Apache web server MS-DOS device name arbitrary command execution vulnerability

Published: 2003-01-22
Updated: 2003-01-22
Severity: Medium
Threat level: Ordinary user access privileges
Error type: Input validation error
Exploitation mode: Server mode
BUGTRAQ ID: 6659
CVE(CAN) ID: CAN-2003-0016

Affected systems

Apache Software Foundation Apache 2.0.36

Detailed description

The Apache web server is a popular HTTP server that runs on UNIX and Windows operating systems.

The Apache web server on Windows 9x systems does not correctly handle some HTTP requests. The problem is caused by CGI input redirection. When a POST is made to a CGI, the stdin stream points to the submitted form data. By sending a POST to "con.xxx" under the ScriptAlias directory, the POST data may be executed by the interpreter.

Test code

None yet.

Solution

Upgrade the program:

Apache Software Foundation Apache 2.0.36: Apache Software Foundation Upgrade Apache httpd 2.0.44 http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.37: Apache Software Foundation Upgrade Apache httpd 2.0.44 http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.38: Apache Software Foundation Upgrade Apache httpd 2.0.44 http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.39: Apache Software Foundation Upgrade Apache httpd 2.0.44 http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.40: Apache Software Foundation Upgrade Apache httpd 2.0.44 http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.41: Apache Software Foundation Upgrade Apache httpd 2.0.44 http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.42: Apache Software Foundation Upgrade Apache httpd 2.0.44 http://www.apache.org/dist/httpd/
Apache Software Foundation Apache 2.0.43: Apache Software Foundation Upgrade Apache httpd 2.0.44 http://www.apache.org/dist/httpd/

Related information

References:
http://www.apache.org/dist/httpd/Announcement2.html
http://www.apache.org/dist/httpd/CHANGES_2.0
http://lists.netsys.com/pipermail/full-disclosure/2003-January/003653.html
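For hosts that cannot be upgraded immediately, the access log can be reviewed for requests matching the pattern described above. The following is an added example, not part of the original advisory or of Apache: it assumes Common Log Format lines and a ScriptAlias mounted at /cgi-bin/, and it goes beyond the "con" name in the advisory to cover the other device names Windows reserves. The log lines are constructed.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names. The advisory names "con"; the others are the
# remaining names Windows resolves to devices regardless of extension.
DEVICE_NAMES = ({"con", "prn", "aux", "nul"}
                | {f"com{i}" for i in range(1, 10)}
                | {f"lpt{i}" for i in range(1, 10)})

SCRIPT_ALIAS = "/cgi-bin/"  # assumption: adjust to the ScriptAlias in httpd.conf

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_device_segment(segment):
    """True if a path segment resolves to a device name ("con.xxx", "CON", "aux.")."""
    base = segment.rstrip(". ").split(".", 1)[0].rstrip(" ")
    return base.lower() in DEVICE_NAMES


def flag_line(line, script_alias=SCRIPT_ALIAS):
    """Return (method, decoded_path, matching_segments) or None for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Drop the query string, decode %XX escapes, normalise backslashes.
    path = unquote(m.group("target").split("?", 1)[0]).replace("\\", "/")
    if not path.lower().startswith(script_alias.lower()):
        return None
    segments = [s for s in path[len(script_alias):].split("/") if s]
    hits = [s for s in segments if is_device_segment(s)]
    return (m.group("method"), path, hits) if hits else None


def scan(lines):
    return [r for r in map(flag_line, lines) if r]


# Constructed sample log lines (documentation address range 192.0.2.0/24).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2003:10:00:01 +0000] "POST /cgi-bin/con.xxx HTTP/1.0" 200 0',
    '192.0.2.11 - - [22/Jan/2003:10:00:05 +0000] "POST /cgi-bin/contact.cgi HTTP/1.0" 200 512',
    '192.0.2.12 - - [22/Jan/2003:10:00:09 +0000] "POST /cgi-bin/%43ON.pl HTTP/1.1" 200 0',
    '192.0.2.13 - - [22/Jan/2003:10:00:12 +0000] "GET /docs/con.html HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for method, path, hits in scan(SAMPLE_LOG):
        print(f"{method} {path} -> device name segment(s): {hits}")
```

The check matches on the whole base name of each segment, so legitimate scripts such as contact.cgi are not flagged.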