search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apache Web Server ap_log_rerror() function discloses full path to CGI script

Vulnerability Note VU#165803

Original Release Date: 2002-07-11 | Last Revised: 2002-07-11


There is a vulnerability in Apache 2.0 through 2.035 that could disclose the real path to a CGI script or other file.


A vulnerability in the Apache web server could disclose sensitive information. Quoting from the Apache Change Log:

*) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to explicitly tell the server that warning messages should be sent to the client in addition to being recorded in the error log. Prior to this change, ap_log_rerror() always sent warning messages to the client. In one case, a faulty CGI script caused the server to send a warning message to the client that contained the full path to the CGI script. This could be considered a minor security exposure. [Bill Stoddard]

This vulnerability may disclose sensitive information.


Sensitive information may be disclosed.


if you are running version 2.0, upgrade to Apache 2.036 or later.

Vendor Information

CVSS Metrics

Group Score Vector



Our thanks to the Apache group for their change log.

This document was written by Shawn V Hernan, based upon information in the Apache Change Log.

Other Information

CVE IDs: None
Severity Metric: 5.06
Date Public: 2002-05-06
Date First Published: 2002-07-11
Date Last Updated: 2002-07-11 21:16 UTC
Document Revision: 5

Sponsored by CISA.