Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » CSSA-2002-SCO.31-Apache Web Server Chunk Handling Vuln./mod_ssl off-by error

CSSA-2002-SCO.31-Apache Web Server Chunk Handling Vuln./mod_ssl off-by error

by Nikola Strahija on July 3rd, 2002 Problem Description This advisory addresses two separate vulnerabilities: 1) There is a remotely exploitable vulnerability in the handling of large chunks of data in web servers that are based on Apache source code. 2) mod_ssl registers a rewrite_command hook when backward compatibility is enabled. The ssl_compat_directive() is called for every line read in a configuration file, and contains an off-by-one error while doing so.


2. Vulnerable Supported Versions

System Subsystem
----------------------------------------------------------------------
UnixWare 7.1.1 Apache
Open UNIX 8.0.0 Apache


3. Solution

The proper solution is to install the latest packages.


4. UnixWare 7.1.1

4.1 Location of Fixed Binaries

ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31


4.2 Verification

MD5 (apache-1.3.26.pkg.Z) = 75391ed80d727d9cd00a73c2cc24816b

md5 is available for download from
ftp://ftp.caldera.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

Download apache-1.3.26.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/apache-1.3.26.pkg.Z
# pkgadd -d /var/spool/pkg/apache-1.3.26.pkg


5. Open UNIX 8.0.0

5.1 Location of Fixed Binaries

ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31


5.2 Verification

MD5 (apache-1.3.26.pkg.Z) = 75391ed80d727d9cd00a73c2cc24816b

md5 is available for download from
ftp://ftp.caldera.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

Download apache-1.3.26.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/apache-1.3.26.pkg.Z
# pkgadd -d /var/spool/pkg/apache-1.3.26.pkg


6. References

Specific references for this advisory:
http://www.cert.org/advisories/CA-2002-17.html
http://httpd.apache.org/info/security_bulletin_20020617.txt
http://www.modssl.org/

Caldera security resources:
http://www.caldera.com/support/security/index.html

This security fix closes Caldera incidents sr865893, fz521273,
erg712079.


7. Disclaimer

Caldera International, Inc. is not responsible for the
misuse of any of the information we provide on this website
and/or through our security advisories. Our advisories are
a service to our customers intended to promote secure
installation and use of Caldera products.


8. Acknowledgements

Neel Mehta of the ISS X-Force discovered the Apache
vulnerability. Mark Litchfield reported the vulnerability
to the Apache Software Foundation, and Mark Cox reported
it to the CERT/CC.

The mod_ssl vulnerability information was obtained from an
advisory by Frank Denis ([email protected])

______________________________________________________________________________



Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »