SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   IBM HTTP Server (IHS) Vendors:   IBM
(IBM Issues Fix for IBM HTTP Server) Apache HTTPD scoreboard Protection Flaw Lets Local Users Terminate Arbitrary Processes
SecurityTracker Alert ID:  1018668
SecurityTracker URL:  http://securitytracker.com/id/1018668
CVE Reference:   CVE-2007-3304   (Links to External Site)
Date:  Sep 10 2007
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Apache HTTPD. A local user can cause denial of service conditions. IBM HTTP Server is affected.

The server does not verify that a process is actually an Apache child process before sending signals to the process. A local user with the ability to run scripts can modify the scoreboard arrays to reference arbitrary process IDs and cause arbitrary processes to be terminated.

The vendor was notified on May 16, 2006.

PSNC Security Team discovered this vulnerability.

Impact:   A local user with privileges to run scripts on the target system can terminate arbitrary processes on the target system.
Solution:   IBM has issued a fix for the IBM HTTP Server (PK50467), which is affected by this vulnerability.

The fix is planned for inclusion in fix pack 6.1.0.13 and fix pack 6.0.2.23.

The IBM advisory is available at:

http://www-1.ibm.com/support/docview.wss?uid=swg1PK50467

Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 26 2007 Apache HTTPD scoreboard Protection Flaw Lets Local Users Terminate Arbitrary Processes



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC