Apache mod_proxy_ajp Bug May Disclose Another User's Response Data - SecurityTracker

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Category: Application (Web Server/CGI) > Apache HTTPD

Vendors: Apache Software Foundation

Apache mod_proxy_ajp Bug May Disclose Another User's Response Data

SecurityTracker Alert ID: 1022264

SecurityTracker URL: http://securitytracker.com/id/1022264

CVE Reference: CVE-2009-1191 (Links to External Site)

Date: May 21 2009

Impact: Disclosure of user information

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 2.2.11

Description: A vulnerability was reported in Apache mod_proxy_ajp. A remote user may be able to obtain potentially sensitive response data intended for another user.

A remote user can make a specially crafted HTTP request cause the mod_proxy_ajp module to return potentially sensitive response data intended for a client that previously sent a POST request with no request body.

Impact: A remote user can obtain potentially sensitive response data from a previous request of another user.

Solution: The vendor has issued a patch, available at:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.11

Vendor URL: httpd.apache.org/ (Links to External Site)

Cause: Access control error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

May 21 2009	(Red Hat Issues Fix) Apache mod_proxy_ajp Bug May Disclose Another User's Response Data Red Hat has released a fix for JBoss Enterprise Web Server 1.0.0.
Oct 15 2010	(Sun Issues Fix) Apache mod_proxy_ajp Bug May Disclose Another User's Response Data Sun has issued a fix for Solaris 10 and OpenSolaris.

Source Message Contents


[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
This web site uses cookies for web analytics. Learn More
Copyright 2020, SecurityGlobal.net LLC