Short Name |
HTTP:MISC:NEG-CTN-LENGTH-STC
|
Severity |
Medium
|
Recommended |
No
|
Category |
HTTP
|
Keywords |
Negative Content-Length Overflow (STC)
|
Release Date |
2013/09/20
|
Update Number |
2302
|
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vsrx-12.1+
|
HTTP: Negative Content-Length Overflow (STC)
This signature detects a negative Content-Length value. Apache Web servers 1.3.26 through 1.3.32 shipped with mod_proxy, which contains a buffer overflow vulnerability. Attackers can exploit this vulnerability by sending a negative Content-Length value to the server, enabling them to run malicious code or crash the server.
Extended Description
A remote buffer overflow vulnerability exists in Apache mod_proxy.
The source of this issue is that a negative user-specified length value may be used in a memory copy operation, allowing for corruption of memory. This may triggered if a remote server returns a negative Content-Length: HTTP header field to be passed through the proxy.
Exploitation will likely result in a denial of service, though there is an unconfirmed potential for execution of arbitrary code on some platforms (such as BSD implementations). Versions that have the optional AP_ENABLE_EXCEPTION_HOOK define enabled may also be exploitable on some platforms.
This issue affects Apache servers 1.3.26 through 1.3.32 that have mod_proxy enabled and configured. Apache 2.0.x releases are not affected by this issue.
Affected Products
- Apache Software Foundation Apache 1.3.0
- Apache Software Foundation Apache 1.3.1
- Apache Software Foundation Apache 1.3.11
- Apache Software Foundation Apache 1.3.12
- Apache Software Foundation Apache 1.3.14
- Apache Software Foundation Apache 1.3.17
- Apache Software Foundation Apache 1.3.18
- Apache Software Foundation Apache 1.3.19
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
- Apache Software Foundation Apache 1.3.26
- Apache Software Foundation Apache 1.3.27
- Apache Software Foundation Apache 1.3.28
- Apache Software Foundation Apache 1.3.29
- Apache Software Foundation Apache 1.3.3
- Apache Software Foundation Apache 1.3.31
- Apache Software Foundation Apache 1.3.32
- Apache Software Foundation Apache 1.3.4
- Apache Software Foundation Apache 1.3.6
- Apache Software Foundation Apache 1.3.7 -Dev
- Apache Software Foundation Apache 1.3.9
- HP HP-UX 11.0.0
- HP HP-UX 11.11.0
- HP HP-UX 11.20.0
- HP HP-UX 11.22.0
- HP HP-UX B.11.00
- HP HP-UX B.11.11
- HP HP-UX B.11.22
- HP HP-UX (VVOS) 11.0.0 4
- HP OpenVMS Secure Web Server 1.1
- HP OpenVMS Secure Web Server 1.1.0 -1
- HP OpenVMS Secure Web Server 1.2.0
- HP OpenVMS Secure Web Server 2.1-1
- HP VirtualVault 11.0.4
- HP VirtualVault A.04.50
- HP VirtualVault A.04.60
- HP VirtualVault A.04.70
- HP Webproxy 2.0.0
- HP Webproxy 2.1.0
- HP Webproxy A.02.00
- HP Webproxy A.02.10
- IBM HTTP Server 1.3.26
- IBM HTTP Server 1.3.26 .1
- IBM HTTP Server 1.3.26 .2
- IBM HTTP Server 1.3.28
- OpenBSD 3.4
- OpenBSD 3.5
- OpenBSD -Current
- Red Hat Advanced Workstation for the Itanium Processor 2.1.0
- Red Hat Advanced Workstation for the Itanium Processor 2.1.0 IA64
- Red Hat Enterprise Linux AS 2.1
- Red Hat Enterprise Linux AS 2.1 IA64
- Red Hat Enterprise Linux ES 2.1
- Red Hat Enterprise Linux ES 2.1 IA64
- Red Hat Enterprise Linux WS 2.1
- Red Hat Enterprise Linux WS 2.1 IA64
- Red Hat Linux 7.3.0
- SGI ProPack 2.4.0
- Slackware Linux 10.0.0
- Slackware Linux 8.1.0
- Slackware Linux 9.0.0
- Slackware Linux 9.1.0
- Sun Solaris 8 Sparc
- Sun Solaris 8 X86
- Sun Solaris 9 Sparc
- Sun Solaris 9 X86
- Trustix Secure Linux 1.5.0
References