Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 16 Apr 2015 17:15:44 -0400 (EDT)
Subject: Re: Potential CVE request: flaw in comment handling

Hash: SHA1

> we were notified of a flaw in the way Apache's mod_access_compat and
> mod_authz_host handled comments in configuration files. When a comment
> was defined on the same line that contained an "Allow" directive,
> any potential IP ranges in that comment were also allowed to access
> a resource.

> Reproducer:
> ...
> Allow from # not 10

> This flaw was fixed in:
> The docs do specify that comments are not allowed on the same line:
> "There must be no other characters or white space between the backslash and the end of the line."
> []

This doesn't seem to be the applicable documentation for your
reproducer. The documentation says:

   Lines that begin with the hash character "#" are considered
   comments, and are ignored. Comments may not be included on the same
   line as a configuration directive.

> MITRE, does this qualify for a CVE?

We can't make that decision without knowing the perspective of the
upstream vendor. Because the upstream vendor has a process for
assigning CVE IDs, we feel it would be simplest and best here to use
that process, even if it is often not used in cases of publicly known
vulnerabilities. See the address on the page. It's their
decision on how to proceed; possibilities include:

  - no CVE because the behavior with a # character is undefined

  - a single CVE for both because they intended "Comments may not be
    included" to only mean that a syntax error would be reported

  - a CVE only for mod_authz_host because they had actually wanted to
    support # comments for that one

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.