Vulnerabilities > CVE-2005-1268 - Off-by-one Error vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_34123.NASL description s700_800 11.04 Virtualvault 4.7 OWS (Apache 2.x) update : Potential security vulnerabilities have been identified with Apache running on HP-UX. These vulnerability could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access. last seen 2020-06-01 modified 2020-06-02 plugin id 21107 published 2006-03-21 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21107 title HP-UX PHSS_34123 : Apache-based Web Server on HP-UX mod_ssl, proxy_http, Remote Execution of Arbitrary Code, Denial of Service (DoS), and Unauthorized Access (HPSBUX02074 SSRT051251 rev.2) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-129.NASL description Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback which can only be exploited if the Apache server is configured to use a malicious certificate revocation list (CVE-2005-1268). Watchfire reported a flaw that occured when using the Apache server as a HTTP proxy. A remote attacker could send an HTTP request with both a last seen 2020-06-01 modified 2020-06-02 plugin id 19889 published 2005-10-05 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19889 title Mandrake Linux Security Advisory : apache2 (MDKSA-2005:129) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-160-1.NASL description Marc Stern discovered a buffer overflow in the SSL module last seen 2020-06-01 modified 2020-06-02 plugin id 20565 published 2006-01-15 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20565 title Ubuntu 4.10 / 5.04 : apache2 vulnerabilities (USN-160-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-582.NASL description Updated Apache httpd packages to correct two security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. Watchfire reported a flaw that occured when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a last seen 2020-06-01 modified 2020-06-02 plugin id 19296 published 2005-07-25 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19296 title RHEL 3 / 4 : httpd (RHSA-2005:582) NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_34163.NASL description s700_800 11.04 Webproxy server 2.1 (Apache 2.x) update : Potential security vulnerabilities have been identified with Apache running on HP-UX. These vulnerability could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access. last seen 2020-06-01 modified 2020-06-02 plugin id 21108 published 2006-03-21 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21108 title HP-UX PHSS_34163 : Apache-based Web Server on HP-UX mod_ssl, proxy_http, Remote Execution of Arbitrary Code, Denial of Service (DoS), and Unauthorized Access (HPSBUX02074 SSRT051251 rev.2) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0118_HTTPD.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has httpd packages installed that are affected by multiple vulnerabilities: - Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. (CVE-2005-1268) - The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a Transfer-Encoding: chunked header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka HTTP Request Smuggling. (CVE-2005-2088) - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using SSLVerifyClient optional in the global virtual host configuration, does not properly enforce SSLVerifyClient require in a per-location context, which allows remote attackers to bypass intended access restrictions. (CVE-2005-2700) - The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. (CVE-2005-2728) - Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps. (CVE-2005-3352) - mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference. (CVE-2005-3357) - The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post- renegotiation context, related to a plaintext injection attack, aka the Project Mogul issue. (CVE-2009-3555) - The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path. (CVE-2010-1452) - fs/ext4/extents.c in the Linux kernel before 3.0 does not mark a modified extent as dirty in certain cases of extent splitting, which allows local users to cause a denial of service (system crash) via vectors involving ext4 umount and mount operations. (CVE-2011-3638) - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) - It was discovered that the use of httpd last seen 2020-06-01 modified 2020-06-02 plugin id 127360 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127360 title NewStart CGSL MAIN 4.05 : httpd Multiple Vulnerabilities (NS-SA-2019-0118) NASL family SuSE Local Security Checks NASL id SUSE_SA_2005_046.NASL description The remote host is missing the patch for the advisory SUSE-SA:2005:046 (apache,apache2). A security flaw was found in the Apache and Apache2 web servers which allows remote attacker to last seen 2019-10-28 modified 2005-10-05 plugin id 19925 published 2005-10-05 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19925 title SUSE-SA:2005:046: apache,apache2 NASL family Debian Local Security Checks NASL id DEBIAN_DSA-805.NASL description Several problems have been discovered in Apache2, the next generation, scalable, extendable web server. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-1268 Marc Stern discovered an off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback. When Apache is configured to use a CRL this can be used to cause a denial of service. - CAN-2005-2088 A vulnerability has been discovered in the Apache web server. When it is acting as an HTTP proxy, it allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct cross-site scripting attacks, which causes Apache to incorrectly handle and forward the body of the request. - CAN-2005-2700 A problem has been discovered in mod_ssl, which provides strong cryptography (HTTPS support) for Apache that allows remote attackers to bypass access restrictions. - CAN-2005-2728 The byte-range filter in Apache 2.0 allows remote attackers to cause a denial of service via an HTTP header with a large Range field. last seen 2020-06-01 modified 2020-06-02 plugin id 19612 published 2005-09-12 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19612 title Debian DSA-805-1 : apache2 - several vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_E936D612253F11DABC01000E0C2E438A.NASL description Marc Stern reports an off-by-one vulnerability in within mod_ssl. The vulnerability lies in mod_ssl last seen 2020-06-01 modified 2020-06-02 plugin id 21529 published 2006-05-13 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21529 title FreeBSD : apache -- Certificate Revocation List (CRL) off-by-one vulnerability (e936d612-253f-11da-bc01-000e0c2e438a) NASL family Web Servers NASL id APACHE_2_0_55.NASL description The remote host appears to be running a version of Apache that is prior to 2.0.55. It is, therefore affected by multiple vulnerabilities : - A security issue exists where last seen 2020-06-01 modified 2020-06-02 plugin id 31656 published 2008-03-26 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31656 title Apache < 2.0.55 Multiple Vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2005-638.NASL description This update includes version 2.0.53 of the Apache HTTP server, and also adds security fixes for CVE-2005-2088 and CVE-2005-1268. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 19374 published 2005-08-03 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19374 title Fedora Core 3 : httpd-2.0.53-3.2 (2005-638) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2005-582.NASL description Updated Apache httpd packages to correct two security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. Watchfire reported a flaw that occured when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a last seen 2020-06-01 modified 2020-06-02 plugin id 21843 published 2006-07-03 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21843 title CentOS 3 / 4 : httpd (CESA-2005:582) NASL family Fedora Local Security Checks NASL id FEDORA_2005-639.NASL description This update security fixes for CVE-2005-2088 and CVE-2005-1268, along with some minor bug fixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 19375 published 2005-08-03 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19375 title Fedora Core 4 : httpd-2.0.54-10.1 (2005-639)
Oval
accepted 2006-01-25T07:30:00.000-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. description Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. family unix id oval:org.mitre.oval:def:1346 status accepted submitted 2005-11-30T12:00:00.000-04:00 title Apache mod_ssl CRL off-by-one DoS version 36 accepted 2007-10-02T08:08:10.523-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Todd Dolinsky organization Opsware, Inc.
description Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. family unix id oval:org.mitre.oval:def:1714 status accepted submitted 2006-03-18T07:24:00.000-04:00 title VirusVault Off-by-One Error in mod_ssl CRL version 35 accepted 2007-10-02T08:08:10.805-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Todd Dolinsky organization Opsware, Inc.
description Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. family unix id oval:org.mitre.oval:def:1747 status accepted submitted 2006-03-18T07:24:00.000-04:00 title Webproxy Off-by-One Error in mod_ssl CRL version 35 accepted 2013-04-29T04:20:28.525-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 3 oval oval:org.mitre.oval:def:11782 comment CentOS Linux 3.x oval oval:org.mitre.oval:def:16651 comment The operating system installed on the system is Red Hat Enterprise Linux 4 oval oval:org.mitre.oval:def:11831 comment CentOS Linux 4.x oval oval:org.mitre.oval:def:16636 comment Oracle Linux 4.x oval oval:org.mitre.oval:def:15990
description Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. family unix id oval:org.mitre.oval:def:9589 status accepted submitted 2010-07-09T03:56:16-04:00 title Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. version 26
Redhat
advisories |
| ||||
rpms |
|
Statements
contributor | Mark J Cox |
lastmodified | 2008-07-02 |
organization | Apache |
statement | Fixed in Apache HTTP Server 2.0.55: http://httpd.apache.org/security/vulnerabilities_20.html |
References
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163013
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:129
- http://rhn.redhat.com/errata/RHSA-2005-582.html
- http://www.debian.org/security/2005/dsa-805
- http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html
- http://www.securityfocus.com/bid/14366
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1
- http://secunia.com/advisories/19072
- http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
- http://secunia.com/advisories/19185
- http://www.novell.com/linux/security/advisories/2005_46_apache.html
- http://www.novell.com/linux/security/advisories/2005_18_sr.html
- http://securityreason.com/securityalert/604
- http://www.vupen.com/english/advisories/2006/0789
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9589
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1747
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1714
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1346
- http://www.securityfocus.com/archive/1/428138/100/0/threaded
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E