Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Published: 2008-01-25
Updated: 2023-11-07
Summary
CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection
An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Site Scripting through Log Files
An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection
An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Subverting Environment Variable Values
The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
Nessus
NASL family | Misc. |
NASL id | JUNIPER_NSM_JSA10685_CRED.NASL |
description | The remote host is running a version of NSM (Network and Security Manager) Server that is prior to 2012.2R9. It is, therefore, affected by multiple vulnerabilities in the bundled version of Apache HTTP Server : - A flaw exists due to improper escaping of filenames in 406 and 300 HTTP responses. A remote attacker can exploit this, by uploading a file with a specially crafted name, to inject arbitrary HTTP headers or conduct cross-site scripting attacks. (CVE-2008-0456) - Multiple cross-site scripting vulnerabilities exist in the mod_negotiation module due to improper sanitization of input passed via filenames. An attacker can exploit this to execute arbitrary script code in a user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 84878 |
published | 2015-07-20 |
reporter | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/84878 |
title | Juniper NSM < 2012.2R9 Apache HTTP Server Multiple Vulnerabilities (JSA10685) (credentialed check) |
NASL family | F5 Networks Local Security Checks |
NASL id | F5_BIGIP_SOL17189.NASL |
description | CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 85697 |
published | 2015-08-31 |
reporter | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/85697 |
title | F5 Networks BIG-IP : Apache HTTP server vulnerability (SOL17189) |
NASL family | Misc. |
NASL id | JUNIPER_NSM_JSA10685.NASL |
description | The remote host is running a version of NSM (Network and Security Manager) Server that is prior to 2012.2R9. It is, therefore, affected by multiple vulnerabilities in the bundled version of Apache HTTP Server : - A flaw exists due to improper escaping of filenames in 406 and 300 HTTP responses. A remote attacker can exploit this, by uploading a file with a specially crafted name, to inject arbitrary HTTP headers or conduct cross-site scripting attacks. (CVE-2008-0456) - Multiple cross-site scripting vulnerabilities exist in the mod_negotiation module due to improper sanitization of input passed via filenames. An attacker can exploit this to execute arbitrary script code in a user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 84877 |
published | 2015-07-20 |
reporter | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/84877 |
title | Juniper NSM < 2012.2R9 Apache HTTP Server Multiple Vulnerabilities (JSA10685) |
NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20130108_HTTPD_ON_SL5_X.NASL |
description | Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687) Bug fixes : - Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the |
last seen | 2020-03-18 |
modified | 2013-01-17 |
plugin id | 63597 |
published | 2013-01-17 |
reporter | This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/63597 |
title | Scientific Linux Security Update : httpd on SL5.x i386/x86_64 (20130108) |
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200803-19.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200803-19 (Apache: Multiple vulnerabilities) Adrian Pastor and Amir Azam (ProCheckUp) reported that the HTTP Method specifier header is not properly sanitized when the HTTP return code is |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 31445 |
published | 2008-03-13 |
reporter | This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/31445 |
title | GLSA-200803-19 : Apache: Multiple vulnerabilities |
NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2013-0130.NASL |
description | From Red Hat Security Advisory 2013:0130 : Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation. Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687) Bug fixes : * Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 68701 |
published | 2013-07-12 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/68701 |
title | Oracle Linux 5 : httpd (ELSA-2013-0130) |
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2013-0130.NASL |
description | Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation. Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687) Bug fixes : * Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63411 |
published | 2013-01-08 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/63411 |
title | RHEL 5 : httpd (RHSA-2013:0130) |
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_10_5_7.NASL |
description | The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11 |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 38744 |
published | 2009-05-13 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/38744 |
title | Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities |
NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2013-0130.NASL |
description | Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation. Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687) Bug fixes : * Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63575 |
published | 2013-01-17 |
reporter | This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/63575 |
title | CentOS 5 : httpd (CESA-2013:0130) |
NASL family | Web Servers |
NASL id | APACHE_MOD_NEGOTIATION_XSS.NASL |
description | According to its banner, the version of Apache running on the remote host does not properly escape filenames in 406 responses. A remote attacker can exploit this to inject arbitrary HTTP headers or conduct cross-site scripting attacks by uploading a file with a specially crafted name. Note that the remote web server may not actually be affected by these vulnerabilities as Nessus has relied solely on the version number in the server |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 17692 |
published | 2011-11-18 |
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/17692 |
title | Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities |
Redhat
advisories | |
rpms | - httpd-0:2.2.3-74.el5
- httpd-debuginfo-0:2.2.3-74.el5
- httpd-devel-0:2.2.3-74.el5
- httpd-manual-0:2.2.3-74.el5
- mod_ssl-1:2.2.3-74.el5
|
Statements
contributor | Mark J Cox |
lastmodified | 2008-01-25 |
organization | Red Hat |
statement | We do not consider this issue to be security sensitive. Untrusted users should not be permitted to upload files to the directories from where they can be directly served by the web server without prior careful sanitation of both contents and filename. |