CERT-In Vulnerability Note CIVN-2009-66
Apache "Options" and "AllowOverride" Security Bypass Vulnerability

Original Issue Date: June 01, 2009

Severity Rating: Medium

System Affected

  • Apache versions 2.2.x through 2.2.11

Overview

The vulnerability is due to an error when processing "AllowOverride" directives and certain "Options" arguments in ".htaccess" files, which can be exploited to execute commands via Server Side Includes.

Description

The vulnerability is due to an error when processing "AllowOverride" directives and certain "Options" arguments in ".htaccess" files, which can be exploited to execute commands via Server Side Includes.
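
An audit helper for the issue described above, added here as an example and not part of the CERT-In note or the Apache patch: it lists ".htaccess" files whose "Options" lines enable Server Side Includes, so they can be reviewed on hosts running an affected 2.2.x release. The function names, the sample content and the default ".htaccess" file name are assumptions.

```python
import os

# Options arguments that turn on Server Side Includes processing.
SSI_OPTIONS = {"includes", "includesnoexec"}

def ssi_options_in(text):
    """Return (line_no, directive) for each Options line that enables SSI."""
    findings = []
    logical, start = "", None  # buffer for backslash-continued lines
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            logical += raw.rstrip()[:-1] + " "
            continue
        line, line_no = (logical + raw).strip(), start
        logical, start = "", None
        words = line.split()
        if not words or line.startswith("#") or words[0].lower() != "options":
            continue
        # "-Includes" removes the option; the bare and "+" forms add it.
        if any(not a.startswith("-") and a.lstrip("+").lower() in SSI_OPTIONS
               for a in words[1:]):
            findings.append((line_no, line))
    return findings

def audit_tree(root):
    """Walk root and map each .htaccess path to its SSI-enabling lines."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = ssi_options_in(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample .htaccess content, not taken from a real site.
SAMPLE = """# per-directory overrides
Options +Includes
Options -Includes +Indexes
options IncludesNOEXEC \\
        FollowSymLinks
"""

if __name__ == "__main__":
    for line_no, directive in ssi_options_in(SAMPLE):
        print(f"line {line_no}: {directive}")
```

Run audit_tree() against each document root; every reported file is a per-directory override to review alongside the server's "AllowOverride" settings.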

Solution

Apply the patch referenced in the Apache SVN repository:
http://svn.apache.org/viewvc?view=rev&revision=772997

Vendor Information

apache.org
http://svn.apache.org/viewvc?view=rev&revision=772997

References

apache.org
http://svn.apache.org/viewvc?view=rev&revision=772997

bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=489436

VUPEN Security
http://www.vupen.com/english/advisories/2009/1444

SecurityFocus
http://www.securityfocus.com/bid/35115/

Secunia
http://secunia.com/advisories/35261/

SecurityTracker
http://www.securitytracker.com/alerts/2009/May/1022296.html

CVE Name
CVE-2009-1195

CWE Name
CWE-16

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003