CVE-2007-6423 - Resource Management Errors vulnerability in Apache Http Server

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Unspecified vulnerability in mod_proxy_balancer for Apache HTTP Server 2.2.x before 2.2.7-dev, when running on Windows, allows remote attackers to trigger memory corruption via a long URL. NOTE: the vendor could not reproduce this issue.

Common Weakness Enumeration (CWE)

Nessus

NASL family: Web Servers
NASL id: APACHE_2_2_9.NASL
description: According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.9. It is, therefore, affected by multiple vulnerabilities: - Improper handling of excessive forwarded interim responses may cause denial of service conditions in mod_proxy_http. (CVE-2008-2364) - A cross-site request forgery vulnerability in the balancer-manager interface of mod_proxy_balancer. (CVE-2007-6420) Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 33477
published: 2008-07-11
reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/33477
title: Apache 2.2.x < 2.2.9 Multiple Vulnerabilities (DoS, XSS)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(33477);
  script_cvs_date("Date: 2018/06/29 12:01:03");
  script_version("1.36");

  script_cve_id("CVE-2007-6420", "CVE-2008-2364", "CVE-2007-6423");
  script_bugtraq_id(27236, 29653);
  script_xref(name:"Secunia", value:"30621");

  script_name(english:"Apache 2.2.x < 2.2.9 Multiple Vulnerabilities (DoS, XSS)");
  script_summary(english:"Checks version in Server response header");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote web server may be affected by several issues.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of Apache 2.2.x running on the
remote host is prior to 2.2.9. It is, therefore, affected by multiple
vulnerabilities :

  - Improper handling of excessive forwarded interim 
    responses may cause denial of service conditions in 
    mod_proxy_http. (CVE-2008-2364)

  - A cross-site request forgery vulnerability in the 
    balancer-manager interface of mod_proxy_balancer.
    (CVE-2007-6420)

Note that the remote web server may not actually be affected by these
vulnerabilities. Nessus did not try to determine whether the affected
modules are in use or to check for the issues themselves.");
  script_set_attribute(attribute:"see_also", value:"https://archive.apache.org/dist/httpd/CHANGES_2.2");
  script_set_attribute(attribute:"see_also", value:"http://httpd.apache.org/security/vulnerabilities_22.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache version 2.2.9 or later. Alternatively, ensure that
the affected modules are not in use.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(352, 399);

  script_set_attribute(attribute:"plugin_publication_date", value:"2008/07/11");

  script_set_attribute(attribute:"plugin_type", value: "remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  script_dependencies("apache_http_version.nasl");
  script_require_keys("installed_sw/Apache");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("audit.inc");
include("install_func.inc");

get_install_count(app_name:"Apache", exit_if_zero:TRUE);
port = get_http_port(default:80);
install = get_single_install(app_name:"Apache", port:port, exit_if_unknown_ver:TRUE);

# Check if we could get a version first, then check if it was
# backported
version = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1);
backported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1);

if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "Apache");
source = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);

# Check if the version looks like either ServerTokens Major/Minor
# was used
if (version =~ '^2(\\.2)?$') exit(1, "The banner from the Apache server listening on port "+port+" - "+source+" - is not granular enough to make a determination.");
if (version !~ "^\d+(\.\d+)*$") exit(1, "The version of Apache listening on port " + port + " - " + version + " - is non-numeric and, therefore, cannot be used to make a determination.");
if (version =~ '^2\\.2' && ver_compare(ver:version, fix:'2.2.9') == -1)
{
  set_kb_item(name:"www/"+port+"/XSS", value:TRUE);
  if (report_verbosity > 0)
  {
    report = 
      '\n  Version source    : ' + source +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 2.2.9\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else exit(0, "Apache "+version+" is listening on port "+port+" and is not affected.");

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 27236 CVE ID: CVE-2007-6420 CVE-2007-6421 CVE-2007-6422 CVE-2007-6423 CNCVE ID: CNCVE-20076420 CNCVE-20076421 CNCVE-20076422 CNCVE-20076423
Apache HTTP Server is an open-source web server. The mod_proxy_balancer module included in Apache HTTP Server has input validation issues that remote attackers can exploit for cross-site scripting, CSRF, denial of service and other attacks.
1. Because all actions are performed via GET requests, CSRF attacks are possible.
2. "mod_proxy_balancer.c" has a cross-site scripting issue: input passed to the "ss" ("StickySession Identifier"), "wr" ("Route") and "rr" ("Route Redirect") parameters is not filtered in any way, which can lead to execution of arbitrary HTML and script code. In addition, missing filtering of the "balancer-manager" parameter can also lead to execution of arbitrary HTML and script code.
3. "balancer_handler()", which manages loadfactors and member state, contains an error: when worker settings are edited, an attacker who supplies an invalid "b" variable can cause a denial of service.
4. Entering 7390 or 7506 or 7622 "A" characters in the URL causes memory corruption due to an error in "mod_proxy_balancer".
Affected versions: Apache Software Foundation Apache 2.2.6, Apache Software Foundation Apache 2.2.5, Apache Software Foundation Apache 2.2.4, Apache Software Foundation Apache 2.2.3, Apache Software Foundation Apache 2.2.2, Apache Software Foundation Apache 2.2 .0, Apache Software Foundation Apache 2.2.6-dev, Apache Software Foundation Apache 2.2.5-dev
Vendor solution: Apache 2.2.7-dev has fixed this vulnerability: http://www.apache.org/
id: SSV:2820
last seen: 2017-11-19
modified: 2008-01-14
published: 2008-01-14
reporter: Root
title: Multiple vulnerabilities in Apache 'mod_proxy_balancer'

Statements

contributor: Mark J Cox
lastmodified: 2008-01-24
organization: Red Hat
statement: mod_proxy_balancer is included in the version of Apache HTTP Server as shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack v2. Red Hat was unable to reproduce this issue.