Forum Thread: Apache Information Disclosure and Denial of Service Vulnerabilities


Secunia Apache Information Disclosure and Denial of Service Vulnerabilities
Secunia Official 30th Jul, 2010 17:22
A security issue and some vulnerabilities have been reported in Apache httpd, which can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service).

1) The security issue is caused due to mod_proxy_http not properly handling certain timeout conditions, which can lead to responses being returned to the wrong users.

Note: This only affects configurations using proxy worker pools on Windows, Netware, and OS2 systems.

2) A vulnerability is caused due to an error within mod_cache when handling requests without a path segment, which can be exploited to cause a crash by sending specially crafted requests.

Note: Successful exploitation requires that the "CacheIgnoreURLSessionIdentifiers" configuration directive and the worker MPM are used.

3) A vulnerability is caused due to an error within mod_dav when handling requests without a path segment, which can be exploited to cause a crash by sending specially crafted requests.

Note: Successful exploitation requires that the worker MPM is used.
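
An exposure check built from the three preconditions listed in the advisory above. This is an added example, not part of the Secunia post or of Apache httpd; the function names and the sample configuration are constructed, the MPM and platform are supplied by the caller, and treating any ProxyPass or BalancerMember line as a proxy worker is a simplifying assumption.

```python
# Added example: maps the advisory's stated preconditions onto a config check.
# Simplifications (assumptions): Include files and <IfModule> nesting are not
# resolved, and any ProxyPass/BalancerMember line counts as a proxy worker.

SAMPLE_CONF = """\
# constructed sample, not from a real server
CacheEnable disk /
CacheIgnoreURLSessionIdentifiers jsessionid
<Location /dav>
    Dav On
</Location>
ProxyPass /app http://127.0.0.1:8080/
"""

def active_directives(conf_text):
    """Return (name, args) pairs for directive lines, skipping comments and section tags."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        # Apache directive names are case-insensitive, so compare in lower case.
        found.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return found

def triage(conf_text, mpm, platform):
    """Return the advisory item numbers (1-3) whose preconditions this setup meets."""
    directives = active_directives(conf_text)
    worker_mpm = mpm.lower() == "worker"
    hits = []
    # 1) mod_proxy_http: proxy worker pools on Windows, Netware or OS2
    proxied = any(n in ("proxypass", "balancermember") for n, _ in directives)
    if proxied and platform.lower() in ("windows", "netware", "os2"):
        hits.append(1)
    # 2) mod_cache: CacheIgnoreURLSessionIdentifiers in use, plus worker MPM
    ignoring = any(n == "cacheignoreurlsessionidentifiers" and a.lower() != "none"
                   for n, a in directives)
    if ignoring and worker_mpm:
        hits.append(2)
    # 3) mod_dav: Dav set to anything but Off, plus worker MPM
    dav = any(n == "dav" and a.lower() != "off" for n, a in directives)
    if dav and worker_mpm:
        hits.append(3)
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE_CONF, mpm="worker", platform="linux"))
```

The MPM a given build uses is shown on the "Server MPM" line of `httpd -V`.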

thor4242 RE: Apache Information Disclosure and Denial of Service Vulnerabilities
Member 30th Jul, 2010 17:22
Last edited on 30th Jul, 2010 17:22
The update to 2.2.16 is not available as a binary for the Windows platform.
Only a patch for 1) is available, as mod_proxy_http-CVE-2010-2068.zip