Vulnerabilities > CVE-2004-0811 - Unspecified vulnerability in Apache Http Server 2.0.51

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
apache
nessus

Summary

Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy directive," which could allow attackers to obtain access to restricted resources contrary to the specified authentication configuration.

Vulnerable Configurations

Part Description Count
Application
Apache
1

Nessus

  • NASL familyWeb Servers
    NASL idAPACHE_2_0_52.NASL
    descriptionThe remote host is running Apache web server 2.0.51. It is reported that this version of Apache is vulnerable to an access control bypass attack. This issue occurs when using the
    last seen2020-06-01
    modified2020-06-02
    plugin id14803
    published2004-09-23
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14803
    titleApache <= 2.0.51 Satisfy Directive Access Control Bypass
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if(description)
    {
     script_id(14803);
     script_cvs_date("Date: 2018/06/29 12:01:03");
     script_version("1.26");
    
     script_cve_id("CVE-2004-0811");
     script_bugtraq_id(11239);
     script_xref(name:"Secunia", value:"12633");
     script_xref(name:"Secunia", value:"12641");
     script_xref(name:"Secunia", value:"13025");
    
     script_name(english:"Apache <= 2.0.51 Satisfy Directive Access Control Bypass");
     script_summary(english:"Checks for version of Apache");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by an access control bypass
    vulnerability." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running Apache web server 2.0.51. It is reported
    that this version of Apache is vulnerable to an access control bypass
    attack. This issue occurs when using the 'Satisfy' directive. An
    attacker may gain unauthorized access to restricted resources if
    access control relies on this directive.");
     script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache web server 2.0.52 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/09/23");
     script_set_attribute(attribute:"vuln_publication_date", value: "2004/09/23");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server");
    script_end_attributes();
    
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Web Servers");
     script_dependencie("apache_http_version.nasl");
     script_require_keys("installed_sw/Apache");
     script_require_ports("Services/www", 80);
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    if ( get_kb_item("CVE-2004-0811") ) exit(0);
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("webapp_func.inc");
    
    get_install_count(app_name:"Apache", exit_if_zero:TRUE);
    port = get_http_port(default:80);
    install = get_single_install(app_name:"Apache", port:port, exit_if_unknown_ver:TRUE);
    
    # Check if we could get a version first, then check if it was
    # backported
    version = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1);
    backported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1);
    
    if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "Apache");
    source = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);
    
    # Check if the version looks like either ServerTokens Major/Minor
    # was used
    if (version =~ '^2(\\.0)?$') exit(1, "The banner from the Apache server listening on port "+port+" - "+source+" - is not granular enough to make a determination.");
    if (version !~ "^\d+(\.\d+)*$") exit(1, "The version of Apache listening on port " + port + " - " + version + " - is non-numeric and, therefore, cannot be used to make a determination.");
    if (version =~ '^2\\.0' && ver_compare(ver:version, fix:'2.0.52') == -1)
    {
      if (report_verbosity > 0)
      {
        report = 
          '\n  Version source    : ' + source +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 2.0.52\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "Apache", port, install["version"]);
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200409-33.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200409-33 (Apache: Exposure of protected directories) A bug in the way Apache handles the Satisfy directive, which is used to require that certain conditions (client host, client authentication, etc) be met before access to a certain directory is granted, could allow the exposure of protected directories to unauthorized clients. Impact : Directories containing protected data could be exposed to all visitors to the webserver. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id14811
    published2004-09-24
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/14811
    titleGLSA-200409-33 : Apache: Exposure of protected directories
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200409-33.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14811);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:41");
    
      script_cve_id("CVE-2004-0811");
      script_xref(name:"GLSA", value:"200409-33");
    
      script_name(english:"GLSA-200409-33 : Apache: Exposure of protected directories");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200409-33
    (Apache: Exposure of protected directories)
    
        A bug in the way Apache handles the Satisfy directive, which is used to
        require that certain conditions (client host, client authentication, etc)
        be met before access to a certain directory is granted, could allow the
        exposure of protected directories to unauthorized clients.
      
    Impact :
    
        Directories containing protected data could be exposed to all visitors to
        the webserver.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # http://issues.apache.org/bugzilla/show_bug.cgi?id=31315
      script_set_attribute(
        attribute:"see_also",
        value:"https://bz.apache.org/bugzilla/show_bug.cgi?id=31315"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200409-33"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Apache users should upgrade to the latest version:
        # emerge sync
        # emerge -pv '>=www-servers/apache-2.0.51-r1'
        # emerge '>=www-servers/apache-2.0.51-r1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:apache");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/09/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-servers/apache", unaffected:make_list("ge 2.0.51-r1", "lt 2.0.51"), vulnerable:make_list("eq 2.0.51"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Apache");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2004-313.NASL
    description - Tue Sep 21 2004 Joe Orton <jorton at redhat.com> 2.0.51-2.7 - ap_rgetline_core fix from Rici Lake - Tue Sep 21 2004 Joe Orton <jorton at redhat.com> 2.0.51-2.6 - fix 2.0.51 regression in Satisfy merging (CVE-2004-0811) - Thu Sep 16 2004 Joe Orton <jorton at redhat.com> 2.0.51-2.5 - mod_ssl: prevent SIGHUP-triggers-SIGSEGV after upgrade from 2.0.50 - revert mod_ldap/mod_auth_ldap changes likewise - Wed Sep 15 2004 Joe Orton <jorton at redhat.com> 2.0.51-2.1 - update to 2.0.51, including security fixes for : - core: CVE-2004-0747 - mod_dav_fs: CVE-2004-0809 - mod_ssl: CVE-2004-0751, CVE-2004-0748 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id14807
    published2004-09-24
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14807
    titleFedora Core 2 : httpd-2.0.51-2.7 (2004-313)

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 11239 CVE(CAN) ID: CVE-2004-0811 Apache是一款开放源代码WEB服务程序。 Apache Web Server中存在访问控制绕过漏洞,起因是在合并Satisfy命令时的未明错误。远程攻击者可以利用这个漏洞绕过访问控制,非授权访问受限的资源。 Apache Group Apache 2.0.51 HP HP-UX 11.23 HP HP-UX 11.22 HP HP-UX 11.11 HP HP-UX 11.00 HP Tru64 UNIX SWS &lt; 6.3 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: --- httpd-2.0/server/core.c 2004/08/31 08:16:56 1.225.2.27 +++ httpd-2.0/server/core.c 2004/09/21 13:21:16 1.225.2.28 @@ -351,9 +351,13 @@ /* Otherwise we simply use the base-&gt;sec_file array */ + /* use a separate -&gt;satisfy[] array either way */ + conf-&gt;satisfy = apr_palloc(a, sizeof(*conf-&gt;satisfy) * METHODS); for (i = 0; i &lt; METHODS; ++i) { if (new-&gt;satisfy[i] != SATISFY_NOSPEC) { conf-&gt;satisfy[i] = new-&gt;satisfy[i]; + } else { + conf-&gt;satisfy[i] = base-&gt;satisfy[i]; } } 厂商补丁: Apache Group ------------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://httpd.apache.org/download.cgi target=_blank>http://httpd.apache.org/download.cgi</a>
idSSV:4146
last seen2017-11-19
modified2008-10-05
published2008-10-05
reporterRoot
titleApache Satisfy命令访问控制绕过漏洞

Statements

  • contributorMark J Cox
    lastmodified2008-07-02
    organizationApache
    statementFixed in Apache HTTP Server 2.0.52: http://httpd.apache.org/security/vulnerabilities_20.html
  • contributorMark J Cox
    lastmodified2006-08-31
    organizationRed Hat
    statementNot Vulnerable. This issue only affected Apache 2.0.51, which was not shipped in any version of Red Hat Enterprise Linux.

References