Overview
There is a vulnerability in Apache 2.0 through 2.035 that could disclose the real path to a CGI script or other file.
Description
A vulnerability in the Apache web server could disclose sensitive information. Quoting from the Apache Change Log:

*) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to explicitly tell the server that warning messages should be sent to the client in addition to being recorded in the error log. Prior to this change, ap_log_rerror() always sent warning messages to the client. In one case, a faulty CGI script caused the server to send a warning message to the client that contained the full path to the CGI script. This could be considered a minor security exposure. [Bill Stoddard]
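A simplified model of the behaviour change the change log entry describes, added here as an illustration and not taken from the Apache source. The `request` struct, the `log_rerror_*` functions, the flag value and the script path are hypothetical stand-ins for ap_log_rerror() and APLOG_TOCLIENT.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins; these are not httpd's real definitions. */
#define LVL_WARNING   4
#define LVL_TOCLIENT  0x100   /* opt-in bit, modelled on APLOG_TOCLIENT */

struct request {
    char error_log[256];    /* what the administrator sees */
    char client_note[256];  /* text included in the response to the client */
};
typedef void (*logger_fn)(struct request *, int, const char *);

/* Before the fix: every message is logged and also sent to the client. */
static void log_rerror_legacy(struct request *r, int level, const char *msg)
{
    (void)level;
    snprintf(r->error_log, sizeof r->error_log, "%s", msg);
    snprintf(r->client_note, sizeof r->client_note, "%s", msg);
}

/* After the fix: always logged, sent to the client only when asked for. */
static void log_rerror_fixed(struct request *r, int level, const char *msg)
{
    snprintf(r->error_log, sizeof r->error_log, "%s", msg);
    if (level & LVL_TOCLIENT)
        snprintf(r->client_note, sizeof r->client_note, "%s", msg);
}

/* Log a constructed faulty-CGI warning; return 1 if the client sees the path. */
static int client_sees_path(logger_fn logger, int level)
{
    const char *path = "/srv/www/cgi-bin/report.cgi";  /* constructed sample */
    struct request r;
    char msg[256];
    memset(&r, 0, sizeof r);
    snprintf(msg, sizeof msg, "script failed: %s", path);
    logger(&r, level, msg);
    if (!strstr(r.error_log, path)) return -1;  /* error log must keep the path */
    return strstr(r.client_note, path) != NULL;
}

int main(void)
{
    printf("legacy, warning:         %d\n", client_sees_path(log_rerror_legacy, LVL_WARNING));
    printf("fixed, warning:          %d\n", client_sees_path(log_rerror_fixed, LVL_WARNING));
    printf("fixed, warning|TOCLIENT: %d\n", client_sees_path(log_rerror_fixed, LVL_WARNING | LVL_TOCLIENT));
    return 0;
}
```

In the model the error log receives the full path in every case; only the copy sent to the client depends on the flag.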
Impact
Sensitive information may be disclosed.
Solution
If you are running version 2.0, upgrade to Apache 2.036 or later.
Acknowledgements
Our thanks to the Apache group for their change log.
This document was written by Shawn V Hernan, based upon information in the Apache Change Log.
Other Information
CVE IDs: None
Severity Metric: 5.06
Date Public: 2002-05-06
Date First Published: 2002-07-11
Date Last Updated: 2002-07-11 21:16 UTC
Document Revision: 5