Vulnerabilities > CVE-2004-0811 - Unspecified vulnerability in Apache Http Server 2.0.51
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN apache
nessus
Summary
Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy directive," which could allow attackers to obtain access to restricted resources contrary to the specified authentication configuration.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family Web Servers NASL id APACHE_2_0_52.NASL description The remote host is running Apache web server 2.0.51. It is reported that this version of Apache is vulnerable to an access control bypass attack. This issue occurs when using the last seen 2020-06-01 modified 2020-06-02 plugin id 14803 published 2004-09-23 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14803 title Apache <= 2.0.51 Satisfy Directive Access Control Bypass code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(14803); script_cvs_date("Date: 2018/06/29 12:01:03"); script_version("1.26"); script_cve_id("CVE-2004-0811"); script_bugtraq_id(11239); script_xref(name:"Secunia", value:"12633"); script_xref(name:"Secunia", value:"12641"); script_xref(name:"Secunia", value:"13025"); script_name(english:"Apache <= 2.0.51 Satisfy Directive Access Control Bypass"); script_summary(english:"Checks for version of Apache"); script_set_attribute(attribute:"synopsis", value: "The remote web server is affected by an access control bypass vulnerability." ); script_set_attribute(attribute:"description", value: "The remote host is running Apache web server 2.0.51. It is reported that this version of Apache is vulnerable to an access control bypass attack. This issue occurs when using the 'Satisfy' directive. An attacker may gain unauthorized access to restricted resources if access control relies on this directive."); script_set_attribute(attribute:"solution", value: "Upgrade to Apache web server 2.0.52 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2004/09/23"); script_set_attribute(attribute:"vuln_publication_date", value: "2004/09/23"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc."); script_family(english:"Web Servers"); script_dependencie("apache_http_version.nasl"); script_require_keys("installed_sw/Apache"); script_require_ports("Services/www", 80); exit(0); } # # The script code starts here # if ( get_kb_item("CVE-2004-0811") ) exit(0); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("audit.inc"); include("webapp_func.inc"); get_install_count(app_name:"Apache", exit_if_zero:TRUE); port = get_http_port(default:80); install = get_single_install(app_name:"Apache", port:port, exit_if_unknown_ver:TRUE); # Check if we could get a version first, then check if it was # backported version = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1); backported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "Apache"); source = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1); # Check if the version looks like either ServerTokens Major/Minor # was used if (version =~ '^2(\\.0)?$') exit(1, "The banner from the Apache server listening on port "+port+" - "+source+" - is not granular enough to make a determination."); if (version !~ "^\d+(\.\d+)*$") exit(1, "The version of Apache listening on port " + port + " - " + version + " - is non-numeric and, therefore, cannot be used to make a determination."); if (version =~ '^2\\.0' && ver_compare(ver:version, fix:'2.0.52') == -1) { if (report_verbosity > 0) { report = '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 2.0.52\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "Apache", port, install["version"]);
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200409-33.NASL description The remote host is affected by the vulnerability described in GLSA-200409-33 (Apache: Exposure of protected directories) A bug in the way Apache handles the Satisfy directive, which is used to require that certain conditions (client host, client authentication, etc) be met before access to a certain directory is granted, could allow the exposure of protected directories to unauthorized clients. Impact : Directories containing protected data could be exposed to all visitors to the webserver. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 14811 published 2004-09-24 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14811 title GLSA-200409-33 : Apache: Exposure of protected directories code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200409-33. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(14811); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:41"); script_cve_id("CVE-2004-0811"); script_xref(name:"GLSA", value:"200409-33"); script_name(english:"GLSA-200409-33 : Apache: Exposure of protected directories"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200409-33 (Apache: Exposure of protected directories) A bug in the way Apache handles the Satisfy directive, which is used to require that certain conditions (client host, client authentication, etc) be met before access to a certain directory is granted, could allow the exposure of protected directories to unauthorized clients. Impact : Directories containing protected data could be exposed to all visitors to the webserver. Workaround : There is no known workaround at this time." ); # http://issues.apache.org/bugzilla/show_bug.cgi?id=31315 script_set_attribute( attribute:"see_also", value:"https://bz.apache.org/bugzilla/show_bug.cgi?id=31315" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200409-33" ); script_set_attribute( attribute:"solution", value: "All Apache users should upgrade to the latest version: # emerge sync # emerge -pv '>=www-servers/apache-2.0.51-r1' # emerge '>=www-servers/apache-2.0.51-r1'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:apache"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/09/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-servers/apache", unaffected:make_list("ge 2.0.51-r1", "lt 2.0.51"), vulnerable:make_list("eq 2.0.51"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Apache"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2004-313.NASL description - Tue Sep 21 2004 Joe Orton <jorton at redhat.com> 2.0.51-2.7 - ap_rgetline_core fix from Rici Lake - Tue Sep 21 2004 Joe Orton <jorton at redhat.com> 2.0.51-2.6 - fix 2.0.51 regression in Satisfy merging (CVE-2004-0811) - Thu Sep 16 2004 Joe Orton <jorton at redhat.com> 2.0.51-2.5 - mod_ssl: prevent SIGHUP-triggers-SIGSEGV after upgrade from 2.0.50 - revert mod_ldap/mod_auth_ldap changes likewise - Wed Sep 15 2004 Joe Orton <jorton at redhat.com> 2.0.51-2.1 - update to 2.0.51, including security fixes for : - core: CVE-2004-0747 - mod_dav_fs: CVE-2004-0809 - mod_ssl: CVE-2004-0751, CVE-2004-0748 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14807 published 2004-09-24 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14807 title Fedora Core 2 : httpd-2.0.51-2.7 (2004-313)
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 11239 CVE(CAN) ID: CVE-2004-0811 Apache是一款开放源代码WEB服务程序。 Apache Web Server中存在访问控制绕过漏洞,起因是在合并Satisfy命令时的未明错误。远程攻击者可以利用这个漏洞绕过访问控制,非授权访问受限的资源。 Apache Group Apache 2.0.51 HP HP-UX 11.23 HP HP-UX 11.22 HP HP-UX 11.11 HP HP-UX 11.00 HP Tru64 UNIX SWS < 6.3 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: --- httpd-2.0/server/core.c 2004/08/31 08:16:56 1.225.2.27 +++ httpd-2.0/server/core.c 2004/09/21 13:21:16 1.225.2.28 @@ -351,9 +351,13 @@ /* Otherwise we simply use the base->sec_file array */ + /* use a separate ->satisfy[] array either way */ + conf->satisfy = apr_palloc(a, sizeof(*conf->satisfy) * METHODS); for (i = 0; i < METHODS; ++i) { if (new->satisfy[i] != SATISFY_NOSPEC) { conf->satisfy[i] = new->satisfy[i]; + } else { + conf->satisfy[i] = base->satisfy[i]; } } 厂商补丁: Apache Group ------------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://httpd.apache.org/download.cgi target=_blank>http://httpd.apache.org/download.cgi</a> |
id | SSV:4146 |
last seen | 2017-11-19 |
modified | 2008-10-05 |
published | 2008-10-05 |
reporter | Root |
title | Apache Satisfy命令访问控制绕过漏洞 |
Statements
contributor Mark J Cox lastmodified 2008-07-02 organization Apache statement Fixed in Apache HTTP Server 2.0.52: http://httpd.apache.org/security/vulnerabilities_20.html contributor Mark J Cox lastmodified 2006-08-31 organization Red Hat statement Not Vulnerable. This issue only affected Apache 2.0.51, which was not shipped in any version of Red Hat Enterprise Linux.
References
- http://www.apacheweek.com/features/security-20
- http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch
- http://fedoranews.org/updates/FEDORA-2004-313.shtml
- http://security.gentoo.org/glsa/glsa-200409-33.xml
- http://www.trustix.org/errata/2004/0049
- http://www.securityfocus.com/bid/11239
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17473
- https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E