Plugin ID | 205 |
Plugin name | Apache 2.x HTTPS mod_php hijacking |
Plugin filename | Apache 2.x HTTPS mod_php hijacking.plugin |
Plugin filesize | 3594 bytes |
Plugin family | HTTP |
Plugin created name | Mo |
Plugin created email | momolly at wireless-warrior dot org |
Plugin created web | http://www.wireless-warrior.org |
Plugin created date | 2003/12/30 |
Plugin updated name | Marc Ruef |
Plugin updated email | marc dot ruef at computec dot ch |
Plugin updated web | http://www.computec.ch |
Plugin updated company | computec.ch |
Plugin updated date | 2004/11/13 |
Plugin version | 2.1 |
Plugin changelog | Did some major changes in version 2.0 because this plugin was first written for ATK 1.0 and not released until the release week of ATK 2.1. Corrected the plugin structure and added the accuracy values in 2.1 |
Plugin protocol | tcp |
Plugin port | 80 |
Plugin procedure detection | open|send HEAD / HTTP/1.0\n\n|sleep|close|pattern_exists HTTP/1.[0-1] ### *Server: Apache/4.[2-3]* OR HTTP/1.[0-1] ### *Server: Apache/2.0.* |
Plugin detection accuracy | 80 |
Plugin comment | The trigger works not perfectly. But the last few vulnerable Apache versions could be identified. |
Bug published name | Steve Grubb |
Bug published email | linux_4ever at yahoo dot com |
Bug published date | 2003/12/26 |
Bug advisory | http://www.securityfocus.com/archive/1/348368 |
Bug produced name | Apache Software Foundation |
Bug produced email | apache at apache dot org |
Bug produced web | http://httpd.apache.org |
Bug affected | Mod_php under Apache 2.0.x |
Bug vulnerability class | Configuration |
Bug description | When using mod_php, many file descriptors are leaked to the php script process. If the script page calls external programs by passthru(), exec(), or system(), thedescriptors are leaked to that program as well. One of these descriptors is the listening descriptor to port 443, also known as https. Port 443 is a privileged port and can only be bound to by a root process. It is not normal for that descriptor to be leaked to any or all programs. As a side note, this descriptor seems to be opened by apache regardless of whether or not you use https. |
Bug solution | Upgrade your mod_php to the latest version. |
Bug fixing time | Approx. 20 minutes |
Bug exploit availability | Maybe |
Bug exploit url | http://www.securityfocus.com/bid/9302/exploit/ |
Bug remote | Yes |
Bug local | Yes |
Bug severity | High |
Bug popularity | 8 |
Bug simplicity | 5 |
Bug impact | 8 |
Bug risk | 7 |
Source SecurityFocus BID | 9302 |
Source Secunia ID | 10507 |
Source SecuriTeam URL | http://www.securiteam.com/unixfocus/5JP091FBPI.html |
Source scipID | 460 |
Source Literature | Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X |
Source Misc. | http://www.computec.ch |