A buffer overflow exists in mod_ssl.
mod_ssl is an Apache module that allows secure connections over X.509 authenticated channels. A buffer overflow exists in the ssl_compat_directive() function. For more detailed information, please see the original vulnerability report.
A local attacker can execute arbitrary code with the privileges of the web server. Additionally, an attacker may be able to add bogus entries to multiple web server log files. An attacker may also be able to slow down or even stop the web server.
Apply a patch from your vendor.
Do not allow per-directory config files. To accomplish this, set the AllowOverride directive to "none" in the httpd.conf file. As a reminder, you must restart the web server for the changes to take effect.
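A check for the workaround above, as an added example that is not part of the original advisory: it scans Apache configuration text and reports every AllowOverride setting other than None, together with the enclosing Directory section. The function name and the sample configuration are constructed for illustration. Assumptions: files pulled in with Include are not followed, and a section with no AllowOverride line inherits its parent's setting or the server default, which this check does not evaluate.

```python
import re

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
# Global default: overrides off
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    AllowOverride AuthConfig FileInfo
</Directory>
<Directory /home/*/public_html>
    allowoverride All
</Directory>
"""

SECTION_OPEN = re.compile(r"<\s*Directory(?:Match)?\s+(.+?)\s*>$", re.I)
SECTION_CLOSE = re.compile(r"</\s*Directory(?:Match)?\s*>$", re.I)
DIRECTIVE = re.compile(r"AllowOverride\s+(.+)$", re.I)


def audit_allowoverride(conf_text):
    """Return (line_no, section, value) for each AllowOverride that is not None."""
    findings, stack = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or whole-line comment
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1).strip("\"'"))  # remember the section path
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        found = DIRECTIVE.match(line)
        if found:
            tokens = found.group(1).split()
            if [t.lower() for t in tokens] != ["none"]:  # anything but a lone None
                section = stack[-1] if stack else "(no section)"
                findings.append((line_no, section, " ".join(tokens)))
    return findings


if __name__ == "__main__":
    for line_no, section, value in audit_allowoverride(SAMPLE_CONF):
        print(f"line {line_no}: <Directory {section}> has AllowOverride {value}")
```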
Apple Computer Inc.
Red Hat Inc.
The mod_ssl project
Foundry Networks Inc.
Sun Microsystems Inc.
This vulnerability was discovered by Frank Denis.
This document was written by Ian A Finlay.
Date First Published: 2003-04-17
Date Last Updated: 2003-06-17 16:38 UTC