Vulnerability Note VU#910713

Apache discloses source code via POST requests to a location with WebDAV and CGI enabled

Original Release date: 29 Oct 2002 | Last revised: 19 Nov 2002


An information leak in Apache results from an interaction between WebDAV and CGI.


Apache version 2.0.42 allows remote attackers to obtain the source code of CGI scripts that are stored in locations for which both CGI and WebDAV are enabled. When a POST request is sent to a CGI script on an affected server, this vulnerability will cause the source code of the script to be returned to the attacker.
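One way to locate configuration sections matching the affected condition described above (both WebDAV and CGI enabled for the same location), written as an added example that is not part of the original advisory or of Apache itself. The sample configuration and the names `audit` and `norm` are constructed for illustration. The check is a heuristic that assumes parent-path settings are inherited, so it over-reports and its results are candidates for manual review.

```python
import re

# Constructed sample configuration for illustration (not from the advisory).
SAMPLE_CONF = """
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/shared">
    Dav On
</Directory>
<Directory "/var/www/shared/tools">
    Options +ExecCGI
</Directory>
<Directory "/var/www/html">
    Options Indexes -ExecCGI
</Directory>
<Location /cgi-bin/>
    Dav On
</Location>
"""

OPEN = re.compile(r'<(Directory|Location)\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'</(Directory|Location)\s*>', re.I)
DAV = re.compile(r'Dav\s+(?!off\b)\S', re.I)
CGI = re.compile(r'Options\b.*(?<!-)\bExecCGI\b|(Set|Add)Handler\s+cgi-script\b', re.I)
ALIAS = re.compile(r'ScriptAlias\s+(\S+)\s+"?([^"\s]+)', re.I)

def norm(path):
    return path.rstrip("/") or "/"

def audit(conf_text):
    """Heuristic: list (kind, path) sections where DAV and CGI both apply."""
    flags, stack = {}, []          # flags: (kind, path) -> subset of {"dav", "cgi"}
    for line in map(str.strip, conf_text.splitlines()):
        if (m := OPEN.match(line)):
            stack.append((m.group(1).lower(), norm(m.group(2))))
            flags.setdefault(stack[-1], set())
        elif CLOSE.match(line) and stack:
            stack.pop()
        elif (m := ALIAS.match(line)):   # ScriptAlias enables CGI for URL path and directory
            flags.setdefault(("location", norm(m.group(1))), set()).add("cgi")
            flags.setdefault(("directory", norm(m.group(2))), set()).add("cgi")
        elif stack:
            flags[stack[-1]] |= {n for n, rx in (("dav", DAV), ("cgi", CGI)) if rx.match(line)}
    def both(kind, path):          # settings on a parent path are assumed inherited
        eff = set()
        for (k, p), f in flags.items():
            if k == kind and (path == p or path.startswith(p.rstrip("/") + "/")):
                eff |= f
        return {"dav", "cgi"} <= eff
    return sorted(key for key in flags if both(*key))
```

Calling `audit(SAMPLE_CONF)` reports the `/var/www/shared/tools` directory (CGI enabled under a DAV-enabled parent) and the `/cgi-bin` location (DAV enabled on a ScriptAlias path).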


Remote attackers can obtain the source code of CGI scripts located on affected servers.


Apply a patch from your vendor

This vulnerability was addressed in Apache version 2.0.43, available at For vendor-specific information regarding this issue, please see the Systems Affected section of this document.

Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apache | Affected | 26 Sep 2002 | 29 Oct 2002 |
| Hewlett-Packard Company | Affected | 28 Oct 2002 | 19 Nov 2002 |

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This document was written by Jeffrey P. Lanza and is based upon information provided by

Other Information

  • CVE IDs: CAN-2002-1156
  • Date Public: 26 Sep 2002
  • Date First Published: 29 Oct 2002
  • Date Last Updated: 19 Nov 2002
  • Severity Metric: 16.87
  • Document Revision: 11

