Apache Discloses Source Code via POST Requests to a Location with WebDAV and CGI enabled


There is an information leakage in Apache that results from an interaction between WebDAV and CGI.


The original advisory can be downloaded by going to:
The information has been provided by CERT.


Vulnerable systems:
 * Apache version 2.0.42

Immune systems:
 * Apache version 2.0.43

Apache allows remote attackers to obtain the source of CGI scripts that are stored in locations for which both CGI and WebDAV are enabled. When a POST request is sent to a CGI script on an affected server, this vulnerability will cause the source code of the script to be returned to the attacker.

Remote attackers can obtain the source code of CGI scripts located on affected servers.

Apply a patch from your vendor

This vulnerability was addressed in Apache version 2.0.43, available at http://httpd.apache.org/download.cgi. For vendor-specific information regarding this issue, please see the Systems Affected section of this document.
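
To locate the exposure on a server that has not yet been upgraded, the following added example (not part of the original advisory or of Apache) scans httpd configuration text for sections where both `Dav On` and CGI execution are in effect. The sample configuration and its paths are constructed, and the check is a heuristic that follows section nesting only, not Include files, .htaccess or merging of separate sections.

```python
import re

# Real Apache directives: "Dav On" (mod_dav); ExecCGI, cgi-script, ScriptAlias (CGI).
DAV_RE = re.compile(r"^Dav\s+(?!off\b)\S+", re.I)
CGI_RE = re.compile(r"^(Options\b.*(?<!-)\bExecCGI\b|(Set|Add)Handler\s+cgi-script\b)", re.I)
ALIAS_RE = re.compile(r'^ScriptAlias(?:Match)?\s+\S+\s+"?([^"\s]+)', re.I)
OPEN_RE = re.compile(r"^<(\w+)\s+([^>]*)>$")
CLOSE_RE = re.compile(r"^</\w+>$")
# Constructed sample configuration; every path here is made up for the example.
SAMPLE_CONF = """ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Dav On
</Directory>
<Directory /var/www/apps>
    Options +ExecCGI
    <Files "*.cgi">
        Dav On
    </Files>
</Directory>
<Location /uploads>
    Options -ExecCGI
    Dav On
</Location>"""

def find_dav_cgi_overlap(conf_text):
    """Names of sections where WebDAV and CGI are both in effect (via nesting only)."""
    root = dict(name="server config", parent=None, dav=False, cgi=False)
    current, sections, script_dirs = root, [root], []
    for line in map(str.strip, conf_text.splitlines()):
        if (opened := OPEN_RE.match(line)):
            arg = opened.group(2).strip(' "')
            current = dict(name=f"{opened.group(1)} {arg}", parent=current, dav=False, cgi=False)
            sections.append(current)
        elif CLOSE_RE.match(line) and current["parent"]:
            current = current["parent"]
        elif (alias := ALIAS_RE.match(line)):
            script_dirs.append(alias.group(1).rstrip("/"))
        elif DAV_RE.match(line):
            current["dav"] = True
        elif CGI_RE.match(line):
            current["cgi"] = True

    def on(sec, key):  # set in this section or in any enclosing one
        return bool(sec) and (sec[key] or on(sec["parent"], key))
    def aliased(sec):  # a <Directory> at or below a ScriptAlias target
        kind, _, path = sec["name"].partition(" ")
        return kind.lower() == "directory" and any(
            path == d or path.startswith(d + "/") for d in script_dirs)
    return [s["name"] for s in sections if on(s, "dav") and (aliased(s) or on(s, "cgi"))]
```

Any section it reports is a candidate for separating the DAV-enabled path from the CGI path until the server runs 2.0.43.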
