Plugin ID | 309 |
Plugin name | Apache prior 1.3.31 and prior 2.0.49 error log escape sequence injection |
Plugin filename | Apache prior 1.3.31 and prior 2.0.49 error log escape sequence injection.plugin |
Plugin filesize | 2583 bytes |
Plugin family | HTTP |
Plugin version | 1.1 |
Plugin protocol | tcp |
Plugin port | 80 |
Plugin procedure detection | open|sleep|close|pattern_exists|open|send HEAD / HTTP/1.0\n\n|sleep|close|pattern_exists HTTP/#.# ###*Server: Apache*1.[0-2].* OR HTTP/#.# ###*Server: Apache*1.3.[0-2]* OR HTTP/#.# ###*Server: Apache*1.3.3[0-1]* OR HTTP/#.# ###*Server: Apache*2.0.[0-3]* OR HTTP/#.# ###*Server: Apache*2.0.4[0-9]* |
Plugin detection accuracy | 85 |
Plugin comment | The NASL script is Copyright (C) 2004 George A. Theall |
Bug produced name | Apache Software Foundation |
Bug produced email | apache at apache dot org |
Bug produced web | http://httpd.apache.org |
Bug affected | Apache prior 1.3.31 or prior 2.0.49 |
Bug not affected | Apache newer than 1.3.31 or newer than 2.0.49 |
Bug vulnerability class | Unknown |
Bug description | The target is running an Apache web server which allows for the injection of arbitrary escape sequences into its error logs. An attacker might use this vulnerability in an attempt to exploit similar vulnerabilities in terminal emulators. |
Bug solution | Upgrade to Apache version 1.3.31 or 2.0.49 or newer. |
Bug fixing time | Approx. 20 minutes |
Bug exploit availability | Maybe |
Bug exploit url | http://www.securityfocus.com/bid/9930/exploit/ |
Bug remote | Yes |
Bug local | Yes |
Bug severity | Low |
Bug popularity | 7 |
Bug simplicity | 4 |
Bug impact | 6 |
Bug risk | 4 |
Bug Nessus risk | Low |
Bug check tools | Nessus can check this flaw with the plugin 12239 (Apache Error Log Escape Sequence Injection). |
Source CVE | CAN-2003-0020 |
Source SecurityFocus BID | 9930 |
Source Nessus ID | 12239 |
Source RedHat Security Advisory ID | RHSA-2003-139 |
Source Literature | Hacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427 |
Source Misc. | SuSE-SA:2004:009 |