Date: Fri, 23 Mar 2018 21:50:00 -0500 From: Daniel Ruggeri <druggeri@...che.org> To: announce@...pd.apache.org, oss-security@...ts.openwall.com, security@...pd.apache.org Subject: CVE-2018-1283: Tampering of mod_session data for CGI applications CVE-2018-1283: Tampering of mod_session data for CGI applications. Severity: Medium Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.0 to 2.4.29 Description: When mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications. The severity is set to Medium because "SessionEnv on" is not a default nor common configuration, it should be considered High when this is the case though, because of the possible remote exploitation. Mitigation: All httpd users should upgrade to 2.4.30 or later. Credit: The issue was discovered internally by the Apache HTTP Server team. References: https://httpd.apache.org/security/vulnerabilities_24.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.