Apache mod_cgid May Disclose CGI Output to Another Client
|
|
SecurityTracker Alert ID: 1008028
|
|
CVE Reference: CAN-2003-0789
(Links to External Site)
|
Date: Oct 29 2003
|
Impact: Disclosure of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.0.47 and prior versions
|
Description: A vulnerability was reported in the Apache web server in the mod_cgid component. CGI output may be disclosed to another client in certain situations.
It is reported that mod_cgid may mishandle CGI redirect paths. As a result, CGI output may be returned to the wrong requesting client when a threaded MPM is used.
|
Impact: A remote user may receive CGI output intended for a different client.
|
Solution: The vendor has issued a fixed version of Apache (2.0.48), available at:
http://httpd.apache.org/download.cgi
|
Vendor URL: httpd.apache.org/ (Links to External Site)
|
Cause: State error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 29 Oct 2003 08:42:05 -0500
Subject: Apache 2.0.48 Released
|
> Apache 2.0.48 Released
> Of particular note is that 2.0.48 addresses two security vulnerabilities:
> mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong
> client when a threaded MPM is used.
> [CAN-2003-0789]
> A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression
> with more than 9 captures is configured.
> [CAN-2003-0542]
> Apache 2.0.48 is available for download from
>
> http://httpd.apache.org/download.cgi
|
|
