Security issues affecting Apache httpd 1.3.1

This page gives a list of all the vulnerabilities that are known to affect version 1.3.1 of Apache httpd. Note however that some vendor versions of Apache may already contain backported security patches for some of these issues, so if you're using a vendor-supplied version of Apache contact your vendor for details.

You can also see an alternative view of this data which lists which vulnerabilities were fixed in each version

Apache Week rates the severity of each issue based on the overall impact to users

Examine another version -- 2.0.52 -- 2.0.51 -- 2.0.50 -- 2.0.49 -- 2.0.48 -- 2.0.47 -- 2.0.46 -- 2.0.45 -- 2.0.44 -- 2.0.43 -- 2.0.42 -- 2.0.40 -- 2.0.39 -- 2.0.37 -- 2.0.36 -- 2.0.35 -- 1.3.32 -- 1.3.31 -- 1.3.29 -- 1.3.28 -- 1.3.27 -- 1.3.26 -- 1.3.24 -- 1.3.22 -- 1.3.20 -- 1.3.19 -- 1.3.17 -- 1.3.14 -- 1.3.12 -- 1.3.11 -- 1.3.9 -- 1.3.6 -- 1.3.4 -- 1.3.3 -- 1.3.2 -- 1.3.1 -- 1.3.0

critical: Apache Chunked encoding vulnerability CVE-2002-0392

Requests to all versions of Apache 1.3 can cause various effects ranging from a relatively harmless increase in system resources through to denial of service attacks and in some cases the ability to be remotely exploited.

important: Allow/Deny parsing on big-endian 64-bit platforms CVE-2003-0993

A bug in the parsing of Allow/Deny rules using IP addresses without a netmask on big-endian 64-bit platforms causes the rules to fail to match.

important: Buffer overflows in ab utility CAN-2002-0843

Buffer overflows in the benchmarking utility ab could be exploited if ab is run against a malicious server

important: Shared memory permissions lead to local privilege escalation CAN-2002-0839

The permissions of the shared memory used for the scoreboard allows an attacker who can execute under the Apache UID to send a signal to any process as root or cause a local denial of service attack.

important: Cross-site scripting can reveal private session information CAN-2000-1205

Apache was vulnerable to cross site scripting issues. It was shown that malicious HTML tags can be embedded in client web requests if the server or script handling the request does not carefully encode all information displayed to the user. Using these vulnerabilities attackers could, for example, obtain copies of your private cookies used to authenticate you to other sites.

important: Denial of service attack on Win32

There have been a number of important security fixes to Apache on Windows. The most important is that there is much better protection against people trying to access special DOS device names (such as "nul").

important: Multiple header Denial of Service vulnerability CVE-1999-1199

A serious problem exists when a client sends a large number of headers with the same header name. Apache uses up memory faster than the amount of memory required to simply store the received data itself. That is, memory use increases faster and faster as more headers are received, rather than increasing at a constant rate. This makes a denial of service attack based on this method more effective than methods which cause Apache to use memory at a constant rate, since the attacker has to send less data.

important: Denial of service attacks

Apache 1.3.2 has better protection against denial of service attacks. These are when people make excessive requests to the server to try and prevent other people using it. In 1.3.2 there are several new directives which can limit the size of requests (these directives all start with the word Limit).

moderate: mod_include overflow CAN-2004-0940

A buffer overflow in mod_include could allow a local user who is authorised to create server side include (SSI) files to gain the privileges of a httpd child.

moderate: split-logfile can cause arbitrary log files to be written to CVE-2001-0730

A vulnerability was found in the split-logfile support program. A request with a specially crafted Host: header could allow any file with a .log extension on the system to be written to.

low: Error log escape filtering CVE-2003-0020

Apache does not filter terminal escape sequences from error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.

low: mod_digest nonce checking CAN-2003-0987

mod_digest does not properly verify the nonce of a client response by using a AuthNonce secret. This could allow a malicious user who is able to sniff network traffic to conduct a replay attack against a website using Digest protection. Note that mod_digest implements an older version of the MD5 Digest Authentication specification which is known not to work with modern browsers. This issue does not affect mod_auth_digest.

low: Local configuration regular expression overflow CAN-2003-0542

By using a regular expression with more than 9 captures a buffer overflow can occur in mod_alias or mod_rewrite. To exploit this an attacker would need to be able to create a carefully crafted configuration file (.htaccess or httpd.conf)

low: Error page XSS using wildcard DNS CVE-2002-0840

Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header.

low: Filtered escape sequences CAN-2003-0083

Apache does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences,

critical: Win32 Apache Remote command execution CVE-2002-0061

Apache for Win32 before 1.3.24 and 2.0.34-beta allows remote attackers to execute arbitrary commands via parameters passed to batch file CGI scripts.

important: listening socket starvation CAN-2004-0174

A starvation issue on listening sockets occurs when a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. This issue is known to affect some versions of AIX, Solaris, and Tru64; it is known to not affect FreeBSD or Linux.

important: RotateLogs DoS CAN-2003-0460

The rotatelogs support program on Win32 and OS/2 would quit logging and exit if it received special control characters such as 0x1A.

important: Multiviews can cause a directory listing to be displayed CVE-2001-0731

A vulnerability was found when Multiviews are used to negotiate the directory index. In some configurations, requesting a URI with a QUERY_STRING of M=D could return a directory listing rather than the expected index page.

important: Denial of service attack on Win32 and OS2 CVE-2001-1342

A vulnerability was found in the Win32 and OS2 ports of Apache 1.3. A client submitting a carefully constructed URI could cause a General Protection Fault in a child process, bringing up a message box which would have to be cleared by the operator to resume operation. This vulnerability introduced no identified means to compromise the server other than introducing a possible denial of service.

important: Rewrite rules that include references allow access to any file CVE-2000-0913

The Rewrite module, mod_rewrite, can allow access to any file on the web server. The vulnerability occurs only with certain specific cases of using regular expression references in RewriteRule directives: If the destination of a RewriteRule contains regular expression references then an attacker will be able to access any file on the server.

moderate: Requests can cause directory listing to be displayed on NT CVE-2000-0505

A security hole on Apache for Windows allows a user to view the listing of a directory instead of the default HTML page by sending a carefully constructed request.

moderate: Mass virtual hosting security issue CAN-2000-1206

A security problem can occur for sites using mass name-based virtual hosting (using the new mod_vhost_alias module) or with special mod_rewrite rules.