SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#104555

Buffer Overflow in mod_ssl

Overview

A buffer overflow exists in mod_ssl.

I. Description

mod_ssl is an Apache module that allows secure connections over X.509 authenticated channels. A buffer overflow exists in the ssl_compat_directive() function. For more detailed information, please see the original vulnerability report.

II. Impact

A local attacker can execute arbitrary code with the privileges of the web server. Additionally, an attacker may be able to add bogus entries to multiple web server log files. An attacker may also be able to slow down or even stop the web server.

III. Solution

Apply a patch from your vendor.

Do not allow per-directory config files. To accomplish this, set the AllowOverride directive to "none" in the httpd.conf file. As a reminder, you must restart the web server for the changes to take effect.

Systems Affected

VendorStatusDate Updated
Apple Computer Inc.Vulnerable30-Apr-2003
ConectivaVulnerable8-Jul-2002
Data GeneralUnknown29-Apr-2003
DebianVulnerable30-Apr-2003
EngardeVulnerable17-Apr-2003
Extreme NetworksNot Vulnerable1-May-2003
Foundry Networks Inc.Not Vulnerable7-May-2003
Hewlett-Packard CompanyVulnerable17-Apr-2003
HitachiNot Vulnerable8-May-2003
IBMVulnerable17-Jun-2003
Ingrian NetworksNot Vulnerable2-May-2003
NeXTUnknown29-Apr-2003
Red Hat Inc.Vulnerable30-Apr-2003
SCOVulnerable17-Apr-2003
SGINot Vulnerable30-Apr-2003
Sun Microsystems Inc.Unknown8-May-2003
The mod_ssl projectVulnerable8-Jul-2002
Xerox CorporationNot Vulnerable30-May-2003

References


http://www.modssl.org/
http://www.securityfocus.com/bid/5084
http://online.securityfocus.com/archive/1/279074
http://marc.theaimsgroup.com/?l=apache-modssl&m=102491918531562

Credit

This vulnerability was discovered by Frank Denis.

This document was written by Ian A Finlay.

Other Information

Date Public06/24/2002
Date First Published04/17/2003 02:12:04 PM
Date Last Updated06/17/2003
CERT Advisory 
CVE NameCVE-2002-0653
US-CERT Technical Alerts 
Metric23.62
Document Revision34

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader