Actual title: Java Runtime UTF-8 Decoder Smuggling Vector
Discovered by: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Sr. Software Engineer, SpringSource, Inc.
Security Team member, Apache Software Foundation
Based on Tomcat Path Traversal Flaw reported by OuTian[1] and Simon Ryeo[2].
Thanks go to the members of the Apache Security Team for their energy and
endless efforts to triage and research potential vulnerabilities, separating
Apache HTTP Server 2.2.22 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.22 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a security
and bug fix release, including the following significant security fixes:
* SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
Apache implementation directory traversal and sensitive file disclosure in Shared Hosting environment.
Chris Dixon and David Ibarra of the Hostgator.com Support Team discovered that a severe vulnerability exists specifically in several large
scale "pre-packaged" Apache implementations such as cPanel, which allows a user to traverse directories and view any file that is readable
by the webserver. Our proof of concept demonstrates exploitation via a symlink in a chrooted jailed shell. This can be disabled by enabling the
SymLinksIfOwnerMatch option in Apache; however, you must also change the AllowOverride default options as well. We also provide an Apache patch
which can be implemented directly via an easyapache hook in order to disallow symlinks followed by anyone other than their owners.
cPanel developers were notified of this vulnerability and given time to hotfix the issue.
[SecurityReason - Apache (mod_status) Refresh Header - Open Redirector (XSS)]
Author: sp3x
Date:
- - Written: 15.12.2007
- - Public: 15.01.2008
Mandriva Linux Security Advisory MDVSA-2009:323
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apache
Date : December 7, 2009
Affected: 2008.0
_______________________________________________________________________
Problem Description:
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01963123
Version: 1
HPSBUX02498 SSRT090264 rev.1 - HP-UX Running Apache, Remote Unauthorized Data Injection, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
[SecurityReason - Apache (mod_proxy_ftp) Undefined Charset UTF-7 XSS Vulnerability]
Author: sp3x
Date:
- - Written: 15.12.2007
- - Public: 10.01.2008
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01539432
Version: 1
HPSBUX02365 SSRT080118 rev.1 - HP-UX Running Apache, Remote Cross Site Scripting (XSS) or Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-08-26
Last Updated: 2008-08-27
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02997184
Version: 2
HPSBUX02702 SSRT100606 rev.2 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-09-08
Last Updated: 2011-09-08
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02997184
Version: 4
HPSBUX02702 SSRT100606 rev.4 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-09-08
Last Updated: 2011-09-23
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/
Multiple XSS in Apache OFBiz
1. *Advisory Information*
Title: Multiple XSS in Apache OFBiz
Advisory ID: BONSAI-2010-0103
Disclaimer:
This is not the first time this issue has been discussed. Andreas
Steinmetz posted about the problem for an Apache httpd release in 2003.
http://www.securityfocus.com/archive/1/339138
http://www.securityfocus.com/bid/8707
Philipp Krammer reported that he notified the vendor over five years
ago, in January 2003. http://www.securityfocus.com/archive/1/339163
What's new is
Advisory ID: VMSA-2011-0003
Synopsis: Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
Issue date: 2011-02-10
Updated on: 2011-02-10 (initial release of advisory)
CVE numbers: --- Apache Tomcat ---
CVE-2009-2693 CVE-2009-2901 CVE-2009-2902
CVE-2009-3548 CVE-2010-2227 CVE-2010-1157
--- Apache Tomcat Manager ---
CVE-2010-2928
--- cURL ---
Title: CA20090429-01: CA ARCserve Backup Apache HTTP Server Multiple Vulnerabilities
CA Advisory Reference: CA20090429-01
CA Advisory Date: 2009-04-29
Security Advisory: MVSA-11-006
CVE: CVE-2011-1772
Vendor: Apache Software Foundation
Product: Struts 2 Framework
Vulnerabilities: Multiple Reflected XSS in XWork error pages
Security Advisory: MVSA-11-007 (http://www.ventuneac.net/security-advisories/MVSA-11-007)
CVE: CVE-2011-2088
Vendors: Apache Software Foundation, OpenSymphony
Products: Struts 2, XWork, WebWork
Vulnerabilities: Java Class Path Information Disclosure
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02997184
Version: 5
HPSBUX02702 SSRT100606 rev.5 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-09-08
Last Updated: 2011-10-26
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01476437
Version: 2
HPSBUX02342 SSRT080063 rev.2 - HP-UX Running Apache with PHP, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-06-23
Last Updated: 2008-06-23
Problem Description:
Multiple vulnerabilities have been found and corrected in tomcat5:
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0
through 4.1.36 does not properly handle (1) double quote (") characters
or (2) %5C (encoded backslash) sequences in a cookie value, which
might cause sensitive information such as session IDs to be leaked
to remote attackers and enable session hijacking attacks. NOTE:
this issue exists because of an incomplete fix for CVE-2007-3385
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01476437
Version: 1
HPSBUX02342 SSRT080063 rev.1 - HP-UX Running Apache or Tomcat with PHP, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-06-10
Last Updated: 2008-06-10
Apache mod_isapi Dangling Pointer Vulnerability - Security Advisory -
SOS-10-002
Release Date. 5-Mar-2010
Last Update. -
Vendor Notification Date. 9-Feb-2010
Product. Apache HTTP Server
Platform. Microsoft Windows
Affected versions. 2.2.14 verified and possibly others.
> servers' settings in order to deliver a hosting product that best
> suits their unique customers.
>
> After thoroughly investigating your report, we have come to the
> conclusion that this does not represent any deviation from the
> intended and documented behavior of Apache. As noted in your report,
> Apache's behavior with regard to symlinks is easily configurable via
> the FollowSymlinks and SymLinksIfOwnerMatch options. These settings
> can be changed inside WHM via Service Configuration -> Apache
> Configuration -> Global Configuration. Simply uncheck
> "FollowSymLinks" in the "Directory / Options" section, save your
Problem Description:
Multiple security vulnerabilities have been identified and fixed in
apr and apr-util:
Multiple integer overflows in the Apache Portable Runtime (APR)
library and the Apache Portable Utility library (aka APR-util)
0.9.x and 1.3.x allow remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via vectors that
trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc
function in memory/unix/apr_pools.c in APR; or crafted calls to
Hello Assurent & Oracle,
On Tue, 13 Jan 2009, VR-Subscription-noreply@assurent.com wrote:
: Oracle BEA WebLogic Server Apache Connector Buffer Overflow
:
: Reference: http://www.bea.com/weblogic/server/
:
: 2. Vulnerability Summary
:
Dear users of TYPO3,
It has been discovered that the default value of the TYPO3 configuration variable fileDenyPattern allows arbitrary code execution on Apache web servers. Besides that, the library fe_adminlib.inc allows Cross Site Scripting (XSS).
=== Component Type ===
TYPO3 Core
=== Affected Versions ===
TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.6, 4.2
PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method
Vulnerability found: 7 November 2007
Vendor contacted: 14 November 2007
Risk factor: N/A
We did not consider this vulnerability a security risk because the attacker needs to force the victim's browser to submit a malformed HTTP method.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02752210
Version: 1
HPSBUX02645 SSRT100387 rev.1 - HP-UX Apache Web Server, Remote Information Disclosure, Cross-Site Scripting (XSS), Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-03-29
Last Updated: 2011-03-29
[Apache2 Undefined Charset UTF-7 XSS Vulnerability ]
Author: SecurityReason
Maksymilian Arciemowicz (cXIb8O3)
Date:
- - Written: 08.08.2007
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2007-0026
Package names: apache, clamav, kerberos5, php, rsync, tar, vim
Summary: Multiple vulnerabilities
Date: 2007-09-17
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Secure Linux 3.0.5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Apache: Denial of Service
Date: July 09, 2008
Bugs: #222643, #227111
ID: 200807-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -