US-CERT
Vulnerability Notes Database

Vulnerability Note VU#910713

Apache discloses source code via POST requests to a location with WebDAV and CGI enabled

Overview

Apache contains an information leak that results from an interaction between WebDAV and CGI.

I. Description

Apache version 2.0.42 allows remote attackers to obtain the source code of CGI scripts that are stored in locations for which both CGI and WebDAV are enabled. When a POST request is sent to a CGI script on an affected server, this vulnerability will cause the source code of the script to be returned to the attacker.
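
The following is an added example, not part of the original advisory or of Apache's code: a small Python audit that scans an Apache configuration for locations where both WebDAV and CGI execution are enabled, which is the combination described above. The sample configuration, its paths and the function names are constructed for illustration; the parser assumes plain `<Directory>`/`<Location>` blocks plus `ScriptAlias`, and does not model a nested `Dav Off` or `Options -ExecCGI` override.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """
ServerName example.test
ScriptAlias /cgi-bin/ /srv/www/cgi-bin/
<Directory "/srv/www/share">
    Dav On
    Options +ExecCGI
</Directory>
<Directory "/srv/www/cgi-bin">
    Dav On
</Directory>
<Location /files>
    Dav On
</Location>
"""

OPEN = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Directory|Location)\s*>', re.I)

def covers(parent, path):
    """True if settings on `parent` also apply to `path` (prefix inheritance)."""
    return path == parent or path.startswith(parent + "/")

def audit(conf_text):
    """Return sorted paths where both WebDAV and CGI execution apply."""
    dav, cgi, current = set(), set(), None
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        opened = OPEN.match(raw.strip())
        if opened:
            current = opened.group(2).rstrip("/")
        elif CLOSE.match(raw.strip()):
            current = None
        else:
            name, args = words[0].lower(), [w.lower() for w in words[1:]]
            if name == "scriptalias" and len(words) == 3:
                # Simplification: URL and filesystem paths share one namespace.
                cgi.update(w.strip('"').rstrip("/") for w in words[1:])
            elif current is not None and name == "dav" and args[:1] not in ([], ["off"]):
                dav.add(current)
            elif current is not None and name == "options":
                if any(a.lstrip("+") in ("execcgi", "all") for a in args):
                    cgi.add(current)
    return sorted(p for p in dav | cgi
                  if any(covers(d, p) for d in dav) and any(covers(c, p) for c in cgi))
```
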

II. Impact

Remote attackers can obtain the source code of CGI scripts located on affected servers.

III. Solution

Apply a patch from your vendor

This vulnerability was addressed in Apache version 2.0.43, available at http://httpd.apache.org/download.cgi. For vendor-specific information regarding this issue, please see the Systems Affected section of this document.

Systems Affected

Vendor  Status  Date Notified  Date Updated
Apache  Vulnerable  29-Oct-2002
Hewlett-Packard Company  Vulnerable  19-Nov-2002

References


http://www.apacheweek.com/issues/02-10-04
http://www.apache.org/dist/httpd/CHANGES_2.0
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13025
http://www.securityfocus.com/bid/6065

Credit

This document was written by Jeffrey P. Lanza and is based upon information provided by Apache.org.

Other Information

Date Public: 2002-09-26
Date First Published: 2002-10-29
Date Last Updated: 2002-11-19
CERT Advisory: 
CVE-ID(s): CAN-2002-1156
NVD-ID(s): CAN-2002-1156
US-CERT Technical Alerts: 
Metric: 16.87
Document Revision: 11

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2002 Carnegie Mellon University