| Field | Value |
|---|---|
| VID | 22303 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The Cherokee Web Server, according to its version number, has a format string vulnerability. Cherokee Web Server is a compact, open-source web server for Microsoft Windows, Linux and Unix-based operating systems. Cherokee Web Server versions prior to 0.4.17.1 are vulnerable to a format string attack because the application fails to properly sanitize user-supplied input before using it as the format specifier in a formatted printing function. A remote attacker could send a specially crafted URL that, when processed as an authentication request through auth_pam, allows arbitrary code execution on the system. |
| Note | This check relied solely on the version number of the remote Web server to assess this vulnerability, so the result might be a false positive. |
| References | http://bugs.gentoo.org/show_bug.cgi?id=67667 ; http://secunia.com/advisories/13057/ |
| Platforms Affected | Cherokee Development Team Cherokee Web Server prior to 0.4.17.1; Linux (any version); Microsoft Windows (any version); Unix (any version) |
| Recommendation | Upgrade to the latest version of Cherokee Web Server (0.4.17.1 or later), available from the Cherokee Download Web page at http://www.alobbs.com/cherokee/download . For Gentoo Linux: upgrade to the latest version of Cherokee (0.4.17.1 or later), as listed in Gentoo Linux Security Advisory GLSA 200411-02 at http://www.gentoo.org/security/en/glsa/glsa-200411-02.xml . For other distributions: contact your vendor for upgrade or patch information. |
| Related URL | CVE-2004-1097 (CVE) |
| Related URL | 11574 (SecurityFocus) |
| Related URL | 17934 (ISS) |