Release date: 2007-11-30
Update date: 2007-12-04
Affected systems:
Apache Group Apache 2.2.4
Apache Group Apache 2.2.3
Apache Group Apache 2.0.59
Apache Group Apache 2.0.55
Apache Group Apache 2.0.51
Apache Group Apache 2.0.46
Description:
BUGTRAQ ID: 26663
Apache HTTP Server is a popular web server.
There is a vulnerability when Apache HTTP Server handles malformed user requests. Remote attackers may use this vulnerability to obtain script source code.
If a malformed HTTP request submitted by a remote user carries one of the following forms of payload (such as JavaScript) and invalid length data, it will cause the Apache HTTP server to return the script code provided by the client:
Two Content-length headers are equal to 0, such as Content-Length: 0 [LF] Content-Length: 0
One Content-length header is equal to two values, such as Content-length: 0, 0
One Content-length: header is equal to a negative number, For example, Content-length: -1.
A Content-length header is equal to a very large value, such as Content-length: 99999999999999999999999999999999999999999999999.
Apache will return a 413 Request Entity Too Large error after submitting invalid length data, leading to the execution of arbitrary HTML and script code in the user's browser session.
Apache Group: At present, the manufacturer has not provided patches or upgrades. We recommend that users of this software always pay attention to the manufacturer's homepage to obtain the latest version: http://www.apache.org