exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 15 of 15 RSS Feed

CVE-2013-5704

Status Candidate

Overview

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

Related Files

Red Hat Security Advisory 2016-0062-01
Posted Jan 21, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-0062-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.

tags | advisory, java, remote, web
systems | linux, redhat
advisories | CVE-2012-0876, CVE-2012-1148, CVE-2013-5704, CVE-2015-3183
SHA-256 | 1636a44af0501528e041cd74d9e0faab81917561cfbed4a1bef6268292d7e47c
Red Hat Security Advisory 2016-0061-01
Posted Jan 21, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-0061-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.

tags | advisory, java, remote, web
systems | linux, redhat
advisories | CVE-2013-5704, CVE-2015-3183
SHA-256 | 24a856d50a46db75a2b42715c16401c84cab00721d784dc0aaf04982e3864f7b
Red Hat Security Advisory 2015-2661-01
Posted Dec 16, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-2661-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server.

tags | advisory, java, remote, web
systems | linux, redhat
advisories | CVE-2013-5704, CVE-2014-0230, CVE-2015-3183
SHA-256 | cf1a4249c4f08aac42a4d15cf5cb14bcad7304449de1390dcbf1127a209baab1
Red Hat Security Advisory 2015-2660-01
Posted Dec 16, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-2660-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server.

tags | advisory, java, remote, web
systems | linux, redhat
advisories | CVE-2013-5704, CVE-2014-0230, CVE-2015-3183
SHA-256 | 66e05ca1b341f7d3c1b9cca1e65d11a6cababeedfb7b575eef78359569661f63
Red Hat Security Advisory 2015-2659-01
Posted Dec 16, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-2659-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server.

tags | advisory, java, remote, web
systems | linux, redhat
advisories | CVE-2013-5704, CVE-2014-0230, CVE-2015-3183
SHA-256 | 4c1a70a35cd943eaffc8cf30bea91ac0cda719d92d0f834d27138d3c8ca550ef
HPE Security Bulletin HPSBUX03512 SSRT102254 1
Posted Oct 16, 2015
Authored by Hewlett Packard Enterprise | Site hpe.com

HPE Security Bulletin HPSBUX03512 SSRT102254 1 - Potential security vulnerabilities have been identified with HP-UX Web Server Suite running Apache. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and other impacts including.. - The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. - The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

tags | advisory, web, denial of service, vulnerability
systems | hpux
advisories | CVE-2013-5704, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2015-2808, CVE-2015-3183, CVE-2015-4000
SHA-256 | 18b317e7f0098c34b8f49719b2e63ed788cd23d93ced85911b489c5da5329541
Apple Security Advisory 2015-09-16-4
Posted Sep 19, 2015
Authored by Apple | Site apple.com

Apple Security Advisory 2015-09-16-4 - OS X Server 5.0.3 is now available and addresses denial of service, code execution, and various other vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution
systems | apple, osx
advisories | CVE-2013-5704, CVE-2014-0067, CVE-2014-3581, CVE-2014-3583, CVE-2014-8109, CVE-2014-8161, CVE-2014-8500, CVE-2015-0228, CVE-2015-0241, CVE-2015-0242, CVE-2015-0243, CVE-2015-0244, CVE-2015-0253, CVE-2015-1349, CVE-2015-3165, CVE-2015-3166, CVE-2015-3167, CVE-2015-3183, CVE-2015-3185, CVE-2015-5911
SHA-256 | 8254c8d55f2667e65687c75dc0e4ebbbd127b907729adba11b4a141d12fc30b2
Red Hat Security Advisory 2015-1249-02
Posted Jul 22, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1249-02 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2013-5704
SHA-256 | 5e827fff47382462caa857b8a6283c762c10188d93625edd9f85e26558e90984
HP Security Bulletin HPSBUX03337 SSRT102066 1
Posted Jun 11, 2015
Authored by HP | Site hp.com

HP Security Bulletin HPSBUX03337 SSRT102066 1 - Potential security vulnerabilities have been identified with the HP-UX Apache Web Server Suite, Tomcat Servlet Engine, and PHP. These could be exploited remotely to create a Denial of Service (DoS) and other vulnerabilities. Revision 1 of this advisory.

tags | advisory, web, denial of service, php, vulnerability
systems | hpux
advisories | CVE-2013-5704, CVE-2014-0118, CVE-2014-0226, CVE-2014-0227, CVE-2014-0231, CVE-2014-8142, CVE-2014-9709, CVE-2015-0231, CVE-2015-0273, CVE-2015-1352, CVE-2015-2301, CVE-2015-2305, CVE-2015-2331, CVE-2015-2783
SHA-256 | 754fae670041f7a697aa8004120dac15eb6d07f2889f1104112f7ee98c3f9f82
Slackware Security Advisory - httpd Updates
Posted Apr 22, 2015
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

tags | advisory
systems | linux, slackware
advisories | CVE-2013-5704, CVE-2014-3581, CVE-2014-3583, CVE-2014-8109
SHA-256 | fabbf00be913fbc1ea322e0c9f5f56231cc9f149ec2cb6f5840f0655e2e5c915
Apple Security Advisory 2015-04-08-2
Posted Apr 9, 2015
Authored by Apple | Site apple.com

Apple Security Advisory 2015-04-08-2 - OS X Yosemite 10.10.3 and Security Update 2015-004 are now available and address privilege escalation, code execution, information disclosure, and various other vulnerabilities.

tags | advisory, vulnerability, code execution, info disclosure
systems | apple, osx
advisories | CVE-2013-0118, CVE-2013-5704, CVE-2013-6438, CVE-2013-6712, CVE-2014-0098, CVE-2014-0117, CVE-2014-0118, CVE-2014-0207, CVE-2014-0226, CVE-2014-0231, CVE-2014-0237, CVE-2014-0238, CVE-2014-2497, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3523, CVE-2014-3538, CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-3587, CVE-2014-3597, CVE-2014-3668, CVE-2014-3669, CVE-2014-3670
SHA-256 | bfdc53ae50c366d1018234c77470fabd66ae9360537370dafd782122121b89cd
Ubuntu Security Notice USN-2523-1
Posted Mar 10, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2523-1 - Martin Holst Swende discovered that the mod_headers module allowed HTTP trailers to replace HTTP headers during request processing. A remote attacker could possibly use this issue to bypass RequestHeaders directives. Mark Montague discovered that the mod_cache module incorrectly handled empty HTTP Content-Type headers. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. Various other issues were also addressed.

tags | advisory, remote, web, denial of service
systems | linux, ubuntu
advisories | CVE-2013-5704, CVE-2014-3581, CVE-2014-3583, CVE-2014-8109, CVE-2015-0228
SHA-256 | b5a9d704b449f39d01062d26900f37e7a1d8336e27bd24dc58719568e3d644a3
Red Hat Security Advisory 2015-0325-02
Posted Mar 5, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-0325-02 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2013-5704, CVE-2014-3581
SHA-256 | 1ddce30a492cff7722f5739d62b0043eb5a198952e350c072d68c819dfa88edf
Red Hat Security Advisory 2014-1972-01
Posted Dec 9, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1972-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled. A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2013-5704, CVE-2014-3581
SHA-256 | b15033df8966e461bd230191dc61a940f431119df00b767cbba93b9ab386f18c
Mandriva Linux Security Advisory 2014-174
Posted Sep 4, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-174 - The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass RequestHeader unset directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states this is not a security issue in httpd as such. The updated packages have been upgraded to the latest 2.2.29 version which is not vulnerable to this issue.

tags | advisory, remote, web
systems | linux, mandriva
advisories | CVE-2013-5704
SHA-256 | fcee1df5464ebe1c1e6cd586ef4fa054f4e6a4553cd41003cf8e0cff62185e2c
Page 1 of 1
Back1Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close