Apache-SSL ExpandCert() Function Certificate Handling Arbitrary Environment Variables Manipulation
High Nessus Plugin ID 31738
SynopsisThe remote web server is prone to a memory disclosure / privilege escalation attack.
DescriptionAccording to its banner, the version of Apache-SSL running on the remote host is older than apache_1.3.41+ssl_1.59. Such versions fail to properly sanitize certificate data before using it to populate environment variables. By sending a client certificate with special characters for the subject, a remote attacker can overwrite certain environment variables used by the web server, resulting in memory disclosure or potential privilege escalation in a web application.
SolutionUpgrade to apache_1.3.41+ssl_1.59 or later.