The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.

A vulnerability in the WebDAV module has been fixed. A remote attacker could crash a server process, leading to a Denial of Service scenario.
Only installations configured for WebDAV access were affected. See http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183. CVE-2004-0809 has been assigned to this issue.

A malicious user with DAV write privileges can trigger a NULL pointer dereference in the Apache mod_dav module. This could cause the server to become unavailable.

Julian Reschke reported a problem in mod_dav of Apache 2 in connection with a NULL pointer dereference. When running in a threaded model, especially with Apache 2, a segmentation fault can take out a whole process and hence create a denial of service for the whole server.

The remote host is affected by the vulnerability described in GLSA-200409-21 (Apache 2, mod_dav: Multiple vulnerabilities)

    A potential infinite loop has been found in the input filter of mod_ssl     (CAN-2004-0748) as well as a possible segmentation fault in the     char_buffer_read function if reverse proxying to a SSL server is being used     (CAN-2004-0751). Furthermore, mod_dav, as shipped in Apache httpd 2 or     mod_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can     be triggered remotely (CAN-2004-0809). The third issue is an input     validation error found in the IPv6 URI parsing routines within the apr-util     library (CAN-2004-0786). Additionally a possible buffer overflow has been     reported when expanding environment variables during the parsing of     configuration files (CAN-2004-0747).
  Impact :

    A remote attacker could cause a Denial of Service either by aborting a SSL     connection in a special way, resulting in CPU consumption, by exploiting     the segmentation fault in mod_ssl or the mod_dav flaw. A remote attacker     could also crash a httpd child process by sending a specially crafted URI.
    The last vulnerability could be used by a local user to gain the privileges     of a httpd child, if the server parses a carefully prepared .htaccess file.
  Workaround :

    There is no known workaround at this time.

Two Denial of Service conditions were discovered in the input filter of mod_ssl, the module that enables apache to handle HTTPS requests.

Another vulnerability was discovered by the ASF security team using the Codenomicon HTTP Test Tool. This vulnerability, in the apr-util library, can possibly lead to arbitrary code execution if certain non-default conditions are met (enabling the AP_ENABLE_EXCEPTION_HOOK define).

As well, the SITIC have discovered a buffer overflow when Apache expands environment variables in configuration files such as .htaccess and httpd.conf, which can lead to possible privilege escalation. This can only be done, however, if an attacker is able to place malicious configuration files on the server.

Finally, a crash condition was discovered in the mod_dav module by Julian Reschke, where sending a LOCK refresh request to an indirectly locked resource could crash the server.

The updated packages have been patched to protect against these vulnerabilities.

According to its Server response header, the remote host is running a version of Apache 2.0.x prior to 2.0.51. It is, therefore, affected by multiple vulnerabilities :

  - An input validation issue in apr-util can be triggered     by malformed IPv6 literal addresses and result in a     buffer overflow (CVE-2004-0786).

  - There is a buffer overflow that can be triggered when     expanding environment variables during configuration     file parsing (CVE-2004-0747).

  - A segfault in mod_dav_ds when handling an indirect lock     refresh can lead to a process crash (CVE-2004-0809).

  - A segfault in the SSL input filter can be triggered     if using 'speculative' mode by, for instance, a proxy     request to an SSL server (CVE-2004-0751).

  - There is the potential for an infinite loop in mod_ssl     (CVE-2004-0748).

The remote host is running a vulnerable version of Apache. It is reported that versions prior to 2.0.51 are prone to a remote buffer overflow when parsing an URI sent over IPv6. An attacker may use this vulnerability to execute arbitrary code on the remote host or to deny service to legitimate users.

The remote host is running a vulnerable version of Apache. It is reported that versions prior 2.0.51 are prone to a remote denial of service issue. An attacker may issue a specific sequence of DAV LOCK commands to crash the process. If Apache is configured to use threads, it may completely crash the Apache process.

The remote host is running a vulnerable version of Apache. It is reported that versions prior 2.0.51 are prone to a local buffer overflow when processing ${ENVVAR} constructs in .htaccess and httpd.conf files. An attacker with interactive access to the computer may use this flaw to execute arbitrary code in the context of the web server.

Updated httpd packages that include fixes for security issues are now available.

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.

Four issues have been discovered affecting releases of the Apache HTTP 2.0 Server, up to and including version 2.0.50 :

Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. This issue is not believed to allow arbitrary code execution on Red Hat Enterprise Linux. This issue also does not represent a significant denial of service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0786 to this issue.

The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain 'apache' privileges if an httpd process can be forced to parse a carefully crafted .htaccess file written by a local user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0747 to this issue.

An issue was discovered in the mod_ssl module which could be triggered if the server is configured to allow proxying to a remote SSL server.
A malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. This issue is not believed to allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0751 to this issue.

An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0809 to this issue.

Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues.

The remote host appears to be running a version of Apache 2.x that is older than 2.0.51. It is reported that these versions of Apache are prone to a denial of service issue related to mod_ssl. An attacker may deny service to legitimate users if the remote server uses a 'RewriteRule' to enable reverse proxying to a SSL origin server.

The remote host appears to be running a version of Apache 2.x that is older than 2.0.51. It is reported that these versions of Apache are prone to a denial of service issue related to mod_ssl. An attacker may force a SSL connection to be aborted and therefore cause the Apache server to enter in an infinite loop, consuming CPU resources. 

ID	Name	Product	Family	Severity
41330	SuSE9 Security Update : the webdav apache module (YOU Patch Number 9363)	Nessus	SuSE Local Security Checks	medium
37996	FreeBSD : mod_dav -- lock related denial-of-service (013fa252-0724-11d9-b45d-000c41e2cdad)	Nessus	FreeBSD Local Security Checks	medium
15656	Debian DSA-558-1 : libapache-mod-dav - NULL pointer dereference	Nessus	Debian Local Security Checks	medium
14766	GLSA-200409-21 : Apache 2, mod_dav: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
14752	Mandrake Linux Security Advisory : apache2 (MDKSA-2004:096)	Nessus	Mandriva Local Security Checks	high
14748	Apache 2.0.x < 2.0.51 Multiple Vulnerabilities (OF, DoS)	Nessus	Web Servers	medium
2292	Apache < 2.0.51 IPv6 Remote Buffer Overflow	Nessus Network Monitor	Web Servers	medium
2291	Apache < 2.0.51 mod_dav DAV LOCK Command Remote DoS	Nessus Network Monitor	Web Servers	medium
2290	Apache < 2.0.51 ${ENVVAR} Local Overflow	Nessus Network Monitor	Web Servers	medium
14736	RHEL 3 : httpd (RHSA-2004:463)	Nessus	Red Hat Local Security Checks	medium
2276	Apache < 2.0.51 mod_ssl Rewrite Rules DoS	Nessus Network Monitor	Web Servers	medium
2254	Apache < 2.0.51 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
800587	Apache < 2.0.51 mod_ssl Rewrite Rules DoS	Log Correlation Engine	Web Servers	medium
800565	Apache < 2.0.51 mod_dav DAV LOCK Command Remote DoS	Log Correlation Engine	Web Servers	medium
800564	Apache < 2.0.51 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium
800562	Apache < 2.0.51 ${ENVVAR} Local Overflow	Log Correlation Engine	Web Servers	medium
800560	Apache < 2.0.51 IPv6 Remote Buffer Overflow	Log Correlation Engine	Web Servers	medium

Detections

Analytics

CVE-2004-0809

high

Tenable Plugins

medium

medium

medium

medium

high

medium

medium

medium

medium

medium

medium

high

medium

medium

medium

medium

medium