The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Juniper Junos Space Service Insight

computer vulnerability alert CVE-2012-5568

Apache Tomcat: denial of service Slowloris

Synthesis of the vulnerability

An attacker can exhaust the maximum number of allowed clients on an Apache Tomcat server, in its default configuration.
Severity: 1/4.
Creation date: 28/12/2012.
Identifiers: 880011, CERTFR-2017-AVI-012, CVE-2012-5568, JSA10600, JSA10770, openSUSE-SU-2012:1700-1, openSUSE-SU-2012:1701-1, openSUSE-SU-2013:0147-1, VIGILANCE-VUL-12270.

Description of the vulnerability

The VIGILANCE-VUL-8809 bulletin describes a vulnerability of Apache httpd, which allows an attacker to use parallel sessions, in order to create a denial of service.

However, this vulnerability also impacts Apache Tomcat.

An attacker can therefore exhaust the maximum number of allowed clients on an Apache Tomcat server, in its default configuration.

cybersecurity vulnerability CVE-2012-3144 CVE-2012-3147 CVE-2012-3149

MySQL: several vulnerabilities of October 2012

Synthesis of the vulnerability

Several vulnerabilities of MySQL are corrected by the CPU of October 2012.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 14.
Creation date: 17/10/2012.
Identifiers: CERTA-2012-AVI-579, cpuoct2012, CVE-2012-3144, CVE-2012-3147, CVE-2012-3149, CVE-2012-3150, CVE-2012-3156, CVE-2012-3158, CVE-2012-3160, CVE-2012-3163, CVE-2012-3166, CVE-2012-3167, CVE-2012-3173, CVE-2012-3177, CVE-2012-3180, CVE-2012-3197, DSA-2581-1, JSA10601, MDVSA-2013:102, RHSA-2012:1462-01, SOL14907, VIGILANCE-VUL-12079.

Description of the vulnerability

A Critical Patch Update corrects several vulnerabilities of MySQL.

An attacker can use a vulnerability of Information Schema, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; CVE-2012-3163]

An attacker can use a vulnerability of MySQL Protocol, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; CVE-2012-3158]

An attacker can use a vulnerability of Server, in order to create a denial of service. [severity:2/4; CVE-2012-3177]

An attacker can use a vulnerability of MySQL Client, in order to alter information, or to create a denial of service. [severity:2/4; CVE-2012-3147]

An attacker can use a vulnerability of InnoDB, in order to create a denial of service. [severity:2/4; CVE-2012-3166]

An attacker can use a vulnerability of InnoDB Plugin, in order to create a denial of service. [severity:2/4; CVE-2012-3173]

An attacker can use a vulnerability of Server, in order to create a denial of service. [severity:2/4; CVE-2012-3144]

An attacker can use a vulnerability of Server Optimizer, in order to create a denial of service. [severity:2/4; CVE-2012-3150]

An attacker can use a vulnerability of Server Optimizer, in order to create a denial of service. [severity:2/4; CVE-2012-3180]

An attacker can use a vulnerability of MySQL Client, in order to obtain information. [severity:2/4; CVE-2012-3149]

An attacker can use a vulnerability of Server, in order to create a denial of service. [severity:2/4; CVE-2012-3156]

An attacker can use a vulnerability of Server Full Text Search, in order to create a denial of service. [severity:3/4; CVE-2012-3167]

An attacker can use a vulnerability of Server Replication, in order to create a denial of service. [severity:2/4; CVE-2012-3197]

An attacker can use a vulnerability of Server Installation, in order to obtain information. [severity:1/4; CVE-2012-3160]

cybersecurity alert CVE-2012-1531 CVE-2012-1532 CVE-2012-1533

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 27.
Creation date: 17/10/2012.
Identifiers: BID-55501, BID-55538, BID-56025, BID-56033, BID-56039, BID-56043, BID-56046, BID-56051, BID-56054, BID-56055, BID-56056, BID-56057, BID-56058, BID-56059, BID-56061, BID-56063, BID-56065, BID-56067, BID-56070, BID-56071, BID-56072, BID-56075, BID-56076, BID-56079, BID-56080, BID-56081, BID-56082, BID-56083, c03595351, CERTA-2012-AVI-576, CERTA-2012-AVI-746, CERTA-2013-AVI-094, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-4420, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089, CVE-2012-5979-ERROR, DSECRG-12-039, ESX350-201302401-SG, FEDORA-2012-16346, FEDORA-2012-16351, IC89804, javacpuoct2012, MDVSA-2012:169, openSUSE-SU-2012:1419-1, openSUSE-SU-2012:1423-1, openSUSE-SU-2012:1424-1, RHSA-2012:1384-01, RHSA-2012:1385-01, RHSA-2012:1386-01, RHSA-2012:1391-01, RHSA-2012:1392-01, RHSA-2012:1465-01, RHSA-2012:1466-01, RHSA-2012:1467-01, RHSA-2012:1485-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SUSE-SU-2012:1398-1, SUSE-SU-2012:1489-1, SUSE-SU-2012:1489-2, SUSE-SU-2012:1490-1, SUSE-SU-2012:1588-1, SUSE-SU-2012:1595-1, swg21621958, swg21621959, VIGILANCE-VUL-12072, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56025, CVE-2012-5083]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56033, CVE-2012-1531]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56039, CVE-2012-5086]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56043, CVE-2012-5087]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56046, CVE-2012-1533]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56051, CVE-2012-1532]

An attacker can use the class com.sun.org.glassfish.gmbal.util.GenericConstructor in order to execute arbitrary JVM code. [severity:3/4; BID-56054, CVE-2012-5076]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56055, CVE-2012-3143]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56057, CVE-2012-5088]

An attacker can use a vulnerability of JMX, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56059, CVE-2012-5089]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56063, CVE-2012-5084]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56072, CVE-2012-3159]

An attacker can use a vulnerability of Libraries, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-56076, CVE-2012-5068]

When a Java application uses an integer array, and the Arrays.fill() method, the array memory area is not initialized to zero by the JRE, so an attacker can obtain a memory fragment (VIGILANCE-VUL-11929). [severity:3/4; BID-55501, BID-55538, CVE-2012-4416, CVE-2012-4420]

An attacker can use a vulnerability of JAX-WS, in order to obtain or alter information. [severity:3/4; BID-56056, CVE-2012-5074]

An attacker can use a vulnerability of JMX, in order to obtain or alter information. [severity:3/4; BID-56061, CVE-2012-5071]

An attacker can use a vulnerability of Concurrency, in order to obtain or alter information. [severity:3/4; BID-56065, CVE-2012-5069]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:2/4; BID-56070, CVE-2012-5067]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-56079, CVE-2012-5070]

An attacker can use a vulnerability of JMX, in order to obtain information. [severity:2/4; BID-56081, CVE-2012-5075]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-56080, CVE-2012-5073]

An attacker can use a vulnerability of Libraries, in order to alter information. [severity:2/4; BID-56082, CVE-2012-5079, CVE-2012-5979-ERROR]

An attacker can use a vulnerability of Security, in order to alter information. [severity:2/4; BID-56083, CVE-2012-5072]

An attacker can use a vulnerability of JSSE (ROBOT Attack VIGILANCE-VUL-24749), in order to create a denial of service. [severity:2/4; BID-56071, CVE-2012-5081]

An attacker can use a vulnerability of Libraries, in order to obtain information. [severity:1/4; BID-56075, CVE-2012-3216]

An attacker can use a vulnerability of Security, in order to obtain information. [severity:1/4; BID-56058, CVE-2012-5077]

An attacker can use a vulnerability of Gopher, in order to send packets. [severity:1/4; BID-56067, CVE-2012-5085, DSECRG-12-039]

computer weakness note CVE-2012-2131

OpenSSL 0.9.8: memory corruption via asn1_d2i_read_bio

Synthesis of the vulnerability

An attacker can use malformed ASN.1 data, with an application linked to OpenSSL 0.9.8, in order to corrupt the memory, which leads to a denial of service or to code execution.
Severity: 3/4.
Creation date: 24/04/2012.
Identifiers: 1643316, BID-53212, c03333987, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CERTFR-2014-AVI-480, CERTFR-2016-AVI-300, CVE-2012-2131, DSA-2454-2, HPSBUX02782, JSA10659, MDVSA-2012:064, RHSA-2012:0518-01, RHSA-2012:0522-01, SSRT100844, SUSE-SU-2012:0623-1, SUSE-SU-2012:0637-1, VIGILANCE-VUL-11564.

Description of the vulnerability

Version 0.9.8v of OpenSSL was published to correct the vulnerability VIGILANCE-VUL-11559.

However, the vulnerability was not fully corrected by this version.

An attacker can therefore still use malformed ASN.1 data, with an application linked to OpenSSL 0.9.8, in order to corrupt the memory, which leads to a denial of service or to code execution.

weakness alert CVE-2012-2110

OpenSSL: memory corruption via asn1_d2i_read_bio

Synthesis of the vulnerability

An attacker can use malformed ASN.1 data, with an application linked to OpenSSL, in order to corrupt the memory, which leads to a denial of service or to code execution.
Severity: 3/4.
Creation date: 19/04/2012.
Identifiers: 1643316, BID-53158, c03333987, CERTA-2012-AVI-224, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CERTA-2012-AVI-479, CERTFR-2014-AVI-480, CERTFR-2016-AVI-300, CVE-2012-2110, DSA-2454-1, ESX350-201302401-SG, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-6395, FEDORA-2012-6403, FreeBSD-SA-12:01.openssl, HPSBUX02782, JSA10659, KB27376, MDVSA-2012:060, NetBSD-SA2012-001, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, PSN-2013-03-872, PSN-2013-05-941, RHSA-2012:0518-01, RHSA-2012:0522-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL16285, SSRT100844, SUSE-SU-2012:0623-1, SUSE-SU-2012:0637-1, SUSE-SU-2012:1149-1, SUSE-SU-2012:1149-2, VIGILANCE-VUL-11559, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

X.509 certificates are encoded with ASN.1 (Abstract Syntax Notation).

OpenSSL uses BIOs, which are data streams that a program can write to or read from.

The asn1_d2i_read_bio() function of OpenSSL decodes ASN.1 data coming from a BIO.

However, this function casts the size of ASN.1 objects to signed integers (whereas "size_t" is unsigned). If the announced size of an object is greater than 0x80000000, an allocation error thus occurs, and the memory is corrupted.

The asn1_d2i_read_bio() function is used by several OpenSSL functions. Note: SSL/TLS clients/servers do not use this function, and are thus not vulnerable (there are exceptions if d2i_X509_bio() is called). However, S/MIME or CMS applications are vulnerable.

An attacker can therefore use malformed ASN.1 data, with an application linked to OpenSSL, in order to corrupt the memory, which leads to a denial of service or to code execution.
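
The signed-cast problem described above can be screened for before data reaches a decoder. The following Python sketch is an added example, not OpenSSL code and not part of the original bulletin: it reads the tag/length header of a DER object and rejects announced lengths that no longer fit in a signed 32-bit integer. The function names, the 16 MiB policy limit and the sample bytes are assumptions constructed for illustration.

```python
import struct

INT32_MAX = 0x7FFFFFFF  # largest value a signed 32-bit int can hold

# Constructed samples: SEQUENCE { INTEGER 5 } and a header announcing 0x80000001 bytes.
SAMPLE_OK = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_HUGE = bytes([0x30, 0x84, 0x80, 0x00, 0x00, 0x01])


def read_der_header(data: bytes):
    """Return (tag, announced_length, header_size) for the first TLV in data.

    Only single-byte tags are handled, which covers the outer SEQUENCE
    of certificates and CMS structures.
    """
    if len(data) < 2:
        raise ValueError("truncated header")
    tag, first = data[0], data[1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not handled in this sketch")
    if first < 0x80:                      # short form: length is this byte
        return tag, first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0:
        raise ValueError("indefinite length is not valid DER")
    if len(data) < 2 + n:
        raise ValueError("truncated length field")
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def as_int32(value: int) -> int:
    """Value a C cast of the low 32 bits to a signed int would produce."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def check_announced_length(data: bytes, max_len: int = 16 * 1024 * 1024) -> str:
    """Classify the announced length before any buffer is sized from it."""
    _tag, length, hdr = read_der_header(data)
    if length > INT32_MAX:
        return "reject: length 0x%x becomes %d as a signed int" % (
            length, as_int32(length))
    if length > max_len:                  # assumed local policy limit
        return "reject: length exceeds local policy"
    if length > len(data) - hdr:
        return "reject: announced length exceeds available data"
    return "ok"


if __name__ == "__main__":
    for name, blob in (("ok", SAMPLE_OK), ("huge", SAMPLE_HUGE)):
        print(name, "->", check_announced_length(blob))
```
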

cybersecurity announce CVE-2012-0882

MySQL: vulnerability

Synthesis of the vulnerability

A vulnerability impacts MySQL.
Severity: 2/4.
Creation date: 10/02/2012.
Identifiers: BID-51925, BID-52154-REJECT, CVE-2012-0882, JSA10601, VIGILANCE-VUL-11350.

Description of the vulnerability

A vulnerability impacts MySQL.

cybersecurity note CVE-2012-0053

Apache httpd: reading an HttpOnly cookie

Synthesis of the vulnerability

An attacker can use a malformed HTTP query, in order to generate a code 400 error, which displays the user's HttpOnly cookies, so JavaScript code can access them.
Severity: 2/4.
Creation date: 27/01/2012.
Identifiers: BID-51706, c03231301, c03278391, CERTA-2012-AVI-225, CVE-2012-0053, DSA-2405-1, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, HPSBUX02761, JSA10585, MDVSA-2012:012, openSUSE-SU-2012:0314-1, RHSA-2012:0128-01, RHSA-2012:0323-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL15273, SOL15889, SSA:2012-041-01, SSRT100772, SSRT100823, SUSE-SU-2012:0284-1, SUSE-SU-2012:0323-1, VIGILANCE-VUL-11323.

Description of the vulnerability

The HTTP Set-Cookie header defines a cookie. This header can also contain the HttpOnly attribute:
  Set-Cookie: v=abc; HttpOnly
This attribute indicates that this cookie cannot be accessed from JavaScript. This feature has been supported since IE 6 SP1, Mozilla Firefox 3.0.0.6 and Opera 9.23, in order to protect a website against Cross Site Scripting.

When Apache httpd receives a malformed HTTP query (CONNECT with "authority", line larger than LimitRequestFieldSize, header without ':'), it returns a code 400 error page. If there is no default error page defined by ErrorDocument, Apache httpd dynamically generates this page. However, the generated page contains all headers, in order to help developers. Cookies are thus displayed inside the HTML, even if they have the HttpOnly attribute. As JavaScript code is allowed to read an HTML document, it can thus read the cookie.

An attacker can therefore use a malformed HTTP query, in order to generate a code 400 error, which displays the user's HttpOnly cookies, so JavaScript code can access them.

threat CVE-2011-2262 CVE-2012-0075 CVE-2012-0087

MySQL: several vulnerabilities of January 2012

Synthesis of the vulnerability

Several vulnerabilities of Oracle MySQL are corrected by the CPU of January 2012.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 27.
Creation date: 18/01/2012.
Identifiers: BID-51488, BID-51493, BID-51502, BID-51503, BID-51504, BID-51505, BID-51506, BID-51507, BID-51508, BID-51509, BID-51510, BID-51511, BID-51512, BID-51513, BID-51514, BID-51515, BID-51516, BID-51517, BID-51518, BID-51519, BID-51520, BID-51521, BID-51522, BID-51523, BID-51524, BID-51525, BID-51526, CERTA-2012-AVI-024, cpujan2012, CVE-2011-2262, CVE-2012-0075, CVE-2012-0087, CVE-2012-0101, CVE-2012-0102, CVE-2012-0112, CVE-2012-0113, CVE-2012-0114, CVE-2012-0115, CVE-2012-0116, CVE-2012-0117, CVE-2012-0118, CVE-2012-0119, CVE-2012-0120, CVE-2012-0484, CVE-2012-0485, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0490, CVE-2012-0491, CVE-2012-0492, CVE-2012-0493, CVE-2012-0494, CVE-2012-0495, CVE-2012-0496, DSA-2429-1, FEDORA-2012-0972, FEDORA-2012-0987, JSA10601, openSUSE-SU-2012:0618-1, openSUSE-SU-2012:0619-1, RHSA-2012:0105-01, RHSA-2012:0127-01, sol14410, VIGILANCE-VUL-11296.

Description of the vulnerability

A Critical Patch Update corrects several vulnerabilities of Oracle MySQL.

An attacker can use a vulnerability of MySQL, in order to obtain information, or to create a denial of service. [severity:2/4; BID-51488, CVE-2012-0113]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51493, CERTA-2012-AVI-024, CVE-2011-2262]

An attacker can use a vulnerability of MySQL, in order to obtain or alter information. [severity:2/4; BID-51508, CVE-2012-0116]

An attacker can use a vulnerability of MySQL, in order to obtain information, or to create a denial of service. [severity:2/4; BID-51511, CVE-2012-0118]

An attacker can use a vulnerability of MySQL, in order to obtain or alter information. [severity:2/4; BID-51507, CVE-2012-0496]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51509, CVE-2012-0087]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51505, CVE-2012-0101]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51502, CVE-2012-0102]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51504, CVE-2012-0115]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51512, CVE-2012-0119]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51517, CVE-2012-0120]

An attacker can use a vulnerability of MySQL, in order to obtain information. [severity:2/4; BID-51515, CVE-2012-0484]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51513, CVE-2012-0485]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51514, CVE-2012-0486]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51503, CVE-2012-0487]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51506, CVE-2012-0488]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51510, CVE-2012-0489]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51524, CVE-2012-0490]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51518, CVE-2012-0491]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51522, CVE-2012-0495]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51519, CVE-2012-0112]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:2/4; BID-51521, CVE-2012-0117]

An attacker can use a vulnerability of MySQL, in order to obtain or alter information. [severity:2/4; BID-51520, CVE-2012-0114]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:1/4; BID-51516, CVE-2012-0492]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:1/4; BID-51525, CVE-2012-0493]

An attacker can use a vulnerability of MySQL, in order to alter information. [severity:2/4; BID-51526, CVE-2012-0075]

An attacker can use a vulnerability of MySQL, in order to create a denial of service. [severity:1/4; BID-51523, CVE-2012-0494]

vulnerability alert CVE-2011-4317

Apache httpd: access to another server via mod_proxy

Synthesis of the vulnerability

An attacker can use a malicious HTTP query, when mod_proxy uses RewriteRule or ProxyPassMatch, in order to access web resources of another server.
Severity: 2/4.
Creation date: 25/11/2011.
Identifiers: BID-50802, c03231301, CVE-2011-4317, DSA-2405-1, HPSBMU02748, JSA10585, MDVSA-2012:003, openSUSE-SU-2012:0212-1, openSUSE-SU-2012:0248-1, openSUSE-SU-2013:0243-1, openSUSE-SU-2013:0248-1, RHSA-2012:0128-01, SOL15889, SSA:2012-041-01, SSRT100772, SUSE-SU-2011:1309-1, SUSE-SU-2011:1322-1, VIGILANCE-VUL-11179.

Description of the vulnerability

The mod_proxy module is used to configure Apache httpd as a proxy, in order to access an internal web server. Its resources are intentionally public.

However, the VIGILANCE-VUL-11041 vulnerability of mod_proxy was not fully corrected.

Indeed, the case where the query has a scheme ("something:endOfQuery") was not corrected. The scheme ("something:") is removed, and the end of query ("endOfQuery") is concatenated to the rewrite rule.

An attacker can therefore still use a malicious HTTP query on Apache httpd, when mod_proxy uses RewriteRule or ProxyPassMatch, in order to access web resources of another server.

computer threat alert CVE-2011-3368

Apache httpd: access to another server via mod_proxy

Synthesis of the vulnerability

An attacker can use a malicious HTTP query, when mod_proxy uses RewriteRule or ProxyPassMatch, in order to access web resources of another server.
Severity: 2/4.
Creation date: 05/10/2011.
Identifiers: BID-49957, c03231301, CERTA-2011-AVI-562, CERTA-2011-AVI-607, CERTA-2012-AVI-050, CERTA-2012-AVI-156, CVE-2011-3368, DSA-2405-1, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, JSA10585, MDVSA-2011:144, openSUSE-SU-2012:0212-1, openSUSE-SU-2012:0248-1, openSUSE-SU-2013:0243-1, openSUSE-SU-2014:1647-1, RHSA-2011:1391-01, RHSA-2011:1392-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL15889, SSA:2012-041-01, SSRT100772, SUSE-SU-2011:1229-1, SUSE-SU-2011:1309-1, SUSE-SU-2011:1322-1, VIGILANCE-VUL-11041.

Description of the vulnerability

The mod_proxy module is used to configure Apache httpd as a proxy, in order to access an internal web server. Its resources are intentionally public.

The RewriteRule and ProxyPassMatch directives are used to rewrite requested HTTP paths (URLs). For example:
  RewriteRule (.*) http://voluntaryPublic.example.com$1 [P]
  ProxyPassMatch (.*) http://voluntaryPublic.example.com$1

However, if the domain name does not end with a '/', an attacker can for example use the following HTTP query:
  GET @privateServer.example.com/page.html HTTP/1.1
This query will be rewritten as:
  GET http://voluntaryPublic.example.com@privateServer.example.com/page.html HTTP/1.1
The attacker then has access to the web page located on the private server.

An attacker can therefore use a malicious HTTP query, when mod_proxy uses RewriteRule or ProxyPassMatch, in order to access web resources of another server.
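
The rewrite pattern described above can be found by auditing the configuration. The following Python sketch is an added example, not part of the original bulletin or of Apache httpd: it flags proxying RewriteRule and ProxyPassMatch directives whose target places a backreference directly after the host name, and shows which host a URL parser sees for the bulletin's rewritten request. The function names and the sample configuration are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Target of the form scheme://authority$N, with no '/' before the backreference.
UNSAFE_TARGET = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s$]+\$\d", re.I)

# Constructed sample configuration; the first two rules are the bulletin's examples.
SAMPLE_CONFIG = "\n".join([
    "RewriteEngine On",
    "RewriteRule (.*) http://voluntaryPublic.example.com$1 [P]",
    "ProxyPassMatch (.*) http://voluntaryPublic.example.com$1",
    "RewriteRule ^/app(.*) http://voluntaryPublic.example.com/$1 [P]",
    "ProxyPassMatch ^/img/(.*) http://voluntaryPublic.example.com/img/$1",
    "RewriteRule ^/old$ /new [R]",
])


def proxy_target(line: str):
    """Return the substitution URL if the directive proxies, else None."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    name = parts[0].lower()
    if name == "proxypassmatch":
        return parts[2]
    if name == "rewriterule":
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        if any(f.strip().upper() in ("P", "PROXY") for f in flags):
            return parts[2]
    return None


def audit(config_text: str):
    """Return (line number, directive) for each proxy rule with an unsafe target."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        target = proxy_target(line.strip())
        if target and UNSAFE_TARGET.match(target):
            findings.append((lineno, line.strip()))
    return findings


def backend_host(target: str, captured: str) -> str:
    """Host a URL parser sees once $1 is replaced by the captured text."""
    return urlsplit(target.replace("$1", captured)).hostname


if __name__ == "__main__":
    for lineno, directive in audit(SAMPLE_CONFIG):
        print("line %d: %s" % (lineno, directive))
    captured = "@privateServer.example.com/page.html"
    print(backend_host("http://voluntaryPublic.example.com$1", captured))
    print(backend_host("http://voluntaryPublic.example.com/$1", captured))
```

With the trailing '/' in the target, the captured text stays in the path component and the host remains the intended public server.
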