CVE-2005-1268 - Off-by-one Error vulnerability in multiple products

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_34123.NASL
    description: s700_800 11.04 Virtualvault 4.7 OWS (Apache 2.x) update : Potential security vulnerabilities have been identified with Apache running on HP-UX. These vulnerabilities could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21107
    published: 2006-03-21
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21107
    title: HP-UX PHSS_34123 : Apache-based Web Server on HP-UX mod_ssl, proxy_http, Remote Execution of Arbitrary Code, Denial of Service (DoS), and Unauthorized Access (HPSBUX02074 SSRT051251 rev.2)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-129.NASL
    description: Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback which can only be exploited if the Apache server is configured to use a malicious certificate revocation list (CVE-2005-1268). Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19889
    published: 2005-10-05
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19889
    title: Mandrake Linux Security Advisory : apache2 (MDKSA-2005:129)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-160-1.NASL
    description: Marc Stern discovered a buffer overflow in the SSL module
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20565
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20565
    title: Ubuntu 4.10 / 5.04 : apache2 vulnerabilities (USN-160-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-582.NASL
    description: Updated Apache httpd packages to correct two security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19296
    published: 2005-07-25
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19296
    title: RHEL 3 / 4 : httpd (RHSA-2005:582)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_34163.NASL
    description: s700_800 11.04 Webproxy server 2.1 (Apache 2.x) update : Potential security vulnerabilities have been identified with Apache running on HP-UX. These vulnerabilities could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21108
    published: 2006-03-21
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21108
    title: HP-UX PHSS_34163 : Apache-based Web Server on HP-UX mod_ssl, proxy_http, Remote Execution of Arbitrary Code, Denial of Service (DoS), and Unauthorized Access (HPSBUX02074 SSRT051251 rev.2)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0118_HTTPD.NASL
    description: The remote NewStart CGSL host, running version MAIN 4.05, has httpd packages installed that are affected by multiple vulnerabilities:
      - Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. (CVE-2005-1268)
      - The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a Transfer-Encoding: chunked header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka HTTP Request Smuggling. (CVE-2005-2088)
      - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using SSLVerifyClient optional in the global virtual host configuration, does not properly enforce SSLVerifyClient require in a per-location context, which allows remote attackers to bypass intended access restrictions. (CVE-2005-2700)
      - The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. (CVE-2005-2728)
      - Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps. (CVE-2005-3352)
      - mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference. (CVE-2005-3357)
      - The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a plaintext injection attack, aka the Project Mogul issue. (CVE-2009-3555)
      - The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path. (CVE-2010-1452)
      - fs/ext4/extents.c in the Linux kernel before 3.0 does not mark a modified extent as dirty in certain cases of extent splitting, which allows local users to cause a denial of service (system crash) via vectors involving ext4 umount and mount operations. (CVE-2011-3638)
      - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)
      - It was discovered that the use of httpd
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127360
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127360
    title: NewStart CGSL MAIN 4.05 : httpd Multiple Vulnerabilities (NS-SA-2019-0118)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2005_046.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2005:046 (apache,apache2). A security flaw was found in the Apache and Apache2 web servers which allows remote attacker to
    last seen: 2019-10-28
    modified: 2005-10-05
    plugin id: 19925
    published: 2005-10-05
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19925
    title: SUSE-SA:2005:046: apache,apache2
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-805.NASL
    description: Several problems have been discovered in Apache2, the next generation, scalable, extendable web server. The Common Vulnerabilities and Exposures project identifies the following problems :
      - CAN-2005-1268 Marc Stern discovered an off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback. When Apache is configured to use a CRL this can be used to cause a denial of service.
      - CAN-2005-2088 A vulnerability has been discovered in the Apache web server. When it is acting as an HTTP proxy, it allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct cross-site scripting attacks, which causes Apache to incorrectly handle and forward the body of the request.
      - CAN-2005-2700 A problem has been discovered in mod_ssl, which provides strong cryptography (HTTPS support) for Apache that allows remote attackers to bypass access restrictions.
      - CAN-2005-2728 The byte-range filter in Apache 2.0 allows remote attackers to cause a denial of service via an HTTP header with a large Range field.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19612
    published: 2005-09-12
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19612
    title: Debian DSA-805-1 : apache2 - several vulnerabilities
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_E936D612253F11DABC01000E0C2E438A.NASL
    description: Marc Stern reports an off-by-one vulnerability within mod_ssl. The vulnerability lies in mod_ssl
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21529
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21529
    title: FreeBSD : apache -- Certificate Revocation List (CRL) off-by-one vulnerability (e936d612-253f-11da-bc01-000e0c2e438a)
  • NASL family: Web Servers
    NASL id: APACHE_2_0_55.NASL
    description: The remote host appears to be running a version of Apache that is prior to 2.0.55. It is, therefore, affected by multiple vulnerabilities : - A security issue exists where
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31656
    published: 2008-03-26
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31656
    title: Apache < 2.0.55 Multiple Vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-638.NASL
    description: This update includes version 2.0.53 of the Apache HTTP server, and also adds security fixes for CVE-2005-2088 and CVE-2005-1268. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19374
    published: 2005-08-03
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19374
    title: Fedora Core 3 : httpd-2.0.53-3.2 (2005-638)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-582.NASL
    description: Updated Apache httpd packages to correct two security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. Watchfire reported a flaw that occurred when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21843
    published: 2006-07-03
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21843
    title: CentOS 3 / 4 : httpd (CESA-2005:582)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-639.NASL
    description: This update includes security fixes for CVE-2005-2088 and CVE-2005-1268, along with some minor bug fixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19375
    published: 2005-08-03
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19375
    title: Fedora Core 4 : httpd-2.0.54-10.1 (2005-639)

Oval

  • accepted: 2006-01-25T07:30:00.000-04:00
    class: vulnerability
    contributors:
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    description: Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
    family: unix
    id: oval:org.mitre.oval:def:1346
    status: accepted
    submitted: 2005-11-30T12:00:00.000-04:00
    title: Apache mod_ssl CRL off-by-one DoS
    version: 36
  • accepted: 2007-10-02T08:08:10.523-04:00
    class: vulnerability
    contributors:
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Todd Dolinsky
      organization: Opsware, Inc.
    description: Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
    family: unix
    id: oval:org.mitre.oval:def:1714
    status: accepted
    submitted: 2006-03-18T07:24:00.000-04:00
    title: VirusVault Off-by-One Error in mod_ssl CRL
    version: 35
  • accepted: 2007-10-02T08:08:10.805-04:00
    class: vulnerability
    contributors:
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Todd Dolinsky
      organization: Opsware, Inc.
    description: Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
    family: unix
    id: oval:org.mitre.oval:def:1747
    status: accepted
    submitted: 2006-03-18T07:24:00.000-04:00
    title: Webproxy Off-by-One Error in mod_ssl CRL
    version: 35
  • accepted: 2013-04-29T04:20:28.525-04:00
    class: vulnerability
    contributors:
    • name: Aharon Chernin
      organization: SCAP.com, LLC
    • name: Dragos Prisaca
      organization: G2, Inc.
    definition_extensions:
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
      oval: oval:org.mitre.oval:def:11782
    • comment: CentOS Linux 3.x
      oval: oval:org.mitre.oval:def:16651
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
      oval: oval:org.mitre.oval:def:11831
    • comment: CentOS Linux 4.x
      oval: oval:org.mitre.oval:def:16636
    • comment: Oracle Linux 4.x
      oval: oval:org.mitre.oval:def:15990
    description: Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
    family: unix
    id: oval:org.mitre.oval:def:9589
    status: accepted
    submitted: 2010-07-09T03:56:16-04:00
    title: Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
    version: 26

Redhat

advisories
rhsa
id: RHSA-2005:582
rpms
  • httpd-0:2.0.46-46.2.ent
  • httpd-0:2.0.52-12.1.ent
  • httpd-debuginfo-0:2.0.46-46.2.ent
  • httpd-debuginfo-0:2.0.52-12.1.ent
  • httpd-devel-0:2.0.46-46.2.ent
  • httpd-devel-0:2.0.52-12.1.ent
  • httpd-manual-0:2.0.52-12.1.ent
  • httpd-suexec-0:2.0.52-12.1.ent
  • mod_ssl-1:2.0.46-46.2.ent
  • mod_ssl-1:2.0.52-12.1.ent

Statements

contributor: Mark J Cox
lastmodified: 2008-07-02
organization: Apache
statement: Fixed in Apache HTTP Server 2.0.55: http://httpd.apache.org/security/vulnerabilities_20.html

References