Vulnerabilities > CVE-2009-3094 - NULL Pointer Dereference vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-1580.NASL
    descriptionUpdated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id42470
    published2009-11-12
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42470
    titleRHEL 4 : httpd (RHSA-2009:1580)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2009:1580. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42470);
      script_version ("1.32");
      script_cvs_date("Date: 2019/10/25 13:36:14");
    
      script_cve_id("CVE-2009-1891", "CVE-2009-3094", "CVE-2009-3095", "CVE-2009-3555");
      script_bugtraq_id(35623, 36254, 36260, 36935);
      script_xref(name:"RHSA", value:"2009:1580");
    
      script_name(english:"RHEL 4 : httpd (RHSA-2009:1580)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated httpd packages that fix multiple security issues are now
    available for Red Hat Enterprise Linux 4.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Apache HTTP Server is a popular Web server.
    
    A flaw was found in the way the TLS/SSL (Transport Layer
    Security/Secure Sockets Layer) protocols handle session renegotiation.
    A man-in-the-middle attacker could use this flaw to prefix arbitrary
    plain text to a client's session (for example, an HTTPS connection to
    a website). This could force the server to process an attacker's
    request as if authenticated using the victim's credentials. This
    update partially mitigates this flaw for SSL sessions to HTTP servers
    using mod_ssl by rejecting client-requested renegotiation.
    (CVE-2009-3555)
    
    Note: This update does not fully resolve the issue for HTTPS servers.
    An attack is still possible in configurations that require a
    server-initiated renegotiation. Refer to the following Knowledgebase
    article for further information:
    http://kbase.redhat.com/faq/docs/DOC-20491
    
    A denial of service flaw was found in the Apache mod_deflate module.
    This module continued to compress large files until compression was
    complete, even if the network connection that requested the content
    was closed before compression completed. This would cause mod_deflate
    to consume large amounts of CPU if mod_deflate was enabled for a large
    file. (CVE-2009-1891)
    
    A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp
    module. A malicious FTP server to which requests are being proxied
    could use this flaw to crash an httpd child process via a malformed
    reply to the EPSV or PASV commands, resulting in a limited denial of
    service. (CVE-2009-3094)
    
    A second flaw was found in the Apache mod_proxy_ftp module. In a
    reverse proxy configuration, a remote attacker could use this flaw to
    bypass intended access restrictions by creating a carefully-crafted
    HTTP Authorization header, allowing the attacker to send arbitrary
    commands to the FTP server. (CVE-2009-3095)
    
    All httpd users should upgrade to these updated packages, which
    contain backported patches to correct these issues. After installing
    the updated packages, the httpd daemon must be restarted for the
    update to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-1891"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-3094"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-3095"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-3555"
      );
      # http://kbase.redhat.com/faq/docs/DOC-20491
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/20490"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2009:1580"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(119, 264, 310, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-suexec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.8");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2009:1580";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL4", reference:"httpd-2.0.52-41.ent.6")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"httpd-devel-2.0.52-41.ent.6")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"httpd-manual-2.0.52-41.ent.6")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"httpd-suexec-2.0.52-41.ent.6")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"mod_ssl-2.0.52-41.ent.6")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-devel / httpd-manual / httpd-suexec / mod_ssl");
      }
    }
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2010-024-01.NASL
    descriptionNew httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id44120
    published2010-01-25
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44120
    titleSlackware 12.0 / 12.1 / 12.2 / 13.0 / current : httpd (SSA:2010-024-01)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2010-024-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44120);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:21");
    
      script_cve_id("CVE-2009-3094", "CVE-2009-3095");
      script_bugtraq_id(36254, 36260);
      script_xref(name:"SSA", value:"2010-024-01");
    
      script_name(english:"Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : httpd (SSA:2010-024-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New httpd packages are available for Slackware 12.0, 12.1, 12.2,
    13.0, and -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.451468
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c708ebd6"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected httpd package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(119, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:httpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/01/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"12.0", pkgname:"httpd", pkgver:"2.2.14", pkgarch:"i486", pkgnum:"1_slack12.0")) flag++;
    
    if (slackware_check(osver:"12.1", pkgname:"httpd", pkgver:"2.2.14", pkgarch:"i486", pkgnum:"1_slack12.1")) flag++;
    
    if (slackware_check(osver:"12.2", pkgname:"httpd", pkgver:"2.2.14", pkgarch:"i486", pkgnum:"1_slack12.2")) flag++;
    
    if (slackware_check(osver:"13.0", pkgname:"httpd", pkgver:"2.2.14", pkgarch:"i486", pkgnum:"1_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"httpd", pkgver:"2.2.14", pkgarch:"x86_64", pkgnum:"1_slack13.0")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"httpd", pkgver:"2.2.14", pkgarch:"i486", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"httpd", pkgver:"2.2.14", pkgarch:"x86_64", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyWeb Servers
    NASL idAPACHE_2_2_14.NASL
    descriptionAccording to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.14. It is, therefore, potentially affected by multiple vulnerabilities : - Faulty error handling in the Solaris pollset support could lead to a denial of service. (CVE-2009-2699) - The
    last seen2020-06-01
    modified2020-06-02
    plugin id42052
    published2009-10-07
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42052
    titleApache 2.2.x < 2.2.14 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42052);
      script_cvs_date("Date: 2018/11/15 20:50:25");
      script_version("1.32");
    
      script_cve_id("CVE-2009-2699", "CVE-2009-3094", "CVE-2009-3095");
      script_bugtraq_id(36254, 36260, 36596);
      script_xref(name:"Secunia", value:"36549");
    
      script_name(english:"Apache 2.2.x < 2.2.14 Multiple Vulnerabilities");
      script_summary(english:"Checks version in Server response header.");
    
      script_set_attribute(attribute:"synopsis", value:
        "The remote web server is affected by multiple vulnerabilities."
      );
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of Apache 2.2.x running on the 
    remote host is prior to 2.2.14. It is, therefore, potentially affected
    by multiple vulnerabilities :
    
      - Faulty error handling in the Solaris pollset support 
        could lead to a denial of service. (CVE-2009-2699)
    
      - The 'mod_proxy_ftp' module allows remote attackers to 
        bypass intended access restrictions. (CVE-2009-3095)
    
      - The 'ap_proxy_ftp_handler' function in 
        'modules/proxy/proxy_ftp.c' in the 'mod_proxy_ftp' 
        module allows remote FTP servers to cause a 
        denial of service. (CVE-2009-3094)
    
    Note that the remote web server may not actually be affected by these
    vulnerabilities as Nessus did not try to determine whether the affected
    modules are in use or check for the issues themselves."  );
    
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/17947");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/17959");
      # http://web.archive.org/web/20100106104919/http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0154
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e470f137");
      script_set_attribute(attribute:"see_also", value:"https://bz.apache.org/bugzilla/show_bug.cgi?id=47645");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c34c4eda");
    
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache version 2.2.14 or later. Alternatively, ensure that
    the affected modules are not in use.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(119, 264);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/10/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/10/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/07");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("apache_http_version.nasl");
      script_require_keys("installed_sw/Apache");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("http.inc");
    include("misc_func.inc");
    include("audit.inc");
    include("install_func.inc");
    
    get_install_count(app_name:"Apache", exit_if_zero:TRUE);
    port = get_http_port(default:80);
    install = get_single_install(app_name:"Apache", port:port, exit_if_unknown_ver:TRUE);
    
    # Check if we could get a version first, then check if it was
    # backported
    version = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1);
    backported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1);
    
    if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "Apache");
    source = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);
    
    # Check if the version looks like either ServerTokens Major/Minor
    # was used
    if (version =~ '^2(\\.2)?$') exit(1, "The banner from the Apache server listening on port "+port+" - "+source+" - is not granular enough to make a determination.");
    if (version !~ "^\d+(\.\d+)*$") exit(1, "The version of Apache listening on port " + port + " - " + version + " - is non-numeric and, therefore, cannot be used to make a determination.");
    if (version =~ '^2\\.2' && ver_compare(ver:version, fix:'2.2.14') == -1)
    {
      if (report_verbosity > 0)
      {
        report = 
          '\n  Version source    : ' + source +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 2.2.14\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "Apache", port, install["version"]);
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-1579.NASL
    descriptionUpdated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id42469
    published2009-11-12
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42469
    titleRHEL 3 / 5 : httpd (RHSA-2009:1579)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2009:1579. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42469);
      script_version ("1.29");
      script_cvs_date("Date: 2019/10/25 13:36:14");
    
      script_cve_id("CVE-2009-3094", "CVE-2009-3095", "CVE-2009-3555");
      script_bugtraq_id(36254, 36260, 36935);
      script_xref(name:"RHSA", value:"2009:1579");
    
      script_name(english:"RHEL 3 / 5 : httpd (RHSA-2009:1579)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated httpd packages that fix multiple security issues are now
    available for Red Hat Enterprise Linux 3 and 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Apache HTTP Server is a popular Web server.
    
    A flaw was found in the way the TLS/SSL (Transport Layer
    Security/Secure Sockets Layer) protocols handle session renegotiation.
    A man-in-the-middle attacker could use this flaw to prefix arbitrary
    plain text to a client's session (for example, an HTTPS connection to
    a website). This could force the server to process an attacker's
    request as if authenticated using the victim's credentials. This
    update partially mitigates this flaw for SSL sessions to HTTP servers
    using mod_ssl by rejecting client-requested renegotiation.
    (CVE-2009-3555)
    
    Note: This update does not fully resolve the issue for HTTPS servers.
    An attack is still possible in configurations that require a
    server-initiated renegotiation. Refer to the following Knowledgebase
    article for further information:
    http://kbase.redhat.com/faq/docs/DOC-20491
    
    A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp
    module. A malicious FTP server to which requests are being proxied
    could use this flaw to crash an httpd child process via a malformed
    reply to the EPSV or PASV commands, resulting in a limited denial of
    service. (CVE-2009-3094)
    
    A second flaw was found in the Apache mod_proxy_ftp module. In a
    reverse proxy configuration, a remote attacker could use this flaw to
    bypass intended access restrictions by creating a carefully-crafted
    HTTP Authorization header, allowing the attacker to send arbitrary
    commands to the FTP server. (CVE-2009-3095)
    
    All httpd users should upgrade to these updated packages, which
    contain backported patches to correct these issues. After installing
    the updated packages, the httpd daemon must be restarted for the
    update to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-3094"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-3095"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2009-3555"
      );
      # http://kbase.redhat.com/faq/docs/DOC-20491
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/20490"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2009:1579"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(119, 264, 310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/09/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x / 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2009:1579";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"httpd-2.0.46-77.ent")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"httpd-devel-2.0.46-77.ent")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"mod_ssl-2.0.46-77.ent")) flag++;
    
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"httpd-2.2.3-31.el5_4.2")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"httpd-2.2.3-31.el5_4.2")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"httpd-2.2.3-31.el5_4.2")) flag++;
    
      if (rpm_check(release:"RHEL5", reference:"httpd-devel-2.2.3-31.el5_4.2")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"httpd-manual-2.2.3-31.el5_4.2")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"httpd-manual-2.2.3-31.el5_4.2")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"httpd-manual-2.2.3-31.el5_4.2")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"mod_ssl-2.2.3-31.el5_4.2")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"mod_ssl-2.2.3-31.el5_4.2")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"mod_ssl-2.2.3-31.el5_4.2")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-devel / httpd-manual / mod_ssl");
      }
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_APACHE2-091020.NASL
    descriptionThis update of the Apache webserver fixes various security issues : - the option IncludesNOEXEC could be bypassed via .htaccess (CVE-2009-1195) - mod_proxy could run into an infinite loop when used as reverse proxy (CVE-2009-1890) - mod_deflate continued to compress large files even after a network connection was closed, causing mod_deflate to consume large amounts of CPU (CVE-2009-1891) - The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. (CVE-2009-3094) - access restriction bypass in mod_proxy_ftp module (CVE-2009-3095)
    last seen2020-06-01
    modified2020-06-02
    plugin id42245
    published2009-10-26
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42245
    titleopenSUSE Security Update : apache2 (apache2-1419)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update apache2-1419.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42245);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:33");
    
      script_cve_id("CVE-2009-1195", "CVE-2009-1890", "CVE-2009-1891", "CVE-2009-3094", "CVE-2009-3095");
    
      script_name(english:"openSUSE Security Update : apache2 (apache2-1419)");
      script_summary(english:"Check for the apache2-1419 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of the Apache webserver fixes various security issues :
    
      - the option IncludesNOEXEC could be bypassed via
        .htaccess (CVE-2009-1195) 
    
      - mod_proxy could run into an infinite loop when used as
        reverse proxy (CVE-2009-1890) 
    
      - mod_deflate continued to compress large files even after
        a network connection was closed, causing mod_deflate to
        consume large amounts of CPU (CVE-2009-1891)
    
      - The ap_proxy_ftp_handler function in
        modules/proxy/proxy_ftp.c in the mod_proxy_ftp module
        allows remote FTP servers to cause a denial of service
        (NULL pointer dereference and child process crash) via a
        malformed reply to an EPSV command. (CVE-2009-3094)
    
      - access restriction bypass in mod_proxy_ftp module
        (CVE-2009-3095)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=512583"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=513080"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=519194"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=521906"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=538322"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=539571"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(16, 119, 189, 264, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-example-pages");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-prefork");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-worker");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/05/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/10/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-2.2.8-28.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-devel-2.2.8-28.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-example-pages-2.2.8-28.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-prefork-2.2.8-28.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-utils-2.2.8-28.8") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-worker-2.2.8-28.8") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-12604.NASL
    descriptionThis update contains the latest stable release of Apache httpd. Three security fixes are included, along with several minor bug fixes. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id43090
    published2009-12-10
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43090
    titleFedora 10 : httpd-2.2.14-1.fc10 (2009-12604)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2009-12604.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43090);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:29");
    
      script_cve_id("CVE-2009-3094", "CVE-2009-3095", "CVE-2009-3555");
      script_bugtraq_id(36254, 36260, 36935);
      script_xref(name:"FEDORA", value:"2009-12604");
    
      script_name(english:"Fedora 10 : httpd-2.2.14-1.fc10 (2009-12604)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update contains the latest stable release of Apache httpd. Three
    security fixes are included, along with several minor bug fixes. A
    flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
    Sockets Layer) protocols handle session renegotiation. A
    man-in-the-middle attacker could use this flaw to prefix arbitrary
    plain text to a client's session (for example, an HTTPS connection to
    a website). This could force the server to process an attacker's
    request as if authenticated using the victim's credentials. This
    update partially mitigates this flaw for SSL sessions to HTTP servers
    using mod_ssl by rejecting client-requested renegotiation.
    (CVE-2009-3555) Note: This update does not fully resolve the issue for
    HTTPS servers. An attack is still possible in configurations that
    require a server-initiated renegotiation A NULL pointer dereference
    flaw was found in the Apache mod_proxy_ftp module. A malicious FTP
    server to which requests are being proxied could use this flaw to
    crash an httpd child process via a malformed reply to the EPSV or PASV
    commands, resulting in a limited denial of service. (CVE-2009-3094) A
    second flaw was found in the Apache mod_proxy_ftp module. In a reverse
    proxy configuration, a remote attacker could use this flaw to bypass
    intended access restrictions by creating a carefully-crafted HTTP
    Authorization header, allowing the attacker to send arbitrary commands
    to the FTP server. (CVE-2009-3095) See the upstream changes file for
    further information: http://www.apache.org/dist/httpd/CHANGES_2.2.14
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.apache.org/dist/httpd/CHANGES_2.2.14"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=521619"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=522209"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2009-December/032454.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?52dbbad6"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected httpd package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(119, 264, 310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:httpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC10", reference:"httpd-2.2.14-1.fc10")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12526.NASL
    descriptionThis update of the Apache webserver fixes various security issues : - mod_proxy could run into an infinite loop when used as reverse proxy. (CVE-2009-1890) - mod_deflate continued to compress large files even after a network connection was closed, causing mod_deflate to consume large amounts of CPU. (CVE-2009-1891) - The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. (CVE-2009-3094) - access restriction bypass in mod_proxy_ftp module. (CVE-2009-3095)
    last seen2020-06-01
    modified2020-06-02
    plugin id42243
    published2009-10-26
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42243
    titleSuSE9 Security Update : Apache 2 (YOU Patch Number 12526)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42243);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:33");
    
      script_cve_id("CVE-2009-1890", "CVE-2009-1891", "CVE-2009-3094", "CVE-2009-3095");
    
      script_name(english:"SuSE9 Security Update : Apache 2 (YOU Patch Number 12526)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of the Apache webserver fixes various security issues :
    
      - mod_proxy could run into an infinite loop when used as
        reverse proxy. (CVE-2009-1890) 
    
      - mod_deflate continued to compress large files even after
        a network connection was closed, causing mod_deflate to
        consume large amounts of CPU. (CVE-2009-1891)
    
      - The ap_proxy_ftp_handler function in
        modules/proxy/proxy_ftp.c in the mod_proxy_ftp module
        allows remote FTP servers to cause a denial of service
        (NULL pointer dereference and child process crash) via a
        malformed reply to an EPSV command. (CVE-2009-3094)
    
      - access restriction bypass in mod_proxy_ftp module.
        (CVE-2009-3095)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1890.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1891.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-3094.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-3095.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12526.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(119, 189, 264, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/10/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"apache2-2.0.59-1.14")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-devel-2.0.59-1.14")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-doc-2.0.59-1.14")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-example-pages-2.0.59-1.14")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-prefork-2.0.59-1.14")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-worker-2.0.59-1.14")) flag++;
    if (rpm_check(release:"SUSE9", reference:"libapr0-2.0.59-1.14")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2009-1580.NASL
    descriptionFrom Red Hat Security Advisory 2009:1580 : Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id67959
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67959
    titleOracle Linux 4 : httpd (ELSA-2009-1580)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2009:1580 and 
    # Oracle Linux Security Advisory ELSA-2009-1580 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67959);
      script_version("1.16");
      script_cvs_date("Date: 2019/10/25 13:36:08");
    
      script_cve_id("CVE-2009-1891", "CVE-2009-3094", "CVE-2009-3095", "CVE-2009-3555");
      script_bugtraq_id(35623, 36254, 36260, 36935);
      script_xref(name:"RHSA", value:"2009:1580");
    
      script_name(english:"Oracle Linux 4 : httpd (ELSA-2009-1580)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2009:1580 :
    
    Updated httpd packages that fix multiple security issues are now
    available for Red Hat Enterprise Linux 4.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Apache HTTP Server is a popular Web server.
    
    A flaw was found in the way the TLS/SSL (Transport Layer
    Security/Secure Sockets Layer) protocols handle session renegotiation.
    A man-in-the-middle attacker could use this flaw to prefix arbitrary
    plain text to a client's session (for example, an HTTPS connection to
    a website). This could force the server to process an attacker's
    request as if authenticated using the victim's credentials. This
    update partially mitigates this flaw for SSL sessions to HTTP servers
    using mod_ssl by rejecting client-requested renegotiation.
    (CVE-2009-3555)
    
    Note: This update does not fully resolve the issue for HTTPS servers.
    An attack is still possible in configurations that require a
    server-initiated renegotiation. Refer to the following Knowledgebase
    article for further information:
    http://kbase.redhat.com/faq/docs/DOC-20491
    
    A denial of service flaw was found in the Apache mod_deflate module.
    This module continued to compress large files until compression was
    complete, even if the network connection that requested the content
    was closed before compression completed. This would cause mod_deflate
    to consume large amounts of CPU if mod_deflate was enabled for a large
    file. (CVE-2009-1891)
    
    A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp
    module. A malicious FTP server to which requests are being proxied
    could use this flaw to crash an httpd child process via a malformed
    reply to the EPSV or PASV commands, resulting in a limited denial of
    service. (CVE-2009-3094)
    
    A second flaw was found in the Apache mod_proxy_ftp module. In a
    reverse proxy configuration, a remote attacker could use this flaw to
    bypass intended access restrictions by creating a carefully-crafted
    HTTP Authorization header, allowing the attacker to send arbitrary
    commands to the FTP server. (CVE-2009-3095)
    
    All httpd users should upgrade to these updated packages, which
    contain backported patches to correct these issues. After installing
    the updated packages, the httpd daemon must be restarted for the
    update to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2009-November/001244.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected httpd packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(119, 264, 310, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-suexec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mod_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL4", reference:"httpd-2.0.52-41.ent.6.0.1")) flag++;
    if (rpm_check(release:"EL4", reference:"httpd-devel-2.0.52-41.ent.6.0.1")) flag++;
    if (rpm_check(release:"EL4", reference:"httpd-manual-2.0.52-41.ent.6.0.1")) flag++;
    if (rpm_check(release:"EL4", reference:"httpd-suexec-2.0.52-41.ent.6.0.1")) flag++;
    if (rpm_check(release:"EL4", reference:"mod_ssl-2.0.52-41.ent.6.0.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-devel / httpd-manual / httpd-suexec / mod_ssl");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1934.NASL
    descriptionA design flaw has been found in the TLS and SSL protocol that allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection. The attack is related to the way how TLS and SSL handle session renegotiations. CVE-2009-3555 has been assigned to this vulnerability. As a partial mitigation against this attack, this apache2 update disables client-initiated renegotiations. This should fix the vulnerability for the majority of Apache configurations in use. NOTE: This is not a complete fix for the problem. The attack is still possible in configurations where the server initiates the renegotiation. This is the case for the following configurations (the information in the changelog of the updated packages is slightly inaccurate) : - The
    last seen2020-06-01
    modified2020-06-02
    plugin id44799
    published2010-02-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44799
    titleDebian DSA-1934-1 : apache2 - multiple issues
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1934. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44799);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      script_cve_id("CVE-2009-3094", "CVE-2009-3095", "CVE-2009-3555");
      script_bugtraq_id(36254, 36260, 36935);
      script_xref(name:"DSA", value:"1934");
    
      script_name(english:"Debian DSA-1934-1 : apache2 - multiple issues");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A design flaw has been found in the TLS and SSL protocol that allows
    an attacker to inject arbitrary content at the beginning of a TLS/SSL
    connection. The attack is related to the way how TLS and SSL handle
    session renegotiations. CVE-2009-3555 has been assigned to this
    vulnerability.
    
    As a partial mitigation against this attack, this apache2 update
    disables client-initiated renegotiations. This should fix the
    vulnerability for the majority of Apache configurations in use.
    
    NOTE: This is not a complete fix for the problem. The attack is still
    possible in configurations where the server initiates the
    renegotiation. This is the case for the following configurations (the
    information in the changelog of the updated packages is slightly
    inaccurate) :
    
      - The 'SSLVerifyClient' directive is used in a Directory
        or Location context.
      - The 'SSLCipherSuite' directive is used in a Directory or
        Location context.
    
    As a workaround, you may rearrange your configuration in a way that
    SSLVerifyClient and SSLCipherSuite are only used on the server or
    virtual host level.
    
    
    A complete fix for the problem will require a protocol change. Further
    information will be included in a separate announcement about this
    issue.
    
    In addition, this update fixes the following issues in Apache's
    mod_proxy_ftp :
    
      - CVE-2009-3094
        Insufficient input validation in the mod_proxy_ftp
        module allowed remote FTP servers to cause a denial of
        service (NULL pointer dereference and child process
        crash) via a malformed reply to an EPSV command.
    
      - CVE-2009-3095
        Insufficient input validation in the mod_proxy_ftp
        module allowed remote authenticated attackers to bypass
        intended access restrictions and send arbitrary FTP
        commands to an FTP server."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2009-3555"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2009-3094"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2009-3095"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1934"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the apache2 and apache2-mpm-itk packages.
    
    For the oldstable distribution (etch), these problems have been fixed
    in version 2.2.3-4+etch11.
    
    For the stable distribution (lenny), these problems have been fixed in
    version 2.2.9-10+lenny6. This version also includes some non-security
    bug fixes that were scheduled for inclusion in the next stable point
    release (Debian 5.0.4).
    
    This advisory also provides updated apache2-mpm-itk packages which
    have been recompiled against the new apache2 packages.
    
    Updated apache2-mpm-itk packages for the armel architecture are not
    included yet. They will be released as soon as they become available."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(119, 264, 310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:apache2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"apache2", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2-doc", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2-mpm-event", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2-mpm-itk", reference:"2.2.3-01-2+etch4+b1")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2-mpm-perchild", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2-mpm-prefork", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2-mpm-worker", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2-prefork-dev", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2-src", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2-threaded-dev", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2-utils", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"4.0", prefix:"apache2.2-common", reference:"2.2.3-4+etch11")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-dbg", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-doc", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-mpm-event", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-mpm-itk", reference:"2.2.6-02-1+lenny2+b2")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-mpm-prefork", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-mpm-worker", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-prefork-dev", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-src", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-suexec", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-suexec-custom", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-threaded-dev", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2-utils", reference:"2.2.9-10+lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"apache2.2-common", reference:"2.2.9-10+lenny6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20091111_HTTPD_ON_SL3_X.NASL
    descriptionCVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate CVE-2009-3094 httpd: NULL pointer defer in mod_proxy_ftp caused by crafted EPSV and PASV reply CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header CVE-2009-3555 TLS: MITM attacks via session renegotiation A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id60695
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60695
    titleScientific Linux Security Update : httpd on SL3.x, SL4.x, SL5.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(60695);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:18");
    
      script_cve_id("CVE-2009-1891", "CVE-2009-3094", "CVE-2009-3095", "CVE-2009-3555");
    
      script_name(english:"Scientific Linux Security Update : httpd on SL3.x, SL4.x, SL5.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in
    mod_deflate
    
    CVE-2009-3094 httpd: NULL pointer defer in mod_proxy_ftp caused by
    crafted EPSV and PASV reply
    
    CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via
    Authorization HTTP header
    
    CVE-2009-3555 TLS: MITM attacks via session renegotiation
    
    A flaw was found in the way the TLS/SSL (Transport Layer
    Security/Secure Sockets Layer) protocols handle session renegotiation.
    A man-in-the-middle attacker could use this flaw to prefix arbitrary
    plain text to a client's session (for example, an HTTPS connection to
    a website). This could force the server to process an attacker's
    request as if authenticated using the victim's credentials. This
    update partially mitigates this flaw for SSL sessions to HTTP servers
    using mod_ssl by rejecting client-requested renegotiation.
    (CVE-2009-3555)
    
    Note: This update does not fully resolve the issue for HTTPS servers.
    An attack is still possible in configurations that require a
    server-initiated renegotiation. Refer to the following Knowledgebase
    article for further information:
    http://kbase.redhat.com/faq/docs/DOC-20491
    
    A denial of service flaw was found in the Apache mod_deflate module.
    This module continued to compress large files until compression was
    complete, even if the network connection that requested the content
    was closed before compression completed. This would cause mod_deflate
    to consume large amounts of CPU if mod_deflate was enabled for a large
    file. (CVE-2009-1891) - SL4 only
    
    A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp
    module. A malicious FTP server to which requests are being proxied
    could use this flaw to crash an httpd child process via a malformed
    reply to the EPSV or PASV commands, resulting in a limited denial of
    service. (CVE-2009-3094)
    
    A second flaw was found in the Apache mod_proxy_ftp module. In a
    reverse proxy configuration, a remote attacker could use this flaw to
    bypass intended access restrictions by creating a carefully-crafted
    HTTP Authorization header, allowing the attacker to send arbitrary
    commands to the FTP server. (CVE-2009-3095)
    
    After installing the updated packages, the httpd daemon must be
    restarted for the update to take effect."
      );
      # http://kbase.redhat.com/faq/docs/DOC-20491
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/20490"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0911&L=scientific-linux-errata&T=0&P=1958
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a32339d7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(119, 264, 310, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL3", reference:"httpd-2.0.46-77.sl3")) flag++;
    if (rpm_check(release:"SL3", reference:"httpd-devel-2.0.46-77.sl3")) flag++;
    if (rpm_check(release:"SL3", reference:"mod_ssl-2.0.46-77.sl3")) flag++;
    
    if (rpm_check(release:"SL4", reference:"httpd-2.0.52-41.sl4.6")) flag++;
    if (rpm_check(release:"SL4", reference:"httpd-devel-2.0.52-41.sl4.6")) flag++;
    if (rpm_check(release:"SL4", reference:"httpd-manual-2.0.52-41.sl4.6")) flag++;
    if (rpm_check(release:"SL4", reference:"httpd-suexec-2.0.52-41.sl4.6")) flag++;
    if (rpm_check(release:"SL4", reference:"mod_ssl-2.0.52-41.sl4.6")) flag++;
    
    if (rpm_check(release:"SL5", reference:"httpd-2.2.3-31.sl5.2")) flag++;
    if (rpm_check(release:"SL5", reference:"httpd-devel-2.2.3-31.sl5.2")) flag++;
    if (rpm_check(release:"SL5", reference:"httpd-manual-2.2.3-31.sl5.2")) flag++;
    if (rpm_check(release:"SL5", reference:"mod_ssl-2.2.3-31.sl5.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_APACHE2-091020.NASL
    descriptionThis update of the Apache webserver fixes various security issues : - the option IncludesNOEXEC could be bypassed via .htaccess. (CVE-2009-1195) - mod_proxy could run into an infinite loop when used as reverse proxy. (CVE-2009-1890) - mod_deflate continued to compress large files even after a network connection was closed, causing mod_deflate to consume large amounts of CPU. (CVE-2009-1891) - The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. (CVE-2009-3094) - access restriction bypass in mod_proxy_ftp module (CVE-2009-3095)
    last seen2020-06-01
    modified2020-06-02
    plugin id42252
    published2009-10-26
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42252
    titleSuSE 11 Security Update : Apache 2 (SAT Patch Number 1417)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-1579.NASL
    descriptionUpdated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id67073
    published2013-06-29
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67073
    titleCentOS 3 / 5 : httpd (CESA-2009:1579)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-323.NASL
    descriptionMultiple vulnerabilities has been found and corrected in apache : Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm (CVE-2008-1678). Note that this security issue does not really apply as zlib compression is not enabled in the openssl build provided by Mandriva, but apache is patched to address this issue anyway (conserns 2008.1 only). mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request (CVE-2009-1191). Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this security issue was initially addressed with MDVSA-2008:195 but the patch fixing the issue was added but not applied in 2009.0. The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file (CVE-2009-1195). The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests (CVE-2009-1890). Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects (CVE-2009-1891). The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command (CVE-2009-3094). The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes (CVE-2009-3095). Apache is affected by SSL injection or man-in-the-middle attacks due to a design flaw in the SSL and/or TLS protocols. A short term solution was released Sat Nov 07 2009 by the ASF team to mitigate these problems. Apache will now reject in-session renegotiation (CVE-2009-3555). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides a solution to these vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id43042
    published2009-12-08
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43042
    titleMandriva Linux Security Advisory : apache (MDVSA-2009:323)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-1580.NASL
    descriptionUpdated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id67074
    published2013-06-29
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67074
    titleCentOS 4 : httpd (CESA-2009:1580)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_APACHE2-6572.NASL
    descriptionThis update of the Apache webserver fixes various security issues : - the option IncludesNOEXEC could be bypassed via .htaccess. (CVE-2009-1195) - mod_proxy could run into an infinite loop when used as reverse proxy. (CVE-2009-1890) - mod_deflate continued to compress large files even after a network connection was closed, causing mod_deflate to consume large amounts of CPU. (CVE-2009-1891) - The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. (CVE-2009-3094) - access restriction bypass in mod_proxy_ftp module. (CVE-2009-3095) Also a incompatibility between mod_cache and mod_rewrite was fixed.
    last seen2020-06-01
    modified2020-06-02
    plugin id49826
    published2010-10-11
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/49826
    titleSuSE 10 Security Update : Apache 2 (ZYPP Patch Number 6572)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-12747.NASL
    descriptionThis update contains the latest stable release of Apache httpd. Three security fixes are included, along with several minor bug fixes. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id47168
    published2010-07-01
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/47168
    titleFedora 11 : httpd-2.2.14-1.fc11 (2009-12747)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_APACHE2-091020.NASL
    descriptionThis update of the Apache webserver fixes various security issues : - the option IncludesNOEXEC could be bypassed via .htaccess (CVE-2009-1195) - mod_proxy could run into an infinite loop when used as reverse proxy (CVE-2009-1890) - mod_deflate continued to compress large files even after a network connection was closed, causing mod_deflate to consume large amounts of CPU (CVE-2009-1891) - The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. (CVE-2009-3094) - access restriction bypass in mod_proxy_ftp module (CVE-2009-3095)
    last seen2020-06-01
    modified2020-06-02
    plugin id42248
    published2009-10-26
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42248
    titleopenSUSE Security Update : apache2 (apache2-1419)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_APACHE2-6576.NASL
    descriptionThis update of the Apache webserver fixes various security issues : - the option IncludesNOEXEC could be bypassed via .htaccess (CVE-2009-1195) - mod_proxy could run into an infinite loop when used as reverse proxy (CVE-2009-1890) - mod_deflate continued to compress large files even after a network connection was closed, causing mod_deflate to consume large amounts of CPU (CVE-2009-1891) - The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. (CVE-2009-3094) - access restriction bypass in mod_proxy_ftp module (CVE-2009-3095)
    last seen2020-06-01
    modified2020-06-02
    plugin id42319
    published2009-10-30
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42319
    titleopenSUSE 10 Security Update : apache2 (apache2-6576)
  • NASL familyWeb Servers
    NASL idAPACHE_2_0_64.NASL
    descriptionAccording to its banner, the version of Apache 2.0.x running on the remote host is prior to 2.0.64. It is, therefore, affected by the following vulnerabilities : - An unspecified error exists in the handling of requests without a path segment. (CVE-2010-1452) - Several modules, including
    last seen2020-06-01
    modified2020-06-02
    plugin id50069
    published2010-10-20
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50069
    titleApache 2.0.x < 2.0.64 Multiple Vulnerabilities
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2009-1579.NASL
    descriptionFrom Red Hat Security Advisory 2009:1579 : Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id67958
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67958
    titleOracle Linux 3 / 5 : httpd (ELSA-2009-1579)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-240.NASL
    descriptionMultiple vulnerabilities was discovered and corrected in apache : The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command (CVE-2009-3094). The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes (CVE-2009-3095). This update provides a solution to these vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id41049
    published2009-09-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/41049
    titleMandriva Linux Security Advisory : apache (MDVSA-2009:240)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_APACHE2-6571.NASL
    descriptionThis update of the Apache webserver fixes various security issues : - the option IncludesNOEXEC could be bypassed via .htaccess. (CVE-2009-1195) - mod_proxy could run into an infinite loop when used as reverse proxy. (CVE-2009-1890) - mod_deflate continued to compress large files even after a network connection was closed, causing mod_deflate to consume large amounts of CPU. (CVE-2009-1891) - The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. (CVE-2009-3094) - access restriction bypass in mod_proxy_ftp module. (CVE-2009-3095) Also a incompatibility between mod_cache and mod_rewrite was fixed.
    last seen2020-06-01
    modified2020-06-02
    plugin id42253
    published2009-10-26
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42253
    titleSuSE 10 Security Update : Apache 2 (ZYPP Patch Number 6571)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-860-1.NASL
    descriptionMarsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user
    last seen2020-06-01
    modified2020-06-02
    plugin id42858
    published2009-11-19
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42858
    titleUbuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : apache2 vulnerabilities (USN-860-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-12606.NASL
    descriptionThis update contains the latest stable release of Apache httpd. Three security fixes are included, along with several minor bug fixes. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client
    last seen2020-06-01
    modified2020-06-02
    plugin id43329
    published2009-12-18
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43329
    titleFedora 12 : httpd-2.2.14-1.fc12 (2009-12606)

Oval

  • accepted2013-04-29T04:10:26.972-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
      ovaloval:org.mitre.oval:def:11414
    • commentThe operating system installed on the system is CentOS Linux 5.x
      ovaloval:org.mitre.oval:def:15802
    • commentOracle Linux 5.x
      ovaloval:org.mitre.oval:def:15459
    descriptionThe ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.
    familyunix
    idoval:org.mitre.oval:def:10981
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleThe ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.
    version27
  • accepted2014-07-14T04:01:28.723-04:00
    classvulnerability
    contributors
    • nameJ. Daniel Brown
      organizationDTCC
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    • commentApache HTTP Server 2.0.x is installed on the system
      ovaloval:org.mitre.oval:def:8605
    • commentApache HTTP Server 2.2.x is installed on the system
      ovaloval:org.mitre.oval:def:8550
    descriptionThe ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.
    familywindows
    idoval:org.mitre.oval:def:8087
    statusaccepted
    submitted2010-03-08T17:30:00.000-05:00
    titleApache mod_proxy_ftp Module Insufficient Input Validation Denial Of Service Vulnerability
    version12

Redhat

rpms
  • httpd-0:2.2.13-2.el5s2
  • httpd-debuginfo-0:2.2.13-2.el5s2
  • httpd-devel-0:2.2.13-2.el5s2
  • httpd-manual-0:2.2.13-2.el5s2
  • mod_ssl-1:2.2.13-2.el5s2
  • mysql-0:5.0.84-2.el5s2
  • mysql-bench-0:5.0.84-2.el5s2
  • mysql-cluster-0:5.0.84-2.el5s2
  • mysql-debuginfo-0:5.0.84-2.el5s2
  • mysql-devel-0:5.0.84-2.el5s2
  • mysql-libs-0:5.0.84-2.el5s2
  • mysql-server-0:5.0.84-2.el5s2
  • mysql-test-0:5.0.84-2.el5s2
  • perl-DBD-MySQL-0:4.012-1.el5s2
  • perl-DBD-MySQL-debuginfo-0:4.012-1.el5s2
  • perl-DBI-0:1.609-1.el5s2
  • perl-DBI-debuginfo-0:1.609-1.el5s2
  • php-0:5.2.10-1.el5s2
  • php-bcmath-0:5.2.10-1.el5s2
  • php-cli-0:5.2.10-1.el5s2
  • php-common-0:5.2.10-1.el5s2
  • php-dba-0:5.2.10-1.el5s2
  • php-debuginfo-0:5.2.10-1.el5s2
  • php-devel-0:5.2.10-1.el5s2
  • php-gd-0:5.2.10-1.el5s2
  • php-imap-0:5.2.10-1.el5s2
  • php-ldap-0:5.2.10-1.el5s2
  • php-mbstring-0:5.2.10-1.el5s2
  • php-mysql-0:5.2.10-1.el5s2
  • php-ncurses-0:5.2.10-1.el5s2
  • php-odbc-0:5.2.10-1.el5s2
  • php-pdo-0:5.2.10-1.el5s2
  • php-pear-1:1.8.1-2.el5s2
  • php-pgsql-0:5.2.10-1.el5s2
  • php-snmp-0:5.2.10-1.el5s2
  • php-soap-0:5.2.10-1.el5s2
  • php-xml-0:5.2.10-1.el5s2
  • php-xmlrpc-0:5.2.10-1.el5s2
  • postgresql-0:8.2.14-1.el5s2
  • postgresql-contrib-0:8.2.14-1.el5s2
  • postgresql-debuginfo-0:8.2.14-1.el5s2
  • postgresql-devel-0:8.2.14-1.el5s2
  • postgresql-docs-0:8.2.14-1.el5s2
  • postgresql-jdbc-0:8.2.510-1jpp.el5s2
  • postgresql-jdbc-debuginfo-0:8.2.510-1jpp.el5s2
  • postgresql-libs-0:8.2.14-1.el5s2
  • postgresql-plperl-0:8.2.14-1.el5s2
  • postgresql-plpython-0:8.2.14-1.el5s2
  • postgresql-pltcl-0:8.2.14-1.el5s2
  • postgresql-python-0:8.2.14-1.el5s2
  • postgresql-server-0:8.2.14-1.el5s2
  • postgresql-tcl-0:8.2.14-1.el5s2
  • postgresql-test-0:8.2.14-1.el5s2
  • httpd-0:2.0.46-77.ent
  • httpd-0:2.2.3-31.el5_4.2
  • httpd-debuginfo-0:2.0.46-77.ent
  • httpd-debuginfo-0:2.2.3-31.el5_4.2
  • httpd-devel-0:2.0.46-77.ent
  • httpd-devel-0:2.2.3-31.el5_4.2
  • httpd-manual-0:2.2.3-31.el5_4.2
  • mod_ssl-1:2.0.46-77.ent
  • mod_ssl-1:2.2.3-31.el5_4.2
  • httpd-0:2.0.52-41.ent.6
  • httpd-debuginfo-0:2.0.52-41.ent.6
  • httpd-devel-0:2.0.52-41.ent.6
  • httpd-manual-0:2.0.52-41.ent.6
  • httpd-suexec-0:2.0.52-41.ent.6
  • mod_ssl-1:2.0.52-41.ent.6
  • httpd-0:2.2.10-11.ep5.el5
  • httpd-debuginfo-0:2.2.10-11.ep5.el5
  • httpd-devel-0:2.2.10-11.ep5.el5
  • httpd-manual-0:2.2.10-11.ep5.el5
  • httpd22-0:2.2.10-25.1.ep5.el4
  • httpd22-apr-0:2.2.10-25.1.ep5.el4
  • httpd22-apr-devel-0:2.2.10-25.1.ep5.el4
  • httpd22-apr-util-0:2.2.10-25.1.ep5.el4
  • httpd22-apr-util-devel-0:2.2.10-25.1.ep5.el4
  • httpd22-debuginfo-0:2.2.10-25.1.ep5.el4
  • httpd22-devel-0:2.2.10-25.1.ep5.el4
  • mod_ssl-1:2.2.10-11.ep5.el5
  • mod_ssl22-1:2.2.10-25.1.ep5.el4
  • ant-0:1.6.5-1jpp_1rh
  • avalon-logkit-0:1.2-2jpp_4rh
  • axis-0:1.2.1-1jpp_3rh
  • classpathx-jaf-0:1.0-2jpp_6rh
  • classpathx-mail-0:1.1.1-2jpp_8rh
  • geronimo-ejb-2.1-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-1.4-apis-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-connector-1.5-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-deployment-1.1-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-management-1.0-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-jms-1.1-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-jsp-2.0-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-jta-1.0.1B-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-servlet-2.4-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-specs-0:1.0-0.M4.1jpp_10rh
  • geronimo-specs-javadoc-0:1.0-0.M4.1jpp_10rh
  • jakarta-commons-modeler-0:2.0-3jpp_2rh
  • log4j-0:1.2.12-1jpp_1rh
  • mx4j-1:3.0.1-1jpp_4rh
  • pcsc-lite-0:1.3.3-3.el4
  • pcsc-lite-debuginfo-0:1.3.3-3.el4
  • pcsc-lite-doc-0:1.3.3-3.el4
  • pcsc-lite-libs-0:1.3.3-3.el4
  • rhpki-ca-0:7.3.0-20.el4
  • rhpki-java-tools-0:7.3.0-10.el4
  • rhpki-kra-0:7.3.0-14.el4
  • rhpki-manage-0:7.3.0-19.el4
  • rhpki-native-tools-0:7.3.0-6.el4
  • rhpki-ocsp-0:7.3.0-13.el4
  • rhpki-tks-0:7.3.0-13.el4
  • tomcat5-0:5.5.23-0jpp_4rh.16
  • tomcat5-common-lib-0:5.5.23-0jpp_4rh.16
  • tomcat5-jasper-0:5.5.23-0jpp_4rh.16
  • tomcat5-jsp-2.0-api-0:5.5.23-0jpp_4rh.16
  • tomcat5-server-lib-0:5.5.23-0jpp_4rh.16
  • tomcat5-servlet-2.4-api-0:5.5.23-0jpp_4rh.16
  • xerces-j2-0:2.7.1-1jpp_1rh
  • xml-commons-0:1.3.02-2jpp_1rh
  • xml-commons-apis-0:1.3.02-2jpp_1rh

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:12673
    last seen2017-11-19
    modified2009-11-20
    published2009-11-20
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-12673
    titleapache2 vulnerabilities
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 36260 CVE ID: CVE-2009-3094 Apache HTTP Server是一款流行的Web服务器。 Apache的mod_proxy_ftp模块中modules/proxy/proxy_ftp.c文件的ap_proxy_ftp_handler函数中存在空指针引用漏洞,正在被代理的恶意FTP服务器可以通过发送特制的EPSV或PASV命令回复导致httpd子进程崩溃,造成有限的拒绝服务。 Apache Group Apache 2.2.x 厂商补丁: Apache Group ------------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.apache.org/dist/httpd/httpd-2.2.14.tar.gz RedHat ------ RedHat已经为此发布了一个安全公告(RHSA-2009:1579-02)以及相应补丁: RHSA-2009:1579-02:Moderate: httpd security update 链接:https://www.redhat.com/support/errata/RHSA-2009-1579.html
    idSSV:12628
    last seen2017-11-19
    modified2009-11-13
    published2009-11-13
    reporterRoot
    titleApache mod_proxy_ftp模块空指针引用拒绝服务漏洞

Statements

contributorTomas Hoger
lastmodified2009-11-12
organizationRed Hat
statementList of the errata fixing this flaw in affected products can be found at: https://www.redhat.com/security/data/cve/CVE-2009-3094.html

References