Apache mod_proxy_http information leak (updated since 14.06.2010)

| Published: | 19.08.2010 |
| Source: | BUGTRAQ |
| SecurityVulns ID: | 10925 |
| Type: | remote |
| Level: | 4/10 |
| Description: | Under some conditions, server reply may be sent to wrong client. |
| Affected: | APACHE : Apache 2.2 |
| CVE: | CVE-2010-2791 (mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.) |
| | CVE-2010-2068 (mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request.) |