Bugzilla – Bug 62740
VUL-0: CVE-2004-0940: apache 1.3 mod_include local overflow
Last modified: 2021-10-04 10:21:24 UTC
From a customer (ticket 20041027430001574):
> I came across this link by chance yesterday:
> <a href="http://www.xakep.ru/post/24453/exploit.txt">exploit</a>
> Is there any truth to it, or is Apache 1.3.x already immune to it?
Created attachment 25558: exploit.txt (content of the above URL)
This seems to be local only. I would like to see it fixed at some point for the released products.
Yes, it is a local vulnerability, but it can bite any web hoster who has enabled server side includes (SSI) and allows his users to upload their web pages without prior validation (which is the norm). Taking into account that this bug is semi-public (I cannot find anything about it in my local archives of full-disclosure and bugtraq), I'd say that it is likely more serious than it might seem at first glance.
Apache has now announced an advisory and a new release.
http://www.apache.org/dist/httpd/Announcement.html
CAN-2004-0940 (cve.mitre.org): Fix potential buffer overflow with escaped characters in SSI tag string.
CAN-2004-0492 (cve.mitre.org): Reject responses from a remote server if sent an invalid (negative) Content-Length.
Do we do updates for this? We can fix the SSLCipherSuite problem (bug 62117) at the same time.
Considering Joerg's argument about web hosters, I'd say do the update.
Packages submitted:
/work/SRC/old-versions/8.1/UL/all/apache -> /work/src/done/8.1
/work/SRC/old-versions/8.2/all/apache -> /work/src/done/8.2
/work/SRC/old-versions/9.0/all/apache -> /work/src/done/9.0
/work/SRC/old-versions/9.1/SLES/all/apache -> /work/src/done/9.1
-------------------------------------------------------------------
Wed Nov 10 12:16:56 CET 2004 - poeml@suse.de
- security fix from 1.3.33: [CAN-2004-0940 (cve.mitre.org)]: mod_include: Fix potential buffer overflow with escaped characters in SSI tag string. [#47740]
- security fix from mod_ssl 2.8.20: [CAN-2004-0885 (cve.mitre.org)]: fix SSLCipherSuite bypass in mod_ssl [#47117]
-------------------------------------------------------------------
I will create the needed patchinfos.
Created attachment 25984: apache.patch.box
Created attachment 25985: apache.patch.maintained
Packages checked in, patchinfo files submitted. I am assigning to security-team for further processing.
approved
Reopened by thomas@suse.de at Fri Nov 19 16:07:48 2004, took initial reporter meissner@suse.de to cc
Oops, one package is still missing. :( http://w2d.suse.de/abuildstat/patchinfo/pending/e2d9838c404c87687b26f66baa345567
approved now.
Reopened by meissner@suse.de at Wed Nov 24 18:10:55 2004, took initial reporter thomas@suse.de to cc
Peter, is apache2 affected by this problem too?
I don't think so (the parser in mod_include is completely rewritten)
CVE-2004-0940: CVSS v2 Base Score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)