‘Apache Discloses Source Code via POST Requests to a Location with WebDAV and CGI enabled’

Summary

‘There is an information leakage in Apache that results from an interaction between WebDAV and CGI.’

Credit:

‘The original advisory can be downloaded by going to:
http://www.kb.cert.org/vuls/id/910713
The information has been provided by CERT.’


Details

Vulnerable systems:
 * Apache version 2.0.42

Immune systems:
 * Apache version 2.0.43

Apache allows remote attackers to obtain the source of CGI scripts that are stored in locations for which both CGI and WebDAV are enabled. When a POST request is sent to a CGI script on an affected server, this vulnerability will cause the source code of the script to be returned to the attacker.

Impact:
Remote attackers can obtain the source code of CGI scripts located on affected servers.

Solution:
Apply a patch from your vendor.

This vulnerability was addressed in Apache version 2.0.43, available at http://httpd.apache.org/download.cgi. For vendor-specific information regarding this issue, please see the Systems Affected section of this document.
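
To locate the configurations this advisory describes, the following added example (not part of the CERT advisory or of Apache's own code) scans httpd configuration text for sections where WebDAV and CGI execution are both in effect. The function name, the sample paths and the simplified inheritance model (textual nesting only) are assumptions made for illustration.

```python
# Added example, not from the advisory. Simplified model: settings inherit
# only through textual nesting; Include files and .htaccess are not read.
def find_dav_cgi_overlap(conf_text):
    """Return labels of config sections where Dav and CGI are both on."""
    stack = [{"label": "(server config)", "dav": False, "cgi": False}]
    hits = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if len(stack) > 1:
                sec = stack.pop()
                if sec["dav"] and sec["cgi"]:
                    hits.append(sec["label"])
            continue
        if line.startswith("<"):
            stack.append(dict(stack[-1], label=line.strip("<>")))
            continue
        name, *args = line.split()
        name, sec = name.lower(), stack[-1]
        if name == "dav" and args:
            sec["dav"] = args[0].lower() != "off"
        elif name == "options" and args:
            if not any(a[0] in "+-" for a in args):
                sec["cgi"] = False  # absolute form replaces inherited options
            for a in args:
                if a.lstrip("+-").lower() in ("execcgi", "all"):
                    sec["cgi"] = not a.startswith("-")
        elif name in ("sethandler", "addhandler") and args:
            if args[0].lower() == "cgi-script":
                sec["cgi"] = True  # conservative: handler mapping counts as CGI
    hits += [s["label"] for s in stack if s["dav"] and s["cgi"]]
    return hits

# Constructed sample configuration; all paths are hypothetical.
SAMPLE_CONF = """
<Directory "/var/www/shared">
    Dav On
    Options +ExecCGI
    AddHandler cgi-script .cgi
</Directory>
<Location /uploads>
    Dav On
    Options -ExecCGI
</Location>
"""
if __name__ == "__main__":
    print(find_dav_cgi_overlap(SAMPLE_CONF))
```

Sections reported by the check are candidates for separating the WebDAV and CGI locations, in addition to upgrading to 2.0.43.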
