| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030709171001.DEE8.SNSADV@lac.co.jp> Date: Wed, 09 Jul 2003 17:16:14 +0900 From: "Secure Net Service(SNS) Security Advisory" <snsadv@....co.jp> To: bugtraq@...urityfocus.com Subject: [SNS Advisory No.66] Apache HTTP Server v2 Causes a DoS When Parsing a Type-Map File ---------------------------------------------------------------------- SNS Advisory No.66 Apache HTTP Server v2 Causes a DoS When Parsing a Type-Map File Problem first discovered on: Thu, 26 Dec 2002 Published on: Wed, 09 Jul 2003 Reference: http://www.lac.co.jp/security/english/snsadv_e/66_e.html ---------------------------------------------------------------------- Overview: --------- Apache versions prior to 2.0.47 contain a locally exploitable DoS condition. Problem Description: -------------------- Apache HTTP Server v2 supports a content negotiation functionality, which can provide the best resources based on the browser-supplied preferences for media type, languages, character set and encoding. The type-map file is one of the methods used for resources negotiation. A local attacker can trigger an infinite loop and deplete the system's resources by causing the Apache HTTP Server to parse a malicious type-map file. Consequently, local exploitation can result in a denial of service condition. Tested Versions: ---------------- Apache 2.0.43 Apache 2.0.44 Apache 2.0.45 Apache 2.0.46 対策: ----- This vulnerability can be eliminated by upgrading to Apache 2.0.47. The Apache HTTP Server Project: http://httpd.apache.org/ Discovered by: -------------- Keigo Yamazaki Acknowledgements: ----------------- Thanks to: Apache Software Foundation http://www.apache.org/ CERT Coordination Center http://www.cert.org/ JPCERT Coordination Center http://www.jpcert.or.jp/ Disclaimer: ----------- The information contained in this advisory may be revised without prior notice and is provided as it is. Users shall take their own risk when taking any actions following reading this advisory. LAC Co., Ltd. shall take no responsibility for any problems, loss or damage caused by, or by the use of information provided here. This advisory can be found at the following URL: http://www.lac.co.jp/security/english/snsadv_e/66_e.html ------------------------------------------------------------------ Secure Net Service(SNS) Security Advisory <snsadv@....co.jp> Computer Security Laboratory, LAC http://www.lac.co.jp/security/
Powered by blists - more mailing lists