| VID |
22273 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Apache web server, according to its banner, is vulnerable to an Access Rule Bypass Vulnerability. The Apache web server, maintained by the Apache Software Foundation, is an extremely popular open-source web server. Apache HTTP Server versions 1.3.29 and earlier on big-endian 64-bit platforms could allow a remote attacker to bypass intended access restrictions because of a flaw in the mod_access module, which fails to match the proper rule when IP addresses are specified without a netmask in an Allow or Deny rule. A remote attacker could gain unauthorized access to files and directories, while other users could be denied access when these rules fail.
* Note: This check relies solely on the banner of the remote web server to assess this vulnerability, so the result might be a false positive.
* References: http://securitytracker.com/alerts/2004/Mar/1009338.html
* Platforms Affected: Apache HTTP Server 1.3.29 and earlier; Gentoo Linux Any version; Mandrake Linux 10.0, 9.2; Mandrake Linux Corporate Server 1.0.1, 2.1; Mandrake Multi Network Firewall 8.2; OpenBSD 3.3, OpenBSD 3.4; Slackware Linux 8.1, 9.0, 9.1, current; Trustix Secure Linux 1.5; Linux Any version; Unix Any version |
| Recommendation |
Upgrade to the latest version of Apache HTTP Server (1.3.30-dev or later), available from the Apache Software Foundation download site at http://httpd.apache.org.
For other distributions: Contact your vendor for upgrade or patch information. |
| Related URL |
CVE-2003-0993 (CVE) |
| Related URL |
9829 (SecurityFocus) |
| Related URL |
15422 (ISS) |
|