Информационная безопасность
[RU] switch to English

Дополнительная информация

  Утечка информации через mod_proxy_http в Apache

  [ MDVSA-2010:153 ] apache

Date:14 июня 2010 г.
Subject:[advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Vulnerability; httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Classification; important


   A timeout detection flaw in the httpd mod_proxy_http module causes
   proxied response to be sent as the response to a different request,
   and potentially served to a different client, from the HTTP proxy
   pool worker pipeline.

   This may represent a confidential data revealing flaw.

   This affects only Netware, Windows or OS2 builds of httpd version
   2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha, when the proxy
   worker pools have been enabled.  Earlier 2.2, 2.0 and 1.3 releases
   were not affected.


   We would like to thank Loren Anderson for the thorough research
   and reporting of this flaw.


   Apply any one of the following mitigations to avert the possibility
   of confidential information disclosure.

   * Do not load mod_proxy_http.

   * Do not configure/enable any http proxy worker pools with ProxySet
     or ProxyPass optional arguments.

   * The straightforward workaround to disable mod_proxy_http's reuse
     of backend connection pipelines is to set the following global

       SetEnv proxy-nokeepalive 1

   * Replace mod_proxy_http.so with a patched version, for source code
     see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or
     http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for
     binaries see the http://www.apache.org/dist/httpd/binaries/ tree
     for win32 or netware, as appropriate.

   * Upgrade to Apache httpd 2.2.16 or higher, once released.  There
     is no tentative release date scheduled.

Update Released; 11th June 2010

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород