This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.
The remote web server is affected by multiple vulnerabilities.
According to its banner, the version of Apache 2.2.x running on the
remote host is prior to 2.2.28. It is, therefore, affected by the
following vulnerabilities :
- A flaw exists within the 'mod_headers' module that
allows a remote attacker to inject arbitrary headers.
This is done by placing a header in the trailer portion
of data being sent using chunked transfer encoding.
- A flaw exists within the 'mod_deflate' module when
handling highly compressed bodies. Using a specially
crafted request, a remote attacker can exploit this to
cause a denial of service by exhausting memory and CPU
- The 'mod_status' module contains a race condition that
can be triggered when handling the scoreboard. A remote
attacker can exploit this to cause a denial of service,
execute arbitrary code, or obtain sensitive credential
- The 'mod_cgid' module lacks a timeout mechanism. Using
a specially crafted request, a remote attacker can use
this flaw to cause a denial of service by causing child
processes to linger indefinitely, eventually filling up
the scoreboard. (CVE-2014-0231)
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
Upgrade to Apache version 2.2.29 or later.
Note that version 2.2.28 was never officially released.
Risk factor :
High / CVSS Base Score : 7.5
CVSS Temporal Score : 5.9
Public Exploit Available : true