9523 : Apache HTTP Server mod_ssl Aborted Connection DoS
Printer | http://osvdb.org/9523 | Email This | Edit Vulnerability

Views This Week

1

Views All Time

99

Info

Last Modified

10 months ago

Percent Complete

100%

Disclosure

Jul 07, 2004

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

mod_ssl on Apache 2 contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker forces an SSL connection to abort during a particular state causing the ssl_io_input_getline function to enter into an infinite loop, resulting in a loss of availability for the Apache server.

Classification

Location: Remote/Network Access Required
Attack Type: Denial of Service
Impact: Loss of Availability
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:

1. Disable mod_ssl in your Apache configuration file.

2. Apply appropriate operating system vendor released upgrade.

3. An unstable patch is available.

Products

Apache Software Foundation

Apache

2.0.x

References

Security Tracker: 1011340
Bugtraq ID: 11094
Secunia Advisory ID: 12434 12443 12474 12646 13025
ISS X-Force ID: 17200
CVE ID: 2004-0748 (see also: NVD)
Related OSVDB ID: 9742
Vendor Specific Solution URL: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.124& ......
Other Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000868
http://www.suse.de/de/security/2004_30_apache2.html
Vendor URL: http://httpd.apache.org
http://www.modssl.org/
Vendor Specific Advisory URL: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964
http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01090
RedHat RHSA: RHSA-2004:349-10

Tools & Filters

Nessus	14624 14667 14748 14752 14766 14807 15575 15898

Credit

Keil Hartmut -

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

User Status

Account
- Login
- Sign-Up

Quick Searches

Advertisements

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

© Copyright 2008 Open Source Vulnerability Database (OSVDB), All Rights Reserved.
Privacy Statement - Terms of Use