A vulnerability in some implementations of mod_dav may permit a remote attacker to gain unauthorized access to a web server running mod_dav.
mod_dav is a module designed to provide DAV capabilities for a web server. A format string vulnerability in some implementations may permit a remote attacker to gain unauthorized access to a web server running mod_dav.
Here is a brief primer for those unfamiliar with format string vulnerabilities:
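The following is an added example, not part of the original note and not mod_dav's code: it shows the hardened logging pattern, where untrusted text is only ever an argument to a constant format, together with a scanner that reports what `printf` would do with a string if it were used as the format. The names `scan_format` and `log_request_field` and the sample values are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* What printf would do with a string if it were used as the format. */
struct fmt_scan {
    int conversions; /* specifications that consume an argument */
    int writes;      /* %n specifications, which store through a pointer */
};

/* Walk the string as printf does: % [n$] flags width .precision length conv */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }            /* literal percent */
        s += strspn(s, "-+ #'0123456789$");          /* position, flags, width */
        if (*s == '*') { r.conversions++; s++; }     /* width read from an argument */
        if (*s == '.') {
            s++;
            if (*s == '*') { r.conversions++; s++; } /* precision from an argument */
            else s += strspn(s, "0123456789");
        }
        s += strspn(s, "hlLqjzt");                   /* length modifiers */
        if (*s != '\0' && strchr("diouxXeEfFgGaAcspn", *s)) {
            r.conversions++;
            if (*s == 'n') r.writes++;
            s++;
        }
    }
    return r;
}

/* Hardened logging: the untrusted text is an argument to a constant format.
 * The pattern this replaces is fprintf(out, untrusted). */
int log_request_field(FILE *out, const char *name, const char *untrusted)
{
    struct fmt_scan r = scan_format(untrusted);
    return fprintf(out, "%s=\"%s\" fmt_conversions=%d fmt_writes=%d\n",
                   name, untrusted, r.conversions, r.writes);
}

int main(void)
{
    /* Constructed sample values, not taken from any real request. */
    const char *samples[] = { "/dav/report.txt", "100%% done", "%s%08x%n", "%*.*f" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        log_request_field(stdout, "field", samples[i]);
    return 0;
}
```

A non-zero `fmt_conversions` in a field that should hold a path or header value is a useful signal when reviewing logs; compiling with `-Wformat -Wformat-security` flags non-constant format arguments at build time.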
A remote attacker may be able to gain privileged access to a web server running mod_dav.
Apply a vendor patch.
You may wish to disable mod_dav until a patch can be applied.
Oracle Corporation Affected
Apple Computer Inc. Not Affected
Cray Inc. Not Affected
IBM Not Affected
Microsoft Corporation Not Affected
OpenBSD Not Affected
Openwall GNU/*/Linux Not Affected
Red Hat Inc. Not Affected
Xerox Corporation Not Affected
Cisco Systems Inc. Unknown
Computer Associates Unknown
Data General Unknown
F5 Networks Unknown
Guardian Digital Inc. Unknown
Hewlett-Packard Company Unknown
Juniper Networks Unknown
Lotus Software Unknown
Lucent Technologies Unknown
MontaVista Software Unknown
NEC Corporation Unknown
Network Appliance Unknown
Nortel Networks Unknown
Sony Corporation Unknown
SuSE Inc. Unknown
Sun Microsystems Inc. Unknown
The SCO Group (SCO Linux) Unknown
The SCO Group (SCO UnixWare) Unknown
Unisphere Networks Unknown
Wind River Systems Inc. Unknown
This vulnerability was discovered by David Litchfield of Next Generation Security Software Ltd. The CERT/CC thanks both Next Generation Security Software Ltd and Oracle for providing information upon which this document is based.
This document was written by Ian A Finlay and Shawn V. Hernan.
Date First Published: 2003-02-14
Date Last Updated: 2003-07-24 12:42 UTC