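Apache 2.0 Path Disclosure Vulnerability
Published: 2002-08-21
Updated: 2002-08-21
Severity: Medium
Threat: Server information disclosure
Error type: Input validation error
Exploitation method: Server mode
BUGTRAQ ID: 5485
CVE(CAN) ID: CAN-2002-0654

Affected systems:
Apache Software Foundation Apache 2.0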
Apache Software Foundation Apache 2.0.28 -BETA win32
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Apache Software Foundation Apache 2.0.28 Beta
Apache Software Foundation Apache 2.0.28
Apache Software Foundation Apache 2.0.32 -BETA win32
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Apache Software Foundation Apache 2.0.32
Apache Software Foundation Apache 2.0.34 -BETA win32
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Apache Software Foundation Apache 2.0.35
Apache Software Foundation Apache 2.0.36
Apache Software Foundation Apache 2.0.37
Apache Software Foundation Apache 2.0.38
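Apache Software Foundation Apache 2.0.39

Description:
Apache 2.0.x contains a vulnerability that can lead to path disclosure.
The server mishandles requests for certain file types. An attacker can request a non-existent file with a .var extension, and the error message returned discloses information.
The problem is caused by a MIME negotiation failure in the Apache server program.

Test code:
http://target/error/HTTP_NOT_FOUND.html.var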
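
A defender-side check for the behaviour described above, added here as an example (not code from the advisory or from Apache): it flags error responses to `.var` requests in a Common Log Format access log and looks for absolute filesystem paths in a response body. The log lines, response body, status codes and the list of Unix root directories are constructed assumptions.

```python
import re

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# Absolute filesystem paths: Windows drive paths (but not URL schemes such as
# "http:/") or Unix paths under a few common roots (assumed list).
FS_PATH = re.compile(
    r'(?<![A-Za-z])[A-Za-z]:[\\/][\w.\\/-]+'
    r'|(?<![\w.])/(?:usr|var|opt|home|srv|etc)/[\w./-]+')

# Constructed sample data, not captured from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Aug/2002:10:00:00 +0800] '
    '"GET /error/HTTP_NOT_FOUND.html.var HTTP/1.0" 404 512',
    '192.0.2.10 - - [21/Aug/2002:10:00:05 +0800] '
    '"GET /index.html HTTP/1.0" 200 1024',
    '198.51.100.7 - - [21/Aug/2002:10:01:00 +0800] '
    '"GET /docs/readme.var?x=1 HTTP/1.0" 406 300',
    '198.51.100.7 - - [21/Aug/2002:10:02:00 +0800] '
    '"GET /index.html.var HTTP/1.0" 200 900',
]
SAMPLE_BODY = '<p>Error processing C:/Apache2/error/missing.html.var</p>'

def var_probes(log_lines):
    """Return (client, target, status) for error responses to *.var requests."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0].lower()  # ignore the query string
        if path.endswith(".var") and int(status) >= 400:
            hits.append((client, target, int(status)))
    return hits

def leaked_paths(body):
    """Return absolute filesystem paths found in a response body."""
    return [p.rstrip(".") for p in FS_PATH.findall(body)]

if __name__ == "__main__":
    for client, target, status in var_probes(SAMPLE_LOG):
        print(f"{client} requested {target} -> {status}")
    print("paths in body:", leaked_paths(SAMPLE_BODY))
```

Running `leaked_paths` over your own server's error pages after the upgrade confirms that no filesystem path is still being returned.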

Solution:
Patch download:
Apache Software Foundation Apache 2.0:
Apache Software Foundation Apache 2.0.28 -BETA win32:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.28 Beta:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.28:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.32 -BETA win32:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.32:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.34 -BETA win32:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.35:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.36:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.37:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.38:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.39:
Apache Software Foundation Upgrade Apache httpd 2.0.40
http://www.apache.org/dist/httpd/

Related information: Auriemma Luigi <aluigi@pivx.com>.
Reference: http://online.securityfocus.com/archive/1/287766
Related homepage: http://www.apache.org/