456)

  - Multiple cross-site scripting vulnerabilities exist in     the mod_negotiation module due to improper sanitization     of input passed via filenames. An attacker can exploit     this to execute arbitrary script code in a user's     browser. (CVE-2012-2687)

  - Multiple cross-site scripting vulnerabilities exist in     the mod_info, mod_status, mod_imagemap, mod_ldap, and     mod_proxy_ftp modules due to improper validation of     input passed via the URL or hostnames. An attacker can     exploit this to execute arbitrary script code in a     user's browser. (CVE-2012-3499)

  - A cross-site scripting vulnerability exists in the     mod_proxy_balancer module due to improper validation of     input passed via the URL or hostnames. An attacker can     exploit this to execute arbitrary script code in a     user's browser. (CVE-2012-4558)

  - A flaw exists in the do_rewritelog() function due to     improper sanitization of escape sequences written to log     files. A remote attacker can exploit this, via a     specially crafted HTTP request, to execute arbitrary     commands. (CVE-2013-1862)

  - A denial of service vulnerability exists in mod_dav.c     due to improper validation to determine if DAV is     enabled for a URI. A remote attacker can exploit this,     via a specially crafted MERGE request, to cause a     segmentation fault, resulting in a denial of service     condition. (CVE-2013-1896)

  - A denial of service vulnerability exists in the     dav_xml_get_cdata() function     due to improper removal of whitespace characters from     CDATA sections. A remote attacker can exploit this,     via a specially crafted DAV WRITE request, to cause a     daemon crash, resulting in a denial of service     condition. (CVE-2013-6438)

  - A flaw exists in log_cookie() function due to the     logging of cookies with an unassigned value. A remote     attacker can exploit this, via a specially crafted     request, to cause a segmentation fault, resulting in a     denial of service condition. (CVE-2014-0098)

  - A flaw exists in the deflate_in_filter() function when     request body decompression is configured. A remote     attacker can exploit this, via a specially crafted     request, to exhaust available memory and CPU resources,     resulting in a denial of service condition.
    (CVE-2014-0118)

  - A race condition exists in the mod_status module due to     improper validation of user-supplied input when handling     the scoreboard. A remote attacker can exploit this, via     a crafted request, to cause a heap-based buffer     overflow, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2014-0226)

  - A flaw exists in the mod_cgid module due to the lack of     a timeout mechanism. A remote attacker can exploit this,     via a request to a CGI script that does not read from     its stdin file descriptor, to cause a denial of service     condition. (CVE-2014-0231)

From Red Hat Security Advisory 2013:0130 :

Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687)

Bug fixes :

* Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the '%post' script for the 'mod_ssl' package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and 'localhost.key' was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The '%post' script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected. (BZ#752618)

* The 'mod_ssl' module did not support operation under FIPS mode.
Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected. (BZ#773473)

* Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command 'service httpd reload' was run and httpd failed, the exit status code returned was '0' and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns '1' as an exit status code.
(BZ#783242)

* Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a 'chunk-size' or 'chunk-extension' value of 32 bytes or more.
Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs. (BZ#840845)

* Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client. (BZ#845532)

* In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a 'description' string was received from the origin server, for a non-standard status code, such as the '450' status code, a '500 Internal Server Error' would be returned to the client. This bug has been fixed so that the original response line is returned to the client. (BZ#853128)

Enhancements :

* The configuration directive 'LDAPReferrals' is now supported in addition to the previously introduced 'LDAPChaseReferrals'.
(BZ#727342)

* The AJP support module for 'mod_proxy', 'mod_proxy_ajp', now supports the 'ProxyErrorOverride' directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP. (BZ#767890)

* The '%posttrans' scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon. (BZ#833042)

* The output of 'httpd -S' now includes configured alias names for each virtual host. (BZ#833043)

* New certificate variable names are now exposed by 'mod_ssl' using the '_DN_userID' suffix, such as 'SSL_CLIENT_S_DN_userID', which use the commonly used object identifier (OID) definition of 'userID', OID 0.9.2342.19200300.100.1.1. (BZ#840036)

All users of httpd are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687)

Bug fixes :

  - Previously, no check was made to see if the     /etc/pki/tls/private/localhost.key file was a valid key     prior to running the '%post' script for the 'mod_ssl'     package. Consequently, when     /etc/pki/tls/certs/localhost.crt did not exist and     'localhost.key' was present but invalid, upgrading the     Apache HTTP Server daemon (httpd) with mod_ssl failed.
    The '%post' script has been fixed to test for an     existing SSL key. As a result, upgrading httpd with     mod_ssl now proceeds as expected.

  - The 'mod_ssl' module did not support operation under     FIPS mode. Consequently, when operating Scientific Linux     5 with FIPS mode enabled, httpd failed to start. An     upstream patch has been applied to disable non-FIPS     functionality if operating under FIPS mode and httpd now     starts as expected.

  - Prior to this update, httpd exit status codes were not     Linux Standard Base (LSB) compliant. When the command     'service httpd reload' was run and httpd failed, the     exit status code returned was '0' and not in the range 1     to 6 as expected. A patch has been applied to the init     script and httpd now returns '1' as an exit status code.

  - Chunked Transfer Coding is described in RFC 2616.
    Previously, the Apache server did not correctly handle a     chunked encoded POST request with a 'chunk- size' or     'chunk-extension' value of 32 bytes or more.
    Consequently, when such a POST request was made the     server did not respond. An upstream patch has been     applied and the problem no longer occurs.

  - Due to a regression, when mod_cache received a     non-cacheable 304 response, the headers were served     incorrectly. Consequently, compressed data could be     returned to the client without the cached headers to     indicate the data was compressed. An upstream patch has     been applied to merge response and cached headers before     data from the cache is served to the client. As a     result, cached data is now correctly interpreted by the     client.

  - In a proxy configuration, certain response-line strings     were not handled correctly. If a response-line without a     'description' string was received from the origin     server, for a non-standard status code, such as the     '450' status code, a '500 Internal Server Error' would     be returned to the client. This bug has been fixed so     that the original response line is returned to the     client.

Enhancements :

  - The configuration directive 'LDAPReferrals' is now     supported in addition to the previously introduced     'LDAPChaseReferrals'.

  - The AJP support module for 'mod_proxy', 'mod_proxy_ajp',     now supports the 'ProxyErrorOverride' directive.
    Consequently, it is now possible to configure customized     error pages for web applications running on a backend     server accessed via AJP.

  - The '%posttrans' scriptlet which automatically restarts     the httpd service after a package upgrade can now be     disabled. If the file /etc/sysconfig/httpd-     disable-posttrans exists, the scriptlet will not restart     the daemon.

  - The output of 'httpd -S' now includes configured alias     names for each virtual host.

  - New certificate variable names are now exposed by     'mod_ssl' using the '_DN_userID' suffix, such as     'SSL_CLIENT_S_DN_userID', which use the commonly used     object identifier (OID) definition of 'userID', OID     0.9.2342.19200300.100.1.1.

Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687)

Bug fixes :

* Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the '%post' script for the 'mod_ssl' package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and 'localhost.key' was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The '%post' script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected. (BZ#752618)

* The 'mod_ssl' module did not support operation under FIPS mode.
Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected. (BZ#773473)

* Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command 'service httpd reload' was run and httpd failed, the exit status code returned was '0' and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns '1' as an exit status code.
(BZ#783242)

* Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a 'chunk-size' or 'chunk-extension' value of 32 bytes or more.
Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs. (BZ#840845)

* Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client. (BZ#845532)

* In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a 'description' string was received from the origin server, for a non-standard status code, such as the '450' status code, a '500 Internal Server Error' would be returned to the client. This bug has been fixed so that the original response line is returned to the client. (BZ#853128)

Enhancements :

* The configuration directive 'LDAPReferrals' is now supported in addition to the previously introduced 'LDAPChaseReferrals'.
(BZ#727342)

* The AJP support module for 'mod_proxy', 'mod_proxy_ajp', now supports the 'ProxyErrorOverride' directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP. (BZ#767890)

* The '%posttrans' scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon. (BZ#833042)

* The output of 'httpd -S' now includes configured alias names for each virtual host. (BZ#833043)

* New certificate variable names are now exposed by 'mod_ssl' using the '_DN_userID' suffix, such as 'SSL_CLIENT_S_DN_userID', which use the commonly used object identifier (OID) definition of 'userID', OID 0.9.2342.19200300.100.1.1. (BZ#840036)

All users of httpd are advised to upgrade to these updated packages, which fix these issues and add these enhancements.

According to its banner, the version of Apache running on the remote host does not properly escape filenames in 406 responses. A remote attacker can exploit this to inject arbitrary HTTP headers or conduct cross-site scripting attacks by uploading a file with a specially crafted name. 

Note that the remote web server may not actually be affected by these vulnerabilities as Nessus has relied solely on the version number in the server's banner.

The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. 

Mac OS X 10.5.7 contains security fixes for the following products :

  - Apache
  - ATS
  - BIND
  - CFNetwork
  - CoreGraphics
  - Cscope
  - CUPS
  - Disk Images
  - enscript
  - Flash Player plug-in
  - Help Viewer
  - iChat
  - International Components for Unicode
  - IPSec
  - Kerberos
  - Kernel
  - Launch Services
  - libxml
  - Net-SNMP
  - Network Time
  - Networking
  - OpenSSL
  - PHP
  - QuickDraw Manager
  - ruby
  - Safari
  - Spotlight
  - system_cmds
  - telnet
  - Terminal
  - WebKit
  - X11

The remote host is affected by the vulnerability described in GLSA-200803-19 (Apache: Multiple vulnerabilities)

    Adrian Pastor and Amir Azam (ProCheckUp) reported that the HTTP Method     specifier header is not properly sanitized when the HTTP return code is     '413 Request Entity too large' (CVE-2007-6203). The mod_proxy_balancer     module does not properly check the balancer name before using it     (CVE-2007-6422). The mod_proxy_ftp does not define a charset in its     answers (CVE-2008-0005). Stefano Di Paola (Minded Security) reported     that filenames are not properly sanitized within the mod_negotiation     module (CVE-2008-0455, CVE-2008-0456).
  Impact :

    A remote attacker could entice a user to visit a malicious URL or send     specially crafted HTTP requests (i.e using Adobe Flash) to perform     Cross-Site Scripting and HTTP response splitting attacks, or conduct a     Denial of Service attack on the vulnerable web server.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of Mac OS X 10.5 that is older than version 10.5.7.  Mac OS X 10.5.7 contains security fixes for the following products : 

- Apache
- ATS
- BIND
- CFNetwork
- CoreGraphics
-Cscope
- CUPS
- Disk Images
- enscript
- Flash player
- Help Viewer
- iChat
- Internation Components for Unicode
- IPSec
- Kerberos
- Kernel
- Launch Services
- libxml
- Net-SNMP
- Network Time
- Networking
- OpenSSL
- PHP
- QuickDraw Manager
- ruby
- Safari
- Spotlight
- system_cmds
- telnet
- WebKit
- X11
- Terminal

ID	Name	Product	Family	Severity
85697	F5 Networks BIG-IP : Apache HTTP server vulnerability (SOL17189)	Nessus	F5 Networks Local Security Checks	low
84878	Juniper NSM < 2012.2R9 Apache HTTP Server Multiple Vulnerabilities (JSA10685) (credentialed check)	Nessus	Misc.	medium
84877	Juniper NSM < 2012.2R9 Apache HTTP Server Multiple Vulnerabilities (JSA10685)	Nessus	Misc.	medium
68701	Oracle Linux 5 : httpd (ELSA-2013-0130)	Nessus	Oracle Linux Local Security Checks	medium
63597	Scientific Linux Security Update : httpd on SL5.x i386/x86_64 (20130108)	Nessus	Scientific Linux Local Security Checks	medium
63575	CentOS 5 : httpd (CESA-2013:0130)	Nessus	CentOS Local Security Checks	medium
63411	RHEL 5 : httpd (RHSA-2013:0130)	Nessus	Red Hat Local Security Checks	medium
17692	Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities	Nessus	Web Servers	medium
38744	Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
31445	GLSA-200803-19 : Apache: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
5023	Mac OS X 10.5 < 10.5.7 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
800792	Mac OS X 10.5 < 10.5.7 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high

CVE-2008-0456

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins