Message-ID: <Pine.LNX.4.44.0208092206342.7834-100000@dell1.moose.awe.com>
From: mjc at apache.org (Mark J Cox)
Subject: Apache 2.0 vulnerability affects non-Unix platforms

-----BEGIN PGP SIGNED MESSAGE-----

For Immediate Disclosure

=============== SUMMARY ================

        Title: Apache 2.0 vulnerability affects non-Unix platforms
         Date: 9th August 2002
     Revision: 2
 Product Name: Apache HTTP server 2.0
  OS/Platform: Windows, OS/2, NetWare
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020809a.txt
  Vendor Name: Apache Software Foundation
   Vendor URL: http://httpd.apache.org/
      Affects: All Released versions of 2.0 through 2.0.39
     Fixed in: 2.0.40
  Identifiers: CAN-2002-0661

=============== DESCRIPTION ================

Apache is a powerful, full-featured, efficient, and freely-available Web
server.  On the 7th August 2002, the Apache Software Foundation was
notified of the discovery of a significant vulnerability, identified by
Auriemma Luigi <bugtest@...overde.com>.

This vulnerability has the potential to allow an attacker to inflict
serious damage to a server, and reveal sensitive data.  This vulnerability
affects default installations of the Apache web server.

Unix and Unix-like platforms appear unaffected.  Cygwin users are
likely to be affected.

=============== SOLUTION ================

A simple one-line workaround in the httpd.conf file closes the
vulnerability.  Prior to the first 'Alias' or 'Redirect' directive, add
the following directive to the global server configuration:

   RedirectMatch 400 "\\\.\."
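As an added check that is not part of the advisory and not Apache project
code: the Python script below locates the workaround directive in a
constructed httpd.conf fragment and reports whether it precedes the first
Alias or Redirect directive, and it applies the directive's regular
expression to sample request paths to show that the pattern matches only a
literal backslash followed by two dots (a forward-slash "/../" sequence
is left alone).  It assumes Python's re module treats this pattern the
same way Apache's PCRE does, and it does not model URL decoding or
httpd.conf quote processing; the configuration fragments and paths are
constructed for the example.

```python
import re

# The workaround exactly as the advisory prints it for httpd.conf.
WORKAROUND_LINE = r'RedirectMatch 400 "\\\.\."'

# The same pattern as a regular expression: a literal backslash followed
# by two literal dots.  Python's re agrees with PCRE for this pattern
# (assumption: httpd.conf quote processing is not modelled here).
WORKAROUND_PATTERN = re.compile(r'\\\.\.')

# mod_alias directives that the advisory says the workaround must precede
# (Apache directive names are case-insensitive).
ALIAS_OR_REDIRECT = re.compile(
    r'^(Alias|AliasMatch|ScriptAlias|ScriptAliasMatch|'
    r'Redirect|RedirectMatch|RedirectPermanent|RedirectTemp)\b',
    re.IGNORECASE,
)


def is_workaround(line):
    """True if a stripped httpd.conf line is the advisory's workaround."""
    tokens = line.split()
    return (len(tokens) >= 3
            and tokens[0].lower() == 'redirectmatch'
            and tokens[1] == '400'
            and tokens[2].strip('"') == r'\\\.\.')


def check_conf(conf_text):
    """Locate the workaround and the first Alias/Redirect directive.

    Returns a dict with 1-based line numbers (0 = not found) and an 'ok'
    flag that is True only when the workaround is present and comes before
    every Alias/Redirect directive in the file.
    """
    workaround_at = 0
    first_alias_at = 0
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank line or comment
        if is_workaround(line):
            if workaround_at == 0:
                workaround_at = number
            continue
        if first_alias_at == 0 and ALIAS_OR_REDIRECT.match(line):
            first_alias_at = number
    ok = workaround_at != 0 and (first_alias_at == 0
                                 or workaround_at < first_alias_at)
    return {'workaround_line': workaround_at,
            'first_alias_line': first_alias_at,
            'ok': ok}


def blocked_by_workaround(uri_path):
    """True if the workaround regex matches a request URL-path.

    Assumption: the path is given already decoded, as mod_alias sees it;
    URL decoding is not modelled here.
    """
    return WORKAROUND_PATTERN.search(uri_path) is not None


# Constructed httpd.conf fragments (not from the advisory or any real server).
BAD_CONF = r"""# workaround appended after the Alias directives: wrong position
ServerRoot "C:/Apache2"
Alias /icons/ "C:/Apache2/icons/"
ScriptAlias /cgi-bin/ "C:/Apache2/cgi-bin/"
RedirectMatch 400 "\\\.\."
"""

GOOD_CONF = r"""# workaround placed in the global server config, before any Alias
ServerRoot "C:/Apache2"
RedirectMatch 400 "\\\.\."
Alias /icons/ "C:/Apache2/icons/"
ScriptAlias /cgi-bin/ "C:/Apache2/cgi-bin/"
"""

if __name__ == '__main__':
    for name, conf in (('BAD_CONF', BAD_CONF), ('GOOD_CONF', GOOD_CONF)):
        print(name, check_conf(conf))
    for path in ('/a\\..\\b', '/a/../b', '/a/b.txt'):
        print(repr(path), 'blocked' if blocked_by_workaround(path) else 'passes')
```

Running the script reports BAD_CONF as not ok (workaround on line 5,
first Alias on line 3) and GOOD_CONF as ok (workaround on line 3, first
Alias on line 4); of the sample paths only the backslash form is blocked.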

Fixes for this vulnerability are also included in Apache HTTP server
version 2.0.40.  The 2.0.40 release also contains fixes for two minor
path-revealing exposures.  This release of Apache is available at
http://www.apache.org/dist/httpd/

More information will be made available by the Apache Software
Foundation and Auriemma Luigi <bugtest@...overde.com> in the
coming weeks.

=============== REFERENCES ================

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0661 to this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBPVQvLO6tTP1JpWPZAQEYwgQAqdRDauIcFcBpjwWqLuqPhyHthtOk8Vms
WSKd5Q4wS8tCX4c1wUskKVyGGVEqACkzqd0Gm3W1I34Q7iJlwBYosVl/00d0IlGY
tNj+XFB2R2ORT35H0oVjf+La99V1KPmed0+2HzxM6KbSeLWh/H1tRpMHtC0Q9EBK
GAs3seQmHRI=
=MfPR
-----END PGP SIGNATURE-----
