|
|
>> Apache "mod_ssl" Custom Error Remote Denial Of Service Vulnerability
|
Title : Apache "mod_ssl" Custom Error Remote Denial Of Service Vulnerability
VUPEN ID : VUPEN/ADV-2006-0056
CVE ID : CVE-2005-3357
Rated as : Moderate Risk 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-06
|
A vulnerability has been identified in Apache, which could be exploited by remote attackers to cause a denial of service. This flaw is due to a NULL pointer dereference in the "mod_ssl" [modules/ssl/ssl_engine_kernel.c] module that does not properly handle a specially crafted non-SSL request sent to an SSL virtual host configured with access control and a custom 400 error document, which could be exploited by remote attackers to crash a vulnerable system.
Affected Products
Apache version 2.0.55 and prior
Solution
Upgrade to Apache version 2.0.58 :
http://httpd.apache.org
References
http://www.vupen.com/english/advisories/2006/0056
http://issues.apache.org/bugzilla/show_bug.cgi?id=37791
Credits
Vulnerability reported by Hartmut Keil
ChangeLog
2006-01-06 : Initial release
2006-05-01 : Updated Solution
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
