
Vulnerability Bulletins


Vulnerability in the filtering of Apache's error logs

Vulnerability classification

Property Value
Confidence level Official
Impact Obtain access
Difficulty Expert
Required attacker level Remote access without an account to a standard service

System information

Property Value
Affected manufacturer GNU/Linux
Affected software Apache 1.3 <=1.3.29
Apache 2.0 <=2.0.48

Description

A vulnerability has been discovered in the 1.3 and 2.0 branches of the Apache web server; specifically, the vulnerable versions are those prior to 1.3.31 and 2.0.49.

The vulnerability lies in the fact that Apache does not filter terminal escape sequences out of its error logs. This could allow a remote attacker to insert sequences into the terminal emulators used to view the error logs, if those emulators have escape-sequence-related vulnerabilities.
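The defender-side check this description calls for, added here as an example that is not part of the bulletin or of Apache's own code: a filter that makes control bytes in an error log visible as \xNN before the log is shown in a terminal, and reports which lines carried them (the fixed Apache versions apply filtering of the same kind when writing the log). The sample log lines are constructed.

```python
import re

# Bytes a terminal emulator interprets rather than prints: the C0 controls
# (except TAB, LF and CR, which a log legitimately contains) and DEL.
# ESC (0x1b) is the one that introduces CSI/OSC sequences.
CONTROL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def escape_controls(line: bytes) -> bytes:
    """Replace every control byte with its visible \\xNN form, so the
    terminal prints the sequence instead of executing it."""
    return CONTROL.sub(lambda m: b"\\x%02x" % m.group(0)[0], line)


def has_control_bytes(line: bytes) -> bool:
    """True if the line would be interpreted by a terminal, not just shown."""
    return CONTROL.search(line) is not None


def sanitize_log(data: bytes):
    """Escape a whole error_log; return (safe_bytes, flagged_line_numbers).
    flagged_line_numbers is 1-based, for an operator triaging the log."""
    flagged, out = [], []
    for n, line in enumerate(data.split(b"\n"), start=1):
        if has_control_bytes(line):
            flagged.append(n)
        out.append(escape_controls(line))
    return b"\n".join(out), flagged


# Constructed sample error_log (not real data): a normal entry, then one whose
# requested path reached the log with an ESC-introduced sequence intact.
SAMPLE_LOG = (
    b"[Fri May 14 10:00:01 2004] [error] [client 192.0.2.10] "
    b"File does not exist: /var/www/html/missing\n"
    b"[Fri May 14 10:00:02 2004] [error] [client 192.0.2.10] "
    b"File does not exist: /var/www/html/\x1b[2Jwiped\n"
)

if __name__ == "__main__":
    safe, flagged = sanitize_log(SAMPLE_LOG)
    print(safe.decode("ascii"))
    print("lines with control bytes:", flagged)
```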

Solution

If you wish, apply your distribution's own update mechanisms, or download the software sources and compile them yourself.


Software updates

Apache
Apache httpd 1.3.31
Apache httpd 2.0.49
http://httpd.apache.org/download.cgi

Mandrake Linux

Mandrake Linux 9.1
i386
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache-1.3.27-8.2.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache-devel-1.3.27-8.2.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache-modules-1.3.27-8.2.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache-source-1.3.27-8.2.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/SRPMS/apache-1.3.27-8.2.91mdk.src.rpm
PPC
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache-1.3.27-8.2.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache-devel-1.3.27-8.2.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache-modules-1.3.27-8.2.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache-source-1.3.27-8.2.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/SRPMS/apache-1.3.27-8.2.91mdk.src.rpm

Mandrake Linux 9.2
i386
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache-1.3.28-3.2.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache-devel-1.3.28-3.2.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache-modules-1.3.28-3.2.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache-source-1.3.28-3.2.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/SRPMS/apache-1.3.28-3.2.92mdk.src.rpm
AMD64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache-1.3.28-3.2.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache-devel-1.3.28-3.2.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache-modules-1.3.28-3.2.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache-source-1.3.28-3.2.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/SRPMS/apache-1.3.28-3.2.92mdk.src.rpm

Mandrake Multi Network Firewall 8.2
i386
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf8.2/RPMS/apache-1.3.23-4.4.M82mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf8.2/RPMS/apache-common-1.3.23-4.4.M82mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf8.2/RPMS/apache-modules-1.3.23-4.4.M82mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/mnf8.2/SRPMS/apache-1.3.23-4.4.M82mdk.src.rpm

Mandrake Corporate Server 2.1
i386
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-1.3.26-7.1.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-common-1.3.26-7.1.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-devel-1.3.26-7.1.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-manual-1.3.26-7.1.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-modules-1.3.26-7.1.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-source-1.3.26-7.1.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/SRPMS/apache-1.3.26-7.1.C21mdk.src.rpm
x86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-1.3.26-7.1.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-common-1.3.26-7.1.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-devel-1.3.26-7.1.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-manual-1.3.26-7.1.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-modules-1.3.26-7.1.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-source-1.3.26-7.1.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/SRPMS/apache-1.3.26-7.1.C21mdk.src.rpm

Mandrakelinux 10.0
i386
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache-1.3.29-1.1.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache-devel-1.3.29-1.1.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache-modules-1.3.29-1.1.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache-source-1.3.29-1.1.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/apache-1.3.29-1.1.100mdk.src.rpm

Mandrake Linux (apache-mod_perl)

Mandrakelinux 9.1
i386
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm
PPC
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm

Mandrakelinux 9.2
i386
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm
AMD64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm

Mandrakelinux 10.0
i386
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm
AMD64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm

Corporate Server 2.1
i386
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm

OpenBSD
OpenBSD 3.4
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/025_httpd3.patch
OpenBSD 3.5
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/013_httpd.patch

HP-UX

IPv4
HP-UX B.11.00 and HP-UX B.11.11 users: install revision hpuxwsAPACHE A.2.0.49.00
HP-UX B.11.22 users: install revision hpuxwsAPACHE B.11.23

IPv6
HP-UX B.11.11 users: install revision hpuxwsAPACHE B.2.0.49.00
HP-UX B.11.23 users: install revision hpuxwsAPACHE B.2.0.49.00

HP-UX B.11.04
Virtualvault A.04.70: install patches PHSS_30944 (Virtualvault 4.7 IWS update) and PHSS_31058 (Virtualvault 4.7 OWS update)
Virtualvault A.04.60: install patches PHSS_30946 (Virtualvault 4.6 IWS update) and PHSS_31057 (Virtualvault 4.6 OWS update)
Virtualvault A.04.50: install patches PHSS_30647 (Virtualvault 4.5 IWS update) and PHSS_30648 (Virtualvault 4.5 OWS update)
Webproxy A.02.10: install patch PHSS_30950 (Webproxy server 2.1 update)
Webproxy A.02.00: install patch PHSS_30949 (Webproxy server 2.0 update)
http://software.hp.com

Sun

Solaris 9
SPARC
http://sunsolve.sun.com/search/document.do?assetkey=1-21-113146-05-1
x86
http://sunsolve.sun.com/search/document.do?assetkey=1-21-114145-04-1

Solaris 8
SPARC
http://sunsolve.sun.com/search/document.do?assetkey=1-21-116973-01-1
x86
http://sunsolve.sun.com/search/document.do?assetkey=1-21-116974-01-1

SPARC Platform
Solaris 8 with patch 116973-02 or later
Solaris 9 with patch 113146-05 or later
x86 Platform
Solaris 8 with patch 116974-02 or later
Solaris 9 with patch 114145-04 or later

Standard resources

Property Value
CVE CAN-2003-0020
BID

Other resources

Overview of security vulnerabilities in Apache httpd 1.3
http://www.apacheweek.com/features/security-13

Overview of security vulnerabilities in Apache httpd 2.0
http://www.apacheweek.com/features/security-20

MandrakeSoft Security Advisory MDKSA-2004:046
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:046

Mandrakesoft Security Advisory MDKSA-2004:046-1
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:046-1

OpenBSD Security Advisories
http://www.openbsd.org/security.html

HP SECURITY BULLETIN HPSBUX01022
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01022

HP Security Bulletin HPSBTU01049
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01049

HP Security Bulletin HPSBUX01069
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01069

Sun(sm) Alert Notification 57628
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1

Sun Alert Notification (101555)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1&searchclause=%22category:security%22%20%22availability,%20security%22%20category:security.com

Version history

Version Comments Date
1.0 Advisory issued 2004-05-14
1.1 Advisory issued by Mandrake (MDKSA-2004:046) 2004-05-18
1.2 Advisory issued by Mandrake (MDKSA-2004:046-1) 2004-05-21
1.3 Advisory issued by OpenBSD 2004-06-14
1.4 Advisory issued by HP (HPSBUX01022) 2004-07-15
1.5 Advisory issued by HP (HPSBTU01049) 2004-08-10
1.6 Advisory issued by HP (HPSBUX01069) 2004-08-13
1.7 Advisory issued by Sun (57628) 2004-09-09
1.8 Advisory updated by Sun (57628) 2004-10-13
1.9 Advisory updated by Sun (101555) 2005-08-19
Published by CCN-CERT (CCN, CNI, Ministerio de Defensa)