Apache 2.x HTTPS mod_php hijacking 2.1
 
Plugin ID: 205
Plugin name: Apache 2.x HTTPS mod_php hijacking
Plugin filename: Apache 2.x HTTPS mod_php hijacking.plugin
Plugin filesize: 3594 bytes
Plugin family: HTTP
Plugin created name: Mo
Plugin created email: momolly at wireless-warrior dot org
Plugin created web: http://www.wireless-warrior.org
Plugin created date: 2003/12/30
Plugin updated name: Marc Ruef
Plugin updated email: marc dot ruef at computec dot ch
Plugin updated web: http://www.computec.ch
Plugin updated company: computec.ch
Plugin updated date: 2004/11/13
Plugin version: 2.1
Plugin changelog: Did some major changes in version 2.0 because this plugin was first written for ATK 1.0 and not released until the release week of ATK 2.1. Corrected the plugin structure and added the accuracy values in 2.1
Plugin protocol: tcp
Plugin port: 80
Plugin procedure detection: open|send HEAD / HTTP/1.0\n\n|sleep|close|pattern_exists HTTP/1.[0-1] ### *Server: Apache/4.[2-3]* OR HTTP/1.[0-1] ### *Server: Apache/2.0.*
Plugin detection accuracy: 80
Plugin comment: The trigger does not work perfectly. But the last few vulnerable Apache versions could be identified.
Bug published name: Steve Grubb
Bug published email: linux_4ever at yahoo dot com
Bug published date: 2003/12/26
Bug advisory: http://www.securityfocus.com/archive/1/348368
Bug produced name: Apache Software Foundation
Bug produced email: apache at apache dot org
Bug produced web: http://httpd.apache.org
Bug affected: Mod_php under Apache 2.0.x
Bug vulnerability class: Configuration
Bug description: When using mod_php, many file descriptors are leaked to the php script process. If the script page calls external programs by passthru(), exec(), or system(), the descriptors are leaked to that program as well. One of these descriptors is the listening descriptor to port 443, also known as https. Port 443 is a privileged port and can only be bound to by a root process. It is not normal for that descriptor to be leaked to any or all programs. As a side note, this descriptor seems to be opened by apache regardless of whether or not you use https.
Bug solution: Upgrade your mod_php to the latest version.
Bug fixing time: Approx. 20 minutes
Bug exploit availability: Maybe
Bug exploit url: http://www.securityfocus.com/bid/9302/exploit/
Bug remote: Yes
Bug local: Yes
Bug severity: High
Bug popularity: 8
Bug simplicity: 5
Bug impact: 8
Bug risk: 7
Source SecurityFocus BID: 9302
Source Secunia ID: 10507
Source SecuriTeam URL: http://www.securiteam.com/unixfocus/5JP091FBPI.html
Source scipID: 460
Source Literature: Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X
Source Misc.: http://www.computec.ch

This file was generated by the Attack Tool Kit (ATK), the open-sourced security scanner and exploiting framework.