Date: Thu, 16 Apr 2015 10:08:54 +0200
From: Martin Prpic <>
To: "oss-security" <>
Subject: Potential CVE request: flaw in comment handling 

Hi, we were notified of a flaw in the way Apache's mod_access_compat and
mod_authz_host handled comments in configuration files. When a comment
was defined on the same line that contained an "Allow" directive,
any potential IP ranges in that comment were also allowed to access
a resource.

This flaw was fixed in:

The docs do specify that comments are not allowed on the same line:

"There must be no other characters or white space between the backslash and the end of the line."

MITRE, does this qualify for a CVE?


$ sudo yum -y install httpd

$ echo hest123 | sudo tee /var/www/html/secret.txt

$ echo '<Location "/secret.txt">
> Order allow,deny
> Allow from # not 10
> </Location>' | sudo tee -a /etc/httpd/conf/httpd.conf
$ sudo service httpd restart

client on 10.x.x.x:
200 OK

The security implications of this flaw were discovered by Espen
Fjellvaer Olsen from Basefarm AS.

Martin Prpič / Red Hat Product Security
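
A configuration check for the pattern described in this report, added here as an example; it is not part of the original message and not Apache httpd code. It flags access-control directives whose argument list contains a '#'. The function names, the inclusion of Deny and Require ip/host alongside Allow, and the sample configuration are assumptions.

```python
import re

# "Allow" is the directive named in the report; "Deny" and "Require ip|host"
# are included as an assumption (same modules, same argument style).
DIRECTIVE = re.compile(
    r"^\s*(allow\s+from|deny\s+from|require\s+(?:not\s+)?(?:ip|host))\b(.*)$", re.I)

def logical_lines(text):
    """Yield (first_line_no, line) with trailing-backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf

def find_inline_comments(text):
    """Return (line_no, directive, tokens_after_hash) for access directives
    whose argument list contains a '#' that was meant to start a comment."""
    findings = []
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment: ignored by the parser, nothing to flag
        m = DIRECTIVE.match(line)
        if not m:
            continue
        args = m.group(2).split()
        for i, tok in enumerate(args):
            if tok.startswith("#"):
                extra = [t for t in [tok.lstrip("#")] + args[i + 1:] if t]
                findings.append((no, " ".join(m.group(1).split()), extra))
                break
    return findings

# Constructed sample; 192.0.2.0/24 is a documentation range, not from the report.
SAMPLE = """<Location "/secret.txt">
Order allow,deny
Allow from 192.0.2.0/24 # not 10
# Allow from 10
</Location>
"""

if __name__ == "__main__":
    for no, directive, extra in find_inline_comments(SAMPLE):
        print(f"line {no}: {directive}: tokens after '#' are arguments: {extra}")
```

Each finding lists the tokens after the '#'; moving the comment to its own line removes them from the directive's arguments.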
