CERT-In Vulnerability Note CIVN-2008-86
Multiple vulnerabilities in Apache HTTP Server 2.2.x
Original Issue Date:
June 18, 2008
Severity Rating:
Medium
System Affected
- Apache HTTP Server 2.2.x prior to 2.2.9
Overview
A vulnerability in the mod_proxy_balancer module of Apache HTTP Server could allow a remote attacker to carry out Cross-Site Request Forgery (CSRF) attacks against the balancer-manager interface. A second vulnerability in the mod_proxy_http module could be exploited by a malicious origin (backend) server to cause a Denial-of-Service condition on the proxy.
Description
1. Apache HTTP Server mod_proxy_balancer Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2007-6420)
mod_proxy_balancer provides load balancing support for the HTTP, FTP and AJP13 protocols; balancer-manager is its web-based administrative interface, through which an administrator can change balancer and worker settings (for example, disable a worker). Before 2.2.9 the requests that perform these changes carried no anti-forgery token, so a remote attacker who lures an authenticated administrator's browser to a crafted page can have that browser submit configuration changes to balancer-manager on the attacker's behalf, gaining the administrator's privileges over the balancer configuration.
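The following is an added illustration, not code from Apache httpd or from this note, of what the CSRF weakness and its fix look like when reduced to a request handler. The in-memory balancer, the handler functions, and the query parameter names (b, w, dw, nonce) are assumptions of this example, chosen to resemble balancer-manager's query string; nonce stands for the per-balancer token the 2.2.9 fix requires on state-changing requests.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory model of one balancer and its workers.
# These are NOT httpd's real data structures; the nonce is generated
# per balancer and is only visible to an administrator who loads the page.
balancer = {
    "name": "mycluster",
    "nonce": secrets.token_hex(16),
    "workers": {"http://10.0.0.1:8080": "enabled", "http://10.0.0.2:8080": "enabled"},
}


def _parse(query):
    """Flatten a query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def apply_change_unchecked(query):
    """Model of the pre-2.2.9 behaviour: any request naming a worker changes its state.

    Nothing ties the request to a form the administrator actually submitted,
    so a request triggered by a hostile page is indistinguishable from a real one.
    """
    p = _parse(query)
    if p.get("b") != balancer["name"] or p.get("w") not in balancer["workers"]:
        return "ignored"
    if p.get("dw") == "Disable":
        balancer["workers"][p["w"]] = "disabled"
    elif p.get("dw") == "Enable":
        balancer["workers"][p["w"]] = "enabled"
    return "applied"


def apply_change_checked(query):
    """Model of the fixed behaviour: the request must carry the balancer's nonce.

    Constant-time comparison avoids leaking the nonce byte by byte through timing.
    """
    p = _parse(query)
    supplied = p.get("nonce", "").encode()
    if not hmac.compare_digest(supplied, balancer["nonce"].encode()):
        return "rejected: bad or missing nonce"
    return apply_change_unchecked(query)


def admin_form_url(worker):
    """Query string a legitimate admin's browser submits: the form embeds the nonce."""
    return f"b={balancer['name']}&w={worker}&nonce={balancer['nonce']}&dw=Disable"


def csrf_url(worker):
    """Query string an attacker can place in <img src=...> on a hostile page.

    The attacker knows the balancer and worker names (they are guessable or
    visible elsewhere) but has no way to learn the nonce.
    """
    return f"b={balancer['name']}&w={worker}&dw=Disable"
```

The nonce defends only against forged requests; it does not replace access control. Even on a fixed server, balancer-manager should be enabled only where needed and restricted to authenticated administrators from trusted addresses.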
2. Apache HTTP Server mod_proxy_http Interim Response Denial-of-Service Vulnerability (CVE-2008-2364)
The issue is caused by an error in the "ap_proxy_http_process_response()" function of the mod_proxy_http module when forwarding interim (1xx) responses, such as the "100 Continue" responses sent in reply to requests carrying an "Expect: 100-continue" header. The function does not limit the number of interim responses it accepts from the origin server before the final response arrives. A malicious or compromised backend server, or any server a client can make the proxy connect to, can therefore send a large number of interim responses, each of which the proxy processes and forwards to the client, resulting in high memory consumption on the proxy.
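The following is an added model, not httpd's code, of the proxy-side loop that reads responses from the origin server, written to show why an unbounded number of interim responses is a resource problem and what a cap does about it. The parsing helper, the hostile origin stream, and the value of MAX_INTERIM_RESPONSES are assumptions of this example; the real fix applies a limit of its own inside mod_proxy_http.

```python
# Cap used by this example (an assumption, not httpd's constant).
MAX_INTERIM_RESPONSES = 10


class TooManyInterimResponses(Exception):
    """Raised when the origin server exceeds the interim-response cap."""


def _next_response(buf, pos):
    """Return (status_code, header_block, position_after_headers) for the
    response whose status line starts at buf[pos]."""
    end = buf.find(b"\r\n\r\n", pos)
    if end < 0:
        raise ValueError("truncated response from origin")
    head = buf[pos:end]
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line from origin")
    return int(parts[1]), head, end + 4


def process_response(buf, limit=None):
    """Walk interim (1xx) responses until the final response, as a proxy must.

    Each interim header block is retained (and, in a real proxy, forwarded),
    so with limit=None the memory held grows with whatever the origin sends:
    the unbounded behaviour. With a limit, the loop aborts once the origin
    has sent more interim responses than allowed, before the buffers pile up.
    """
    pos = 0
    held = []
    while True:
        code, head, pos = _next_response(buf, pos)
        if not 100 <= code < 200:
            # Final response reached; report what the interim phase cost us.
            return {
                "status": code,
                "interim": len(held),
                "bytes_held": sum(len(h) for h in held),
            }
        held.append(head)
        if limit is not None and len(held) > limit:
            raise TooManyInterimResponses(
                f"{len(held)} interim responses from origin server, limit is {limit}"
            )


def hostile_origin_stream(n):
    """Constructed backend response: n interim '100 Continue' responses followed
    by an ordinary final 200 response. This is sample data for the example."""
    return (
        b"HTTP/1.1 100 Continue\r\n\r\n" * n
        + b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    )
```

A proxy that reaches the cap should log the origin server and return an error to the client rather than keep reading; the memory cost is bounded by the cap times the size of one header block, instead of by the attacker's patience.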
Solution
Update to Apache HTTP Server 2.2.9.
Apache HTTP Server 2.2.9 is available at
Apache Software Foundation httpd-2.2.9-win32-src.zip
http://apache.sunsite.ualberta.ca/httpd/httpd-2.2.9-win32-src.zip
Apache Software Foundation httpd-2.2.9.tar.gz
http://apache.sunsite.ualberta.ca/httpd/httpd-2.2.9.tar.gz
Vendor Information
Apache Software Foundation
http://httpd.apache.org/security/vulnerabilities_22.html
References
Secunia
http://secunia.com/advisories/30621
XForce
http://xforce.iss.net/xforce/xfdb/42987
SecurityFocus
http://www.securityfocus.com/archive/1/archive/1/486169/100/0/threaded
http://www.securityfocus.com/bid/29653
SecurityReason
http://securityreason.com/securityalert/3523
CVE Name
CVE-2007-6420
CVE-2008-2364
CWE Name
CWE-352
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003