Vulnerability Note VU#104555
Buffer Overflow in mod_ssl
Overview
A buffer overflow exists in mod_ssl.
I. Description
mod_ssl is an Apache module that allows secure connections over X.509 authenticated channels. A buffer overflow exists in the ssl_compat_directive() function. For more detailed information, please see the original vulnerability report.
II. Impact
A local attacker can execute arbitrary code with the privileges of the web server. Additionally, an attacker may be able to add bogus entries to multiple web server log files. An attacker may also be able to slow down or even stop the web server.
III. Solution
Apply a patch from your vendor.
Do not allow per-directory config files. To accomplish this, set the AllowOverride directive to "none" in the httpd.conf file. As a reminder, you must restart the web server for the changes to take effect.
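An added example (not part of the original note or of mod_ssl): a small Python check for the workaround above that lists every AllowOverride directive in an httpd.conf not set to None. The sample configuration is constructed, the function name is hypothetical, and files pulled in through Include are not followed.

```python
# Constructed sample httpd.conf content, for illustration only.
SAMPLE_CONF = """\
# global settings
ServerRoot "/usr/local/apache"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options Indexes
    AllowOverride AuthConfig Limit
</Directory>
<Directory "/usr/local/apache/cgi-bin">
    allowoverride all
</Directory>
"""

def audit_allowoverride(conf_text):
    """Return (line_no, enclosing_section, value) for each AllowOverride not set to None."""
    findings = []
    sections = []            # open <Section ...> lines, innermost last
    seen_directive = False
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue         # blank line or comment
        if line.startswith("</"):
            if sections:
                sections.pop()
            continue
        if line.startswith("<"):
            sections.append(line)
            continue
        words = line.split()
        if words[0].lower() != "allowoverride":   # directive names are case-insensitive
            continue
        seen_directive = True
        value = " ".join(words[1:])
        if value.lower() != "none":
            context = sections[-1] if sections else "server config"
            findings.append((line_no, context, value))
    if not seen_directive:
        # Apache releases before 2.3.9 default to AllowOverride All when it is unset.
        findings.append((0, "server config", "(unset)"))
    return findings

if __name__ == "__main__":
    for line_no, context, value in audit_allowoverride(SAMPLE_CONF):
        print(f"line {line_no}: AllowOverride {value} in {context}")
```

An empty result means every AllowOverride directive in the file is set to None; the web server still has to be restarted for a corrected file to take effect.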
Systems Affected
References
http://www.modssl.org/
http://www.securityfocus.com/bid/5084
http://online.securityfocus.com/archive/1/279074
http://marc.theaimsgroup.com/?l=apache-modssl&m=102491918531562
Credit
This vulnerability was discovered by Frank Denis.
This document was written by Ian A Finlay.
Other Information
| Date Public | 06/24/2002 |
| Date First Published | 04/17/2003 02:12:04 PM |
| Date Last Updated | 06/17/2003 |
| CERT Advisory | |
| CVE Name | CVE-2002-0653 |
| Metric | 23.62 |
| Document Revision | 34 |
If you have feedback, comments, or additional information about this vulnerability, please send us email.