Vulnerabilities > CVE-2003-1054 - Denial of Service vulnerability in MOD Access Referer MOD Access Referer 1.0.2
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
mod_access_referer 1.0.2 allows remote attackers to cause a denial of service (crash) via a malformed Referer header that is missing a hostname, as parsed by the ap_parse_uri_components function in Apache, which triggers a null dereference.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description | Apache Mod_Access_Referer 1.0.2 NULL Pointer Dereference Denial of Service Vulnerability. CVE-2003-1054. Dos exploits for multiple platform |
id | EDB-ID:22505 |
last seen | 2016-02-02 |
modified | 2003-04-16 |
published | 2003-04-16 |
reporter | zillion |
source | https://www.exploit-db.com/download/22505/ |
title | Apache Mod_Access_Referer 1.0.2 - NULL Pointer Dereference Denial of Service Vulnerability |
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_AF74738942BA11D9BD3700065BE4B5B6.NASL description A malformed Referer header field causes the Apache ap_parse_uri_components function to discard it with the result that a pointer is not initialized. The mod_access_referer module does not take this into account with the result that it may use such a pointer. The NULL pointer vulnerability may possibly be used in a remote denial of service attack against affected Apache servers. last seen 2020-06-01 modified 2020-06-02 plugin id 19081 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19081 title FreeBSD : mod_access_referer -- NULL pointer dereference vulnerability (af747389-42ba-11d9-bd37-00065be4b5b6) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(19081); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:36"); script_cve_id("CVE-2003-1054"); script_bugtraq_id(7375); script_xref(name:"Secunia", value:"8612"); script_name(english:"FreeBSD : mod_access_referer -- NULL pointer dereference vulnerability (af747389-42ba-11d9-bd37-00065be4b5b6)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A malformed Referer header field causes the Apache ap_parse_uri_components function to discard it with the result that a pointer is not initialized. The mod_access_referer module does not take this into account with the result that it may use such a pointer. The NULL pointer vulnerability may possibly be used in a remote denial of service attack against affected Apache servers." ); # http://marc.theaimsgroup.com/?l=full-disclosure&m=105053485515811 script_set_attribute( attribute:"see_also", value:"https://marc.info/?l=full-disclosure&m=105053485515811" ); # https://vuxml.freebsd.org/freebsd/af747389-42ba-11d9-bd37-00065be4b5b6.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0d722888" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:W/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mod_access_referer"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/04/16"); script_set_attribute(attribute:"patch_publication_date", value:"2004/12/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"mod_access_referer<1.0.2_1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Web Servers NASL id MOD_ACCESS_REFERER.NASL description The remote web server may be using a mod_access_referer apache module which contains a NULL pointer dereference bug. Abuse of this vulnerability could allow an attacker to launch a denial of service attack against affected systems. last seen 2020-06-01 modified 2020-06-02 plugin id 11543 published 2003-04-18 reporter This script is Copyright (C) 2003-2018 Xue Yong Zhi source https://www.tenable.com/plugins/nessus/11543 title mod_access_referer 1.0.2 for Apache Malformed Referer DoS code # # This script was written by Xue Yong Zhi ([email protected]) # # Changes by Tenable: # - Revised plugin title, changed family, formatted desc/solution (6/24/09) # Ref: # Date: Wed, 16 Apr 2003 23:14:33 +0200 # From: zillion <[email protected]> # To: [email protected] # Subject: [VulnWatch] Apache mod_access_referer denial of service issue exit(0); # Temporarily disabled include("compat.inc"); if(description) { script_id(11543); script_version("1.28"); script_cve_id("CVE-2003-1054"); script_bugtraq_id(7375); script_name(english:"mod_access_referer 1.0.2 for Apache Malformed Referer DoS"); script_set_attribute(attribute:"synopsis", value: "The remote web server is using a module that is affected by a denial of service vulnerability." ); script_set_attribute(attribute:"description", value: "The remote web server may be using a mod_access_referer apache module which contains a NULL pointer dereference bug. Abuse of this vulnerability could allow an attacker to launch a denial of service attack against affected systems." ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2003/Apr/235" ); script_set_attribute(attribute:"solution", value: "There is no known solution at this time." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:W/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2003/04/18"); script_set_attribute(attribute:"vuln_publication_date", value: "2003/04/16"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english:"Apache module mod_access_referer 1.0.2 contains a NULL pointer dereference vulnerability"); script_category(ACT_DENIAL); script_copyright(english:"This script is Copyright (C) 2003-2020 Xue Yong Zhi"); script_family(english:"Web Servers"); script_dependencie("find_service1.nasl", "http_version.nasl"); script_require_ports("Services/www", 80); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_keys("www/apache"); exit(0); } include("http_func.inc"); include("http_keepalive.inc"); port = get_http_port(default:80, embedded:TRUE); b = get_http_banner(port: port); l = egrep(string: b, pattern: "^Server: Apache"); if (! l) exit(0); if ("Apache/" >< l && ! ereg(string: l, pattern: "Apache/(1\.3|2\.0)")) exit(0); function check(req) { local_var idx, r, soc; #As you see, the Referer part is malformed. #And it depends on configuration too -- there must be an IP #addresses based access list for mod_access_referer. soc = http_open_socket(port); if(!soc)exit(0); req = http_get(item:req, port:port); idx = stridx(req, string("\r\n\r\n")); req = insstr(req, string("\r\nReferer: ://www.nessus.org\r\n\r\n"), idx); send(socket:soc, data:req); r = http_recv(socket:soc); http_close_socket(soc); if ( "HTTP">< r ) return(0); security_warning(port); exit(0); } # first to make sure it's a working webserver req = http_get(item:"/", port:port); idx = stridx(req, string("\r\n\r\n")); req = insstr(req, string("\r\nReferer: http://www.nessus.org\r\n\r\n"), idx); r = http_keepalive_send_recv(port:port, data:req); if(r==NULL) exit(0); if("HTTP">!<r) exit(0); # We do not know which dir is under control of the # mod_access_reeferer, just try some... dirs = get_kb_item(string("www/", port, "/content/directories")); if(isnull(dirs))dirs = make_list("/"); foreach dir (make_list(cgi_dirs(),"/", dirs)) { if(dir && check(req:dir)) exit(0); }