Computer Security


Apache apr-util webDav DoS
updated since 02.06.2009
Published: 05.06.2009
Source:
SecurityVulns ID: 9954
Type: remote
Threat Level: 5/10
Description: Memory consumption on a large number of Entity elements.
Affected: APACHE : Apr-util 1.2
CVE: CVE-2009-1956 (Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.)
 CVE-2009-1955 (The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.)
 CVE-2009-0023 (The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow.)
Original document: DEBIAN, [SECURITY] [DSA 1812-1] New apr-util packages fix several vulnerabilities (05.06.2009)
 Kingcope Kingcope, The father of all bombs - another webdav fiasco (02.06.2009)
Files: Apache mod_dav / svn Remote Denial of Service Exploit

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod