| New User, Welcome! Login |
Next Page >>
HTTP server
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02160663
Version: 1
HPSBUX02531 SSRT100108 rev.1 - HP-UX Running Apache-based Web Server, Remote Denial of Service (DoS), Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-06-02
Last Updated: 2010-06-02
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01756421
Version: 1
HPSBUX02431 SSRT090085 rev.1 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-06-29
Last Updated: 2009-06-25
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01905287
Version: 1
HPSBUX02465 SSRT090192 rev.1 - HP-UX Running Apache-based Web Server, Remote Denial of Service (DoS) Cross-Site Scripting (XSS) Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-10-21
Last Updated: 2009-10-21
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers
1. *Advisory Information*
request. PHP will need to create those files before the script is
executed and delete them afterwards.
The denial of service condition appears when you create a bunch of
requests, each containing a large number (15000+) of files.
When you send these requests to the web server, the web server collapses
and stops responding because it has to process (create & delete) an
insane number of files in a very short period of time.
Any website that runs PHP and where file uploading is enabled (which is
the default configuration) is vulnerable. You don't need to have a file
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01650939
Version: 1
HPSBUX02401 SSRT090005 rev.2 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-12
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01650939
Version: 3
HPSBUX02401 SSRT090005 rev.3 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-25
==============
Two separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site
scripting (XSS) vulnerabilities have been reported to Cisco by two
independent researchers. ProCheckup has posted a Security Advisory
titled "XSS on Cisco IOS HTTP Server" posted at
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19
Cisco would like to thank Adrian Pastor and Richard J. Brain of
ProCheckUp and Nobuhiro Tsuji of NTT Data Security Corporation with
co-operation of JPCert.
> Martijn Vernooij (tinus win tue nl) wrote
> On Wed, 11 Feb 2009 security.432 (at) amxl (dot) com [email concealed] wrote:
> > => The attacker must be able to run code as the same user that the
> > webserver runs as. This is unlikely to be a problem for many local
> > attackers, because there are a multitude of possible attack vectors,
> > such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also
> > installed), and likely numerous other options.
>
> Once the attacker can run code as the same user > the webserver runs as, he
> can make the webserver do whatever he wants. He > can just 'debug' the
expense. By coalescing applications and services onto Oracle WebLogic
Server, IT is in position to react swiftly to change and help the
enterprise outperform the competition." -- [1]
And:
"Oracle WebLogic Server Web Server Plugins provide load balancing
across WebLogic Server Clusters by acting as front-end proxies. While
WebLogic Server Web Server Plugins 1.0 are bundled with WebLogic
Server, these new WebLogic Server Web Server Plugins 1.1 are
downloadable separately outside of WebLogic Server and deliver
enhanced functionality and improved security." -- [2]
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02579879
Version: 1
HPSBUX02612 SSRT100345 rev.1 - HP-UX Apache-based Web Server, Local Information Disclosure, Increase of Privilege, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-12-07
Last Updated: 2010-12-06
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02752210
Version: 1
HPSBUX02645 SSRT100387 rev.1 - HP-UX Apache Web Server, Remote Information Disclosure, Cross-Site Scripting (XSS), Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-03-29
Last Updated: 2011-03-29
>
> Synopsis:
> Most current installations of PHP set up to run via FastCGI with suexec
> are vulnerable to a local exploit, where anyone with the ability to run
> code as the user the webserver runs as can gain access as any user with
> an account set up to run PHP. It is anticipated that this issue will
> especially affect shared web hosts who use FastCGI + suexec thinking it
> will give them additional security.
>
> Conditions for exploitation:
I. BACKGROUND
nginx is a HTTP and reverse proxy server written by Igor Sysoev.
Varnish is a state-of-the-art, high-performance HTTP accelerator.
Cherokee is a very fast, flexible and easy to configure Web Server.
thttpd is a simple, small, portable, fast, and secure HTTP server.
mini_httpd is a small HTTP server.
WEBrick is a Ruby library providing simple HTTP web server services.
Orion Application Server is a pure java application-server.
AOLserver is America Online's Open-Source web server.
Yaws is a HTTP high perfomance 1.1 webserver.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01650939
Version: 1
HPSBUX02401 SSRT090005 rev.1 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-02
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02997184
Version: 4
HPSBUX02702 SSRT100606 rev.4 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-09-08
Last Updated: 2011-09-23
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02997184
Version: 5
HPSBUX02702 SSRT100606 rev.5 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-09-08
Last Updated: 2011-10-26
RESOLUTION
HP has provided the following software updates to resolve the vulnerabilities.
Note: Both HP-UX Web Server Suite Version v2.31 and HP-UX Web Server Suite Version v3.10 include PHP v5.2.13.
The updates are available for download from http://software.hp.com
Web Server Suite Version / Apache Depot name
Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
Discovered: July 25, 2008
Published: August 5, 2008
Revision: 1.1
http://www.rapid7.com/advisories/R7-0033
CVE: CVE-2008-2939
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Tomcat-based Servlet Engine. The vulnerabilities
could be exploited remotely to increase privilege or arbitrarily modify files. Tomcat-based Servlet Engine is contained in
the Apache Web Server Suite.
References: CVE-2009-2693, CVE-2009-2902, CVE-2009-3548.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23 and B.11.31 running Tomcat-based Servlet Engine v5.5.27.03 or earlier
Title: CA20090429-01: CA ARCserve Backup Apache HTTP Server
Multiple Vulnerabilities
CA Advisory Reference: CA20090429-01
CA Advisory Date: 2009-04-29
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02997184
Version: 2
HPSBUX02702 SSRT100606 rev.2 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-09-08
Last Updated: 2011-09-08
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Multiple vulnerabilities in Sun Calendar Express Web Server
1. *Advisory Information*
Title: Multiple vulnerabilities in Sun Calendar Express Web Server
to cause a vulnerable device to reboot by sending a large ICMP
echo request packet. This vulnerability is corrected in SCCP
firmware version 8.0(6). This vulnerability is documented in
CVE-2008-0526 leavingcisco.com and Cisco Bug ID CSCsh71110.
* HTTP Server DoS
Cisco Unified IP Phone 7935 and 7936 devices running SCCP
firmware contain a DoS vulnerability in their internal HTTP
server. By sending a specially crafted HTTP request to TCP port
80 on a vulnerable phone, it may be possible to cause the phone
Proof of Concept:
Servers Involved
A.B.C.D = Target WordPress Web Server
W.X.Y.Z = Malicious User's MySQL Instance
1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306
2.) Performs POST/GET Requests to Install WordPress into MySQL Instance
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These
vulnerabilities could be exploited remotely to disclose information, allows unauthorized modification, or create a Denial
of Service (DoS). The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite.
References: CVE-2010-2227, CVE-2010-1157, CVE-2009-0783, CVE-2009-0781, CVE-2009-0580, CVE-2009-0033, CVE-2008-5515
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.12 or earlier
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03025215
Version: 1
HPSBUX02707 SSRT100626 rev.1 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-09-26
Last Updated: 2011-09-26
Potential Security Impact: Remote information disclosure, authentication bypass, cross-site scripting (XSS), unauthorized access, Denial of Service (DoS).
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to disclose information, allow authentication bypass, allow cross-site scripting (XSS), gain unauthorized access, or create a Denial of Service (DoS). The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite.
References: CVE-2011-3190, CVE-2011-2729, CVE-2011-2526, CVE-2011-2204, CVE-2011-0013, CVE-2010-4476, CVE-2010-3718
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.19 or earlier
Potential Security Impact: Remote Denial of Service (DoS), access restriction bypass
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to perform an access restriction bypass. The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite.
References: CVE-2006-7243, CVE-2011-4858, CVE-2011-4885, CVE-2012-0022
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.21 or earlier
Potential Security Impact: Remote Denial of Service (DoS), access restriction bypass
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to perform an access restriction bypass. The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite.
References: CVE-2006-7243, CVE-2011-4858, CVE-2011-4885, CVE-2012-0022
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.21 or earlier
Next Page>>
|
|
|
