SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Apache mod_include
Vendors:   Apache Software Foundation
(Mandrake Issues Fix) Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012254
SecurityTracker URL:  http://securitytracker.com/id/1012254
CVE Reference:   CVE-2004-0940
Date:  Nov 17 2004
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.3.x
Description:   Crazy Einstein reported a buffer overflow in Apache mod_include. A local user may be able to gain elevated privileges.

It is reported that the get_tag() function contains a buffer overflow that can be triggered, for example, from the handle_echo() function. A local user can create specially crafted HTML that, when processed by Apache, will execute arbitrary code with the privileges of the httpd child process.

Impact:   A local user can execute arbitrary code with the privileges of the Apache httpd child process.
Solution:   Mandrake has released a fix.

Vendor URL:  httpd.apache.org/
Cause:   Boundary error
Underlying OS:  Linux (Mandriva/Mandrake)
Underlying OS Comments:  10.0, 10.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
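
The Mandrake advisory reproduced below makes the issue conditional on SSI being enabled, so a practical triage step alongside patching is to find where mod_include parsing is switched on, or where local users can switch it on from .htaccess. The following is an added example, not part of the SecurityTracker entry or the Mandrake advisory; the function name `ssi_findings` and the sample configuration are constructed for illustration, and the directives checked are the standard Apache 1.3 ones (`Options`, `AddHandler server-parsed`, `XBitHack`, `AllowOverride`).

```python
import re

# Apache 1.3 directives that enable SSI parsing or delegate that choice to .htaccess.
_DIRECTIVE = re.compile(r"^\s*(Options|AddHandler|XBitHack|AllowOverride)\s+(.+)$", re.I)

def ssi_findings(config_text):
    """Return (line_no, reason) for each directive that enables mod_include
    parsing or lets a local user enable it from .htaccess."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):          # Apache only has whole-line comments
            continue
        m = _DIRECTIVE.match(raw)
        args = [a.lower() for a in m.group(2).split()] if m else []
        if not args:
            continue
        name = m.group(1).lower()
        if name == "options":
            # "-Includes" removes the option; IncludesNOEXEC still runs the SSI parser.
            on = [a.lstrip("+") for a in args if not a.startswith("-")]
            hit = [a for a in on if a in ("includes", "includesnoexec", "all")]
            if hit:
                findings.append((no, "Options enables SSI parsing: " + ",".join(hit)))
        elif name == "addhandler" and args[0] == "server-parsed":
            findings.append((no, "server-parsed handler for " + " ".join(args[1:])))
        elif name == "xbithack" and args[0] in ("on", "full"):
            findings.append((no, "XBitHack parses executable-bit files as SSI"))
        elif name == "allowoverride":
            hit = [a for a in args if a in ("all", "options", "fileinfo")]
            if hit:
                findings.append((no, ".htaccess may enable SSI: " + ",".join(hit)))
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
# Options Includes   (commented out)
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/home/*/public_html">
    Options +IncludesNOEXEC -Indexes
    AllowOverride FileInfo Options
</Directory>
AddHandler server-parsed .shtml
XBitHack off
"""

if __name__ == "__main__":
    for line_no, reason in ssi_findings(SAMPLE_CONF):
        print(f"line {line_no}: {reason}")
```

Hosts where this reports nothing for user-writable directories are not reachable through the SSI path the advisory describes; the rest should be prioritised for the updated packages.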

Message History:   This archive entry is a follow-up to the message listed below.
Oct 19 2004 Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Security Announce] MDKSA-2004:134 - Updated apache packages fix


 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           apache
 Advisory ID:            MDKSA-2004:134
 Date:                   November 15th, 2004

 Affected versions:      10.0, 10.1, 9.2, Corporate Server 2.1,
                         Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 A possible buffer overflow exists in the get_tag() function of
 mod_include, and if SSI (Server Side Includes) are enabled, a local
 attacker may be able to run arbitrary code with the rights of an httpd
 child process.  This could be done with a special HTML document using
 malformed SSI.
 
 The updated packages have been patched to prevent this problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940
 ______________________________________________________________________

 Updated Packages:
  
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>

 
 



Copyright 2019, SecurityGlobal.net LLC