| VID |
22281 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Apache HTTP Server, according to its banner, has an access control bypass vulnerability. Apache HTTP Server version 2.0.51 has an unspecified error in the merging of the 'Satisfy' directive that could allow a remote attacker to bypass access controls and gain unauthorized access to restricted resources without authenticating.
* Note: This check relied solely on the banner of the remote Web server to assess this vulnerability, so this might be a false positive.
* References: http://www.apacheweek.com/features/security-20 http://www.securitytracker.com/alerts/2004/Sep/1011385.html
* Platforms Affected: Apache Software Foundation, Apache HTTP Server 2.0.51; Microsoft Windows, any version; Linux, any version; Unix, any version |
| Recommendation |
Upgrade to the latest version of Apache HTTP Server (2.0.52 or later), available from the Apache HTTP Server Web site at http://httpd.apache.org/download.cgi
-- OR --
For Apache HTTP Server version 2.0.51, apply the patch for this vulnerability, available from the Apache HTTP Server Web site at http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch
For Gentoo Linux: Upgrade to the latest version of Apache (2.0.51-r1, < 2.0.51 or later), as listed in Gentoo Linux Security Advisory GLSA 200409-33 at http://www.gentoo.org/security/en/glsa/glsa-200409-33.xml
For Trustix Secure Linux: Upgrade to the latest Apache package, as listed in Trustix Secure Linux Security Advisory #2004-0049 at http://www.trustix.net/errata/2004/0049/
For other distributions: Contact your vendor for upgrade or patch information. |
| Related URL |
CVE-2004-0811 (CVE) |
| Related URL |
11239 (SecurityFocus) |
| Related URL |
17473 (ISS) |