mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.

A vulnerability has been found and corrected in apache :

mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request (CVE-2009-1191).

This update provides fixes for that vulnerability.

Multiple vulnerabilities has been found and corrected in apache :

Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm (CVE-2008-1678).
Note that this security issue does not really apply as zlib compression is not enabled in the openssl build provided by Mandriva, but apache is patched to address this issue anyway (conserns 2008.1 only).

mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request (CVE-2009-1191).

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this security issue was initially addressed with MDVSA-2008:195 but the patch fixing the issue was added but not applied in 2009.0.

The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file (CVE-2009-1195).

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests (CVE-2009-1890).

Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects (CVE-2009-1891).

The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command (CVE-2009-3094).

The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes (CVE-2009-3095).

Apache is affected by SSL injection or man-in-the-middle attacks due to a design flaw in the SSL and/or TLS protocols. A short term solution was released Sat Nov 07 2009 by the ASF team to mitigate these problems. Apache will now reject in-session renegotiation (CVE-2009-3555).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

This update provides a solution to these vulnerabilities.

The remote host is running a version of Mac OS X 10.6 that is older than version 10.6.2.  Mac OS X 10.6.2 contains security fixes for the following products : 

  - Adaptive Firewall

  - Apache

  - Apache Protable Runtime

  - Certificate Assistant

  - CoreMedia

  - CUPS

  - DoveCot

  - fetchmail

  - file

  - FTP Server

  - Help Viewer

  - ImageIO

  - IOKit

  - IPSec

  - Kernel

  - Launch Services

  - libsecurity

  - libxml

 Login Window

  - OpenLDAP

  - QuickDraw Manager

QuickTime

  - Screen Sharing

  - Subversion

The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.2.

Mac OS X 10.6.2 contains security fixes for the following products :

  - Adaptive Firewall
  - Apache
  - Apache Portable Runtime
  - Certificate Assistant
  - CoreMedia
  - CUPS
  - Dovecot
  - fetchmail
  - file
  - FTP Server
  - Help Viewer
  - ImageIO
  - IOKit
  - IPSec
  - Kernel
  - Launch Services
  - libsecurity
  - libxml
  - Login Window
  - OpenLDAP
  - QuickDraw Manager
  - QuickTime
  - Screen Sharing
  - Subversion

The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2009-006 applied.

This security update contains fixes for the following products :

  - AFP Client
  - Adaptive Firewall
  - Apache
  - Apache Portable Runtime
  - ATS
  - Certificate Assistant
  - CoreGraphics
  - CUPS
  - Dictionary
  - DirectoryService
  - Disk Images
  - Event Monitor
  - fetchmail
  - FTP Server
  - Help Viewer
  - International Components for Unicode
  - IOKit
  - IPSec
  - libsecurity
  - libxml
  - OpenLDAP
  - OpenSSH
  - PHP
  - QuickDraw Manager
  - QuickLook
  - FreeRADIUS
  - Screen Sharing
  - Spotlight
  - Subversion

Apache ChangeLog reports :

CVE-2009-1891: Fix a potential Denial-of-Service attack against mod_deflate or other modules.

CVE-2009-1195: Prevent the 'Includes' Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it.

CVE-2009-1890: Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration.

CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body.

CVE-2009-0023, CVE-2009-1955, CVE-2009-1956: The bundled copy of the APR-util library has been updated, fixing three different security issues which may affect particular configurations and third-party modules (was already fixed in 2.2.11_5).

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.12.  Such versions may be affected by several issues : 

  - A denial-of-service vulnerability in the 'mod_proxy' module could be exploited to cause the process to consume large amounts of CPU resources. (CVE-2009-1890)

  - The 'mod_deflate' module is prone to a remote denial-of-service vulnerability when large file downloads are terminated before completing. (CVE-2009-1891)

NNM cannot determine whether the affected modules are in use.

New httpd packages are available for Slackware 12.0, 12.1, 12.2, and
-current to fix security issues.

According to its banner, the version of Apache 2.2.x. running on the remote host is prior to 2.2.12. It is, therefore, affected by the following vulnerabilities :

  - A heap-based buffer underwrite flaw exists in the     function 'apr_strmatch_precompile()' in the bundled copy     of the APR-util library, which could be triggered when     parsing configuration data to crash the daemon.
    (CVE-2009-0023)

  - A flaw in the mod_proxy_ajp module in version 2.2.11     only may allow a remote attacker to obtain sensitive     response data intended for a client that sent an     earlier POST request with no request body.
    (CVE-2009-1191)

  - The server does not limit the use of directives in a     .htaccess file as expected based on directives such     as 'AllowOverride' and 'Options' in the configuration     file, which could enable a local user to bypass     security restrictions. (CVE-2009-1195)

  - Failure to properly handle an amount of streamed data     that exceeds the Content-Length value allows a remote     attacker to force a proxy process to consume CPU time     indefinitely when mod_proxy is used in a reverse proxy     configuration. (CVE-2009-1890)

  - Failure of mod_deflate to stop compressing a file when     the associated network connection is closed may allow a     remote attacker to consume large amounts of CPU if     there is a large (>10 MB) file available that has     mod_deflate enabled. (CVE-2009-1891)

  - Using a specially crafted XML document with a large     number of nested entities, a remote attacker may be     able to consume an excessive amount of memory due to     a flaw in the bundled expat XML parser used by the     mod_dav and mod_dav_svn modules. (CVE-2009-1955)

  - There is an off-by-one overflow in the function     'apr_brigade_vprintf()' in the bundled copy of the     APR-util library in the way it handles a variable list     of arguments, which could be leveraged on big-endian     platforms to perform information disclosure or denial     of service attacks. (CVE-2009-1956)

Note that Nessus has relied solely on the version in the Server response header and did not try to check for the issues themselves or even whether the affected modules are in use.

The remote host is affected by the vulnerability described in GLSA-200907-04 (Apache: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the Apache HTTP     server:
    Jonathan Peatfield reported that the     'Options=IncludesNoEXEC' argument to the 'AllowOverride' directive is     not processed properly (CVE-2009-1195).
    Sander de Boer     discovered that the AJP proxy module (mod_proxy_ajp) does not correctly     handle POST requests that do not contain a request body     (CVE-2009-1191).
    The vendor reported that the HTTP proxy     module (mod_proxy_http), when being used as a reverse proxy, does not     properly handle requests containing more data as stated in the     'Content-Length' header (CVE-2009-1890).
    Francois Guerraz     discovered that mod_deflate does not abort the compression of large     files even when the requesting connection is closed prematurely     (CVE-2009-1891).
  Impact :

    A local attacker could circumvent restrictions put up by the server     administrator and execute arbitrary commands with the privileges of the     user running the Apache server. A remote attacker could send multiple     requests to a server with the AJP proxy module, possibly resulting in     the disclosure of a request intended for another client, or cause a     Denial of Service by sending specially crafted requests to servers     running mod_proxy_http or mod_deflate.
  Workaround :

    Remove 'include', 'proxy_ajp', 'proxy_http' and 'deflate' from     APACHE2_MODULES in make.conf and rebuild Apache, or disable the     aforementioned modules in the Apache configuration.

Matthew Palmer discovered an underflow flaw in apr-util as included in Apache. An attacker could cause a denial of service via application crash in Apache using a crafted SVNMasterURI directive, .htaccess file, or when using mod_apreq2. This issue only affected Ubuntu 6.06 LTS. (CVE-2009-0023)

Sander de Boer discovered that mod_proxy_ajp would reuse connections when a client closed a connection without sending a request body. A remote attacker could exploit this to obtain sensitive response data.
This issue only affected Ubuntu 9.04. (CVE-2009-1191)

Jonathan Peatfield discovered that Apache did not process Includes options correctly. With certain configurations of Options and AllowOverride, a local attacker could use an .htaccess file to override intended restrictions and execute arbitrary code via a Server-Side-Include file. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04. (CVE-2009-1195)

It was discovered that the XML parser did not properly handle entity expansion. A remote attacker could cause a denial of service via memory resource consumption by sending a crafted request to an Apache server configured to use mod_dav or mod_dav_svn. This issue only affected Ubuntu 6.06 LTS. (CVE-2009-1955)

C. Michael Pilato discovered an off-by-one buffer overflow in apr-util when formatting certain strings. For big-endian machines (powerpc, hppa and sparc in Ubuntu), a remote attacker could cause a denial of service or information disclosure leak. All other architectures for Ubuntu are not considered to be at risk. This issue only affected Ubuntu 6.06 LTS. (CVE-2009-1956).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
48144	Mandriva Linux Security Advisory : apache (MDVSA-2009:102)	Nessus	Mandriva Local Security Checks	medium
43042	Mandriva Linux Security Advisory : apache (MDVSA-2009:323)	Nessus	Mandriva Local Security Checks	high
5227	Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
42434	Mac OS X 10.6.x < 10.6.2 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
42433	Mac OS X Multiple Vulnerabilities (Security Update 2009-006)	Nessus	MacOS X Local Security Checks	critical
40760	FreeBSD : apache22 -- several vulnerabilities (e15f2356-9139-11de-8f42-001aa0166822)	Nessus	FreeBSD Local Security Checks	high
5111	Apache < 2.2.12 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
40459	Slackware 12.0 / 12.1 / 12.2 / current : httpd (SSA:2009-214-01)	Nessus	Slackware Local Security Checks	high
40467	Apache 2.2.x < 2.2.12 Multiple Vulnerabilities	Nessus	Web Servers	high
39775	GLSA-200907-04 : Apache: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
39371	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : apache2 vulnerabilities (USN-787-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2009-1191

high

Tenable Plugins

medium

high

critical

critical

critical

high

medium

high

high

high

high