
[cobalt-security] apache vulnerability



   Does anyone know if the below vulnerability is exploitable on the Cobalt
Qube 2?  I know Apache on the Qube 2 is:
Server version: Apache/1.3.3 Cobalt (Unix)  (Red Hat/Linux)
Server built:   Nov 29 1999 16:27:01

Any other known exploits for that version of Apache?  Since Cobalt hasn't
seen fit to update Apache...

Quoting the SecurityFocus entry for this vulnerability:

A problem in the package could allow directory indexing, and path discovery.
In a default configuration, Apache enables mod_dir, mod_autoindex, and
mod_negotiation. However, by placing a custom crafted request to the Apache
server consisting of a long path name created artificially by using numerous
slashes, this can cause these modules to misbehave, making it possible to
escape the error page, and gain a listing of the directory contents.

This vulnerability makes it possible for a malicious remote user to launch
an information gathering attack, which could potentially result in
compromise of the system. Additionally, this vulnerability affects all
releases of Apache previous to 1.3.19.

This problem has been fixed in apache-ssl 1.3.9-13.3 and apache_1.3.9-14. We
recommend that you upgrade your packages immediately.
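
The following is an added example, not part of the original post or the quoted advisory: a defender-side check that compares a server banner against the 1.3.19 boundary the advisory gives, and scans Common Log Format access-log lines for requests whose path contains a long run of slashes. The threshold `SLASH_RUN`, the function names and the sample log lines are assumptions made for illustration.

```python
import re

FIXED_IN = (1, 3, 19)   # from the quoted advisory: releases before 1.3.19 are affected
SLASH_RUN = 50          # assumed detection threshold, not a value from the advisory

BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def banner_is_affected(banner):
    """True if the banner's Apache version is below 1.3.19; None if unparseable."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) < FIXED_IN


def suspicious_requests(log_lines, min_run=SLASH_RUN):
    """Return (client, status, longest_slash_run) for requests with long slash runs."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, _method, path, status = m.groups()
        path = path.split("?", 1)[0]  # only the path part matters here
        longest = max((len(r) for r in re.findall(r"/+", path)), default=0)
        if longest >= min_run:
            hits.append((client, int(status), longest))
    return hits


# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2001:10:00:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [10/Mar/2001:10:00:05 -0500] "GET /' + "/" * 120 + ' HTTP/1.0" 200 512',
    '198.51.100.7 - - [10/Mar/2001:10:00:06 -0500] "GET /' + "/" * 90 + ' HTTP/1.0" 403 210',
    '192.0.2.10 - - [10/Mar/2001:10:00:09 -0500] "GET /docs//a.html HTTP/1.0" 200 88',
]

if __name__ == "__main__":
    print(banner_is_affected("Server version: Apache/1.3.3 Cobalt (Unix)  (Red Hat/Linux)"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A banner comparison only reflects the upstream version string; the package versions named in the quoted advisory show that vendor builds numbered below 1.3.19 can already carry the fix. A flagged request that returned status 200 deserves a closer look than one that returned an error.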