Category:   Application (Web Server/CGI)  >   Apache HTTPD
Vendors:   Apache Software Foundation
Apache HTTPD mod_session Flaw Lets Remote Users Modify Data on the Target System
SecurityTracker Alert ID:  1040568
CVE Reference:   CVE-2018-1283
Date:  Mar 26 2018
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.4.0 to 2.4.29
Description:   A vulnerability was reported in Apache HTTPD. A remote user may be able to modify mod_session data on the target system.

On systems where mod_session is configured with SessionEnv on (not the default) to forward session data to CGI applications, the session is exported to the CGI in an environment variable named HTTP_SESSION. Because the CGI interface also exports every client request header under the same "HTTP_" prefix, a remote user can send a specially crafted 'Session' request header, which becomes HTTP_SESSION as well, and thereby influence the mod_session data seen by the CGI application.

Impact:   A remote user can tamper with the mod_session data that is passed to CGI applications on the target system.
Solution:   The vendor has issued a fix (2.4.30). Until the upgrade is applied, the issue is avoided by leaving SessionEnv at its default (off).

Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  CVE-2018-1283: Tampering of mod_session data for CGI applications

CVE-2018-1283: Tampering of mod_session data for CGI applications.

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.29


When mod_session is configured to forward its session data to CGI
applications (SessionEnv on, not the default), a remote user may influence
the forwarded session data by sending a "Session" request header. This comes
from the "HTTP_SESSION" variable name used by mod_session to forward its data
to CGIs: the prefix "HTTP_" is also the one the Apache HTTP Server uses to pass
client request header fields to CGIs, per the CGI specification, so a request
header "Session: ..." is exported under the same HTTP_SESSION name.

The severity is set to Medium because "SessionEnv on" is neither a default
nor a common configuration. Where it is in use, however, the issue should be
considered High because of the possible remote exploitation.

All httpd users should upgrade to 2.4.30 or later.

The issue was discovered internally by the Apache HTTP Server team.
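The following is an added illustration, not code from Apache httpd or from the advisory above. It models the CGI meta-variable rule (RFC 3875: a request header "Foo-Bar: v" becomes HTTP_FOO_BAR=v) next to mod_session's own HTTP_SESSION export, so the name collision described above can be seen on constructed input. The request headers, session string and config lines are made up for the example; the "strip the client's Session header" branch is one hardening the model assumes, and is not a description of the 2.4.30 fix, which this page does not detail. The config scan and version check at the end are added checks a practitioner would run when triaging this CVE.

```python
"""Model of the CGI meta-variable collision behind CVE-2018-1283 (added example)."""
import re

SESSION_META_VAR = "HTTP_SESSION"      # name mod_session exports to CGIs (per advisory)
AFFECTED = ((2, 4, 0), (2, 4, 29))     # inclusive range from the advisory


def header_to_meta_var(name):
    """RFC 3875 4.1.18: upper-case, non-alphanumerics -> '_', prefix HTTP_."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())


def build_cgi_env(client_headers, server_session, session_env_on,
                  strip_client_session=False):
    """Build the CGI environment as a dict of var -> list of (source, value).

    Every client header is exported as HTTP_*; with SessionEnv on, mod_session's
    session string is exported as HTTP_SESSION as well. A list longer than one
    means two sources wrote the same variable and the CGI cannot tell which copy
    it will read (a real getenv() returns whichever comes first in the block).

    strip_client_session is the assumed hardening: drop a client-supplied
    'Session' header before the headers are exported.
    """
    env = {}
    for name, value in client_headers:
        if strip_client_session and name.lower() == "session":
            continue
        env.setdefault(header_to_meta_var(name), []).append(("client", value))
    if session_env_on and server_session is not None:
        env.setdefault(SESSION_META_VAR, []).append(("mod_session", server_session))
    return env


def tampered_vars(env):
    """Variable names that received values from more than one source."""
    return sorted(v for v, writers in env.items() if len({s for s, _ in writers}) > 1)


def risky_config_lines(conf_lines):
    """1-based line numbers that enable SessionEnv (httpd directives and their
    on/off arguments are case-insensitive)."""
    pat = re.compile(r"^\s*SessionEnv\s+on\b", re.IGNORECASE)
    return [i for i, line in enumerate(conf_lines, 1) if pat.match(line)]


def is_affected(version):
    """True for httpd 2.4.0 .. 2.4.29 given an 'x.y.z' version string."""
    v = tuple(int(p) for p in version.split(".")[:3])
    return AFFECTED[0] <= v <= AFFECTED[1]


if __name__ == "__main__":
    # Constructed request: the client slips in its own Session header.
    headers = [("Host", "app.example.test"),
               ("User-Agent", "curl/7.0"),
               ("Session", "role=admin")]
    env = build_cgi_env(headers, "role=guest", session_env_on=True)
    print("collisions:", tampered_vars(env), env[SESSION_META_VAR])
    hardened = build_cgi_env(headers, "role=guest", session_env_on=True,
                             strip_client_session=True)
    print("hardened:", tampered_vars(hardened), hardened[SESSION_META_VAR])
    # Constructed httpd.conf fragment.
    conf = ["Session On", "SessionCookieName session path=/", "  sessionenv ON"]
    print("risky lines:", risky_config_lines(conf), "affected:", is_affected("2.4.29"))
```

With SessionEnv off, a client "Session:" header still shows up as HTTP_SESSION, but then it is just another untrusted request header and nothing server-side is claiming that name; the problem only exists when mod_session writes to the same variable.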

