The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path.

The remote NewStart CGSL host, running version MAIN 4.05, has httpd packages installed that are affected by multiple vulnerabilities:

  - Off-by-one error in the mod_ssl Certificate Revocation     List (CRL) verification callback in Apache, when     configured to use a CRL, allows remote attackers to     cause a denial of service (child process crash) via a     CRL that causes a buffer overflow of one null byte.
    (CVE-2005-1268)

  - The Apache HTTP server before 1.3.34, and 2.0.x before     2.0.55, when acting as an HTTP proxy, allows remote     attackers to poison the web cache, bypass web     application firewall protection, and conduct XSS attacks     via an HTTP request with both a Transfer-Encoding:
    chunked header and a Content-Length header, which     causes Apache to incorrectly handle and forward the body     of the request in a way that causes the receiving server     to process it as a separate HTTP request, aka HTTP     Request Smuggling. (CVE-2005-2088)

  - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using     SSLVerifyClient optional in the global virtual host     configuration, does not properly enforce     SSLVerifyClient require in a per-location context,     which allows remote attackers to bypass intended access     restrictions. (CVE-2005-2700)

  - The byte-range filter in Apache 2.0 before 2.0.54 allows     remote attackers to cause a denial of service (memory     consumption) via an HTTP header with a large Range     field. (CVE-2005-2728)

  - Cross-site scripting (XSS) vulnerability in the mod_imap     module of Apache httpd before 1.3.35-dev and Apache     httpd 2.0.x before 2.0.56-dev allows remote attackers to     inject arbitrary web script or HTML via the Referer when     using image maps. (CVE-2005-3352)

  - mod_ssl in Apache 2.0 up to 2.0.55, when configured with     an SSL vhost with access control and a custom error 400     error page, allows remote attackers to cause a denial of     service (application crash) via a non-SSL request to an     SSL port, which triggers a NULL pointer dereference.
    (CVE-2005-3357)

  - The TLS protocol, and the SSL protocol 3.0 and possibly     earlier, as used in Microsoft Internet Information     Services (IIS) 7.0, mod_ssl in the Apache HTTP Server     2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5     and earlier, Mozilla Network Security Services (NSS)     3.12.4 and earlier, multiple Cisco products, and other     products, does not properly associate renegotiation     handshakes with an existing connection, which allows     man-in-the-middle attackers to insert data into HTTPS     sessions, and possibly other types of sessions protected     by TLS or SSL, by sending an unauthenticated request     that is processed retroactively by a server in a post-     renegotiation context, related to a plaintext     injection attack, aka the Project Mogul issue.
    (CVE-2009-3555)

  - The (1) mod_cache and (2) mod_dav modules in the Apache     HTTP Server 2.2.x before 2.2.16 allow remote attackers     to cause a denial of service (process crash) via a     request that lacks a path. (CVE-2010-1452)

  - fs/ext4/extents.c in the Linux kernel before 3.0 does     not mark a modified extent as dirty in certain cases of     extent splitting, which allows local users to cause a     denial of service (system crash) via vectors involving     ext4 umount and mount operations. (CVE-2011-3638)

  - It was discovered that the HTTP parser in httpd     incorrectly allowed certain characters not permitted by     the HTTP protocol specification to appear unencoded in     HTTP request headers. If httpd was used in conjunction     with a proxy or backend server that interpreted those     characters differently, a remote attacker could possibly     use this flaw to inject data into HTTP responses,     resulting in proxy cache poisoning. (CVE-2016-8743)

  - It was discovered that the use of httpd's     ap_get_basic_auth_pw() API function outside of the     authentication phase could lead to authentication     bypass. A remote attacker could possibly use this flaw     to bypass required authentication if the API was used     incorrectly by one of the modules used by httpd.
    (CVE-2017-3167)

  - A NULL pointer dereference flaw was found in the httpd's     mod_ssl module. A remote attacker could use this flaw to     cause an httpd child process to crash if another module     used by httpd called a certain API function during the     processing of an HTTPS request. (CVE-2017-3169)

  - A buffer over-read flaw was found in the httpd's     ap_find_token() function. A remote attacker could use     this flaw to cause httpd child process to crash via a     specially crafted HTTP request. (CVE-2017-7668)

  - A buffer over-read flaw was found in the httpd's     mod_mime module. A user permitted to modify httpd's MIME     configuration could use this flaw to cause httpd child     process to crash. (CVE-2017-7679)

  - It was discovered that the httpd's mod_auth_digest     module did not properly initialize memory before using     it when processing certain headers related to digest     authentication. A remote attacker could possibly use     this flaw to disclose potentially sensitive information     or cause httpd child process to crash by sending     specially crafted requests to a server. (CVE-2017-9788)

  - A use-after-free flaw was found in the way httpd handled     invalid and previously unregistered HTTP methods     specified in the Limit directive used in an .htaccess     file. A remote attacker could possibly use this flaw to     disclose portions of the server memory, or cause httpd     child process to crash. (CVE-2017-9798)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2010:0659 :

Updated httpd packages that fix two security issues and multiple bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

A flaw was discovered in the way the mod_proxy module of the Apache HTTP Server handled the timeouts of requests forwarded by a reverse proxy to the back-end server. If the proxy was configured to reuse existing back-end connections, it could return a response intended for another user under certain timeout conditions, possibly leading to information disclosure. (CVE-2010-2791)

A flaw was found in the way the mod_dav module of the Apache HTTP Server handled certain requests. If a remote attacker were to send a carefully crafted request to the server, it could cause the httpd child process to crash. (CVE-2010-1452)

This update also fixes the following bugs :

* numerous issues in the INFLATE filter provided by mod_deflate.
'Inflate error -5 on flush' errors may have been logged. This update upgrades mod_deflate to the newer upstream version from Apache HTTP Server 2.2.15. (BZ#625435)

* the response would be corrupted if mod_filter applied the DEFLATE filter to a resource requiring a subrequest with an internal redirect.
(BZ#625451)

* the OID() function used in the mod_ssl 'SSLRequire' directive did not correctly evaluate extensions of an unknown type. (BZ#625452)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Updated httpd packages that fix two security issues and multiple bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

A flaw was discovered in the way the mod_proxy module of the Apache HTTP Server handled the timeouts of requests forwarded by a reverse proxy to the back-end server. If the proxy was configured to reuse existing back-end connections, it could return a response intended for another user under certain timeout conditions, possibly leading to information disclosure. (CVE-2010-2791)

A flaw was found in the way the mod_dav module of the Apache HTTP Server handled certain requests. If a remote attacker were to send a carefully crafted request to the server, it could cause the httpd child process to crash. (CVE-2010-1452)

This update also fixes the following bugs :

* numerous issues in the INFLATE filter provided by mod_deflate.
'Inflate error -5 on flush' errors may have been logged. This update upgrades mod_deflate to the newer upstream version from Apache HTTP Server 2.2.15. (BZ#625435)

* the response would be corrupted if mod_filter applied the DEFLATE filter to a resource requiring a subrequest with an internal redirect.
(BZ#625451)

* the OID() function used in the mod_ssl 'SSLRequire' directive did not correctly evaluate extensions of an unknown type. (BZ#625452)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

A flaw was discovered in the way the mod_proxy module of the Apache HTTP Server handled the timeouts of requests forwarded by a reverse proxy to the back-end server. If the proxy was configured to reuse existing back-end connections, it could return a response intended for another user under certain timeout conditions, possibly leading to information disclosure. (CVE-2010-2791)

A flaw was found in the way the mod_dav module of the Apache HTTP Server handled certain requests. If a remote attacker were to send a carefully crafted request to the server, it could cause the httpd child process to crash. (CVE-2010-1452)

This update also fixes the following bugs :

  - numerous issues in the INFLATE filter provided by     mod_deflate. 'Inflate error -5 on flush' errors may have     been logged. This update upgrades mod_deflate to the     newer upstream version from Apache HTTP Server 2.2.15.
    (BZ#625435)

  - the response would be corrupted if mod_filter applied     the DEFLATE filter to a resource requiring a subrequest     with an internal redirect. (BZ#625451)

  - the OID() function used in the mod_ssl 'SSLRequire'     directive did not correctly evaluate extensions of an     unknown type. (BZ#625452)

After installing the updatedpackages, the httpd daemon must be restarted for the update to take effect.

The remote host is affected by the vulnerability described in GLSA-201206-25 (Apache HTTP Server: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache HTTP Server.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker might obtain sensitive information, gain privileges,       send requests to unintended servers behind proxies, bypass certain       security restrictions, obtain the values of HTTPOnly cookies, or cause a       Denial of Service in various ways.
    A local attacker could gain escalated privileges.
  Workaround :

    There is no known workaround at this time.

According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.0.  As such, it is reportedly affected by the following vulnerabilities :

 - An error exists in the 'generate-id' function in the    bundled libxslt library that can allow disclosure of    heap memory addresses. (CVE-2011-0195)

 - An unspecified input validation error exists and can    allow cross-site request forgery attacks. (CVE-2011-3846)

 - Unspecified errors can allow attackers to carry out    denial of service attacks via unspecified vectors.
   (CVE-2012-0135, CVE-2012-1993)

 - The bundled version of PHP contains multiple    vulnerabilities. (CVE-2010-3436, CVE-2010-4409,    CVE-2010-4645, CVE-2011-1148, CVE-2011-1153,    CVE-2011-1464, CVE-2011-1467, CVE-2011-1468,    CVE-2011-1470, CVE-2011-1471, CVE-2011-1938,    CVE-2011-2202, CVE-2011-2483, CVE-2011-3182,    CVE-2011-3189, CVE-2011-3267, CVE-2011-3268)

 - The bundled version of Apache contains multiple    vulnerabilities. (CVE-2010-1452, CVE-2010-1623,    CVE-2010-2068,  CVE-2010-2791, CVE-2011-0419,    CVE-2011-1928, CVE-2011-3192, CVE-2011-3348,    CVE-2011-3368, CVE-2011-3639)

 - OpenSSL libraries are contained in several of the    bundled components and contain multiple vulnerabilities.
   (CVE-2011-0014, CVE-2011-1468, CVE-2011-1945,    CVE-2011-3207,CVE-2011-3210)

 - Curl libraries are contained in several of the bundled    components and contain multiple vulnerabilities.
   (CVE-2009-0037, CVE-2010-0734, CVE-2011-2192)

This update fixes a remote denial of service bug (memory exhaustion) in the Apache 2 HTTP server, that could be triggered by remote attackers using multiple overlapping Request Ranges. (CVE-2011-3192)

It also fixes a issue in mod_dav, where the (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x allowed remote attackers to cause a denial of service (process crash) via a request that lacks a path. (CVE-2010-1452)

Also following bugs were fixed :

  - recommend the default MPM (prefork) via Recommends: in     .spec

  - apache not sending error 304 if mod_deflate is enabled.

  - take LimitRequestFieldsize config option into account     when parsing headers from backend.

Two issues have been found in the Apache HTTPD web server :

  - CVE-2011-3192     A vulnerability has been found in the way the multiple     overlapping ranges are handled by the Apache HTTPD     server. This vulnerability allows an attacker to cause     Apache HTTPD to use an excessive amount of memory,     causing a denial of service.

  - CVE-2010-1452     A vulnerability has been found in mod_dav that allows an     attacker to cause a daemon crash, causing a denial of     service. This issue only affects the Debian 5.0     oldstable/lenny distribution.

The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.7.

Mac OS X 10.6.7 contains security fixes for the following products :

  - AirPort
  - Apache
  - AppleScript
  - ATS
  - bzip2
  - CarbonCore
  - ClamAV
  - CoreText
  - File Quarantine
  - HFS
  - ImageIO
  - Image RAW
  - Installer
  - Kerberos
  - Kernel
  - Libinfo
  - libxml
  - Mailman
  - PHP
  - QuickLook
  - QuickTime
  - Ruby
  - Samba
  - Subversion
  - Terminal
  - X11

The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2011-001 applied. 

This security update contains fixes for the following products :

  - Apache
  - bzip2
  - ClamAV
  - ImageIO
  - Kerberos
  - Libinfo
  - libxml
  - Mailman
  - PHP
  - QuickLook
  - Ruby
  - X11

Versions of Mac OS X 10.6 earlier than 10.6.7 are potentially affected by a security issue.  Mac OS X 10.6.7 contains a security fix for the following products :

  - Airport

  - Apache

  - AppleScript

  - ATS

  - bzip2

  - CarbonCore

  - ClamAV

  - CoreText

  - HFS

  - ImageIO

  - Image RAW

  - Installer

  - Kerberos

  - Kernel

  - Libinfo

  - libxml

  - Mailman

  - PHP

  - QuickLook

  - QuickTime

  - Ruby

  - Samba

  - Subversion

  - Terminal

  - X11
IAVB Reference : 2010-B-0083
STIG Finding Severity : Category II

Versions of Mac OS X 10.6 earlier than 10.6.7 are potentially affected by a security issue.  Mac OS X 10.6.7 contains a security fix for the following products :

  - Airport

  - Apache

  - AppleScript

  - ATS

  - bzip2

  - CarbonCore

  - ClamAV

  - CoreText

  - HFS

  - ImageIO

  - Image RAW

  - Installer

  - Kerberos

  - Kernel

  - Libinfo

  - libxml

  - Mailman

  - PHP

  - QuickLook

  - QuickTime

  - Ruby

  - Samba

  - Subversion

  - Terminal

  - X11

It was discovered that Apache's mod_cache and mod_dav modules incorrectly handled requests that lacked a path. A remote attacker could exploit this with a crafted request and cause a denial of service. This issue affected Ubuntu 6.06 LTS, 8.04 LTS, 9.10 and 10.04 LTS. (CVE-2010-1452)

It was discovered that Apache did not properly handle memory when destroying APR buckets. A remote attacker could exploit this with crafted requests and cause a denial of service via memory exhaustion.
This issue affected Ubuntu 6.06 LTS and 10.10. (CVE-2010-1623).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Apache 2.0.x running on the remote host is prior to 2.0.64. It is, therefore, affected by the following vulnerabilities :

  - An unspecified error exists in the handling of requests     without a path segment. (CVE-2010-1452)

  - Several modules, including 'mod_deflate', are     vulnerable to a denial of service attack as the     server can be forced to utilize CPU time compressing     a large file after client disconnect. (CVE-2009-1891)

  - An unspecified error exists in 'mod_proxy' related to     filtration of authentication credentials.     (CVE-2009-3095)  
  - A NULL pointer dereference issue exists in     'mod_proxy_ftp' in some error handling paths.
    (CVE-2009-3094)

  - An error exists in 'mod_ssl' making the server     vulnerable to the TLC renegotiation prefix injection     attack. (CVE-2009-3555)

  - An error exists in the handling of subrequests such     that the parent request headers may be corrupted.
    (CVE-2010-0434)

  - An error exists in 'mod_proxy_http' when handling excessive     interim responses making it vulnerable to a denial of     service attack. (CVE-2008-2364)

  - An error exists in 'mod_isapi' that allows the module     to be unloaded too early, which leaves orphaned callback     pointers. (CVE-2010-0425)

  - An error exists in 'mod_proxy_ftp' when wildcards are     in an FTP URL, which allows for cross-site scripting     attacks. (CVE-2008-2939)

Note that the remote web server may not actually be affected by these vulnerabilities.  Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.

New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue.

Multiple vulnerabilities has been found and corrected in apache :

The mod_cache and mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path (CVE-2010-1452).

mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE:
this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions (CVE-2010-2791).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90

The updated packages have been patched to correct these issues.

A vulnerability has been found and corrected in apache :

The mod_cache and mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path (CVE-2010-1452).

Packages for 2008.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90

The updated packages have been patched to correct this issue.

This update contains the latest stable release of the Apache HTTP Server. One security fix is included: CVE-2010-1452: mod_dav, mod_cache: Fix Handling of requests without a path segment. Several bugs are also fixed: http://www.apache.org/dist/httpd/CHANGES_2.2.16

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.16. It is, therefore, potentially affected by multiple vulnerabilities :

  - A denial of service vulnerability in mod_cache and     mod_dav. (CVE-2010-1452)   
  - An information disclosure vulnerability in mod_proxy_ajp,     mod_reqtimeout, and mod_proxy_http relating to timeout     conditions. Note that this issue only affects Apache on     Windows, Netware, and OS/2. (CVE-2010-2068)

Note that the remote web server may not actually be affected by these vulnerabilities.  Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.

Versions of Apache 2.2 earlier than 2.2.16 are potentially affected by multiple vulnerabilities :

  - A denial-of-service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)

  - An information disclosure vulnerability in mod_proxy_http relating to timeout conditions. (CVE-2010-2068)

Apache ChangeLog reports :

mod_dav, mod_cache: Fix Handling of requests without a path segment.

ID	Name	Product	Family	Severity
127360	NewStart CGSL MAIN 4.05 : httpd Multiple Vulnerabilities (NS-SA-2019-0118)	Nessus	NewStart CGSL Local Security Checks	critical
68091	Oracle Linux 5 : httpd (ELSA-2010-0659)	Nessus	Oracle Linux Local Security Checks	medium
67078	CentOS 5 : httpd (CESA-2010:0659)	Nessus	CentOS Local Security Checks	medium
60847	Scientific Linux Security Update : httpd on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
59678	GLSA-201206-25 : Apache HTTP Server: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
58811	HP System Management Homepage < 7.0 Multiple Vulnerabilities	Nessus	Web Servers	critical
57088	SuSE 11.1 Security Update : Apache (SAT Patch Number 5090)	Nessus	SuSE Local Security Checks	high
55998	Debian DSA-2298-2 : apache2 - denial of service	Nessus	Debian Local Security Checks	high
52754	Mac OS X 10.6.x < 10.6.7 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
52753	Mac OS X Multiple Vulnerabilities (Security Update 2011-001)	Nessus	MacOS X Local Security Checks	high
800796	Mac OS X 10.6 < 10.6.7 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high
5826	Mac OS X 10.6 < 10.6.7 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
50823	Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : apache2 vulnerabilities (USN-1021-1)	Nessus	Ubuntu Local Security Checks	medium
50069	Apache 2.0.x < 2.0.64 Multiple Vulnerabilities	Nessus	Web Servers	high
48934	RHEL 5 : httpd (RHSA-2010:0659)	Nessus	Red Hat Local Security Checks	medium
48920	Slackware 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : httpd (SSA:2010-240-02)	Nessus	Slackware Local Security Checks	medium
48347	Mandriva Linux Security Advisory : apache (MDVSA-2010:153)	Nessus	Mandriva Local Security Checks	medium
48346	Mandriva Linux Security Advisory : apache (MDVSA-2010:152)	Nessus	Mandriva Local Security Checks	medium
48327	Fedora 13 : httpd-2.2.16-1.fc13 (2010-12478)	Nessus	Fedora Local Security Checks	medium
48205	Apache 2.2.x < 2.2.16 Multiple Vulnerabilities	Nessus	Web Servers	medium
800573	Apache 2.2 < 2.2.16 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
5615	Apache 2.2 < 2.2.16 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
47818	FreeBSD : apache -- Remote DoS bug in mod_cache and mod_dav (28a7310f-9855-11df-8d36-001aa0166822)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2010-1452

high

Tenable Plugins

critical

medium

medium

medium

high

critical

high

high

high

high

high

critical

medium

high

medium

medium

medium

medium

medium

medium

high

medium

medium