Apache HTTP Server mod_cgid module information disclosure

apache-modcgi-info-disclosure (13552) The risk level is classified as MediumMedium Risk

Description:

Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by improper handling of the AF_UNIX socket by the mod_cgid module. If a threaded MPM is used, a local attacker could cause CGI output to be sent to the incorrect client.


Consequences:

Obtain Information

Remedy:

Upgrade to the latest version of Apache HTTP Server (2.0.48 or later), available from the Apache Web site. See References.

For Gentoo Linux:
Upgrade to the latest version of net-www/apache (2.0.48 or later), as listed in Gentoo Linux Security Announcement 200310-04. See References.

For Mandrake Linux:
Upgrade to the latest apace package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:103 : apache for more information. See References.

Mandrake Linux 9.0 and Corporate Server 2.1: 1.3.26-6.3.90mdk or later
Mandrake Linux 9.1: 1.3.27-8.1.91mdk or later
Mandrake Linux 9.2: 1.3.28-3.1.92mdk or later
Mandrake Multi Network Firewall 8.2: 1.3.23-4.3.M82mdk or later

For Conectiva Linux:
Upgrade to the latest apache package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2003:775 for more information. See References.

Conectiva Linux 7.0: 1.3.28-1U70_2cl or later
Conectiva Linux 8: 1.3.28-1U80_2cl or later
Conectiva Linux 9: 2.0.45-2879OU90_5cl or later

For Trustix Secure Linux 1.2, 1.5, and 2.0:
Upgrade to the latest apache package (1.3.29-1tr or 2.0.48-1tr or later), as listed in Trustix Secure Linux Security Advisory #2003-0041. See References.

For Red Hat Linux:
Upgrade to the latest httpd package, as listed below. Refer to RHSA-2003:320-09 for more information. See References.

Red Hat 8.0: 2.0.40-11.9 or later
Red Hat 9: 2.0.40-21.9

For HP-UX 11.00, 11.11, 11.20, and 11.22 :
Apply the appropriate patch for your system, as listed in HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0311-301. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Apache HTTP Server 2.0
  • Apache HTTP Server 2.0 A9
  • Apache HTTP Server 2.0.28 Beta
  • Apache HTTP Server 2.0.28
  • Apache HTTP Server 2.0.32
  • Apache HTTP Server 2.0.32 Beta
  • Apache HTTP Server 2.0.34 Beta
  • Apache HTTP Server 2.0.35
  • Apache HTTP Server 2.0.36
  • Apache HTTP Server 2.0.37
  • Apache HTTP Server 2.0.38
  • Apache HTTP Server 2.0.39
  • Apache HTTP Server 2.0.40
  • Apache HTTP Server 2.0.41
  • Apache HTTP Server 2.0.42
  • Apache HTTP Server 2.0.43
  • Apache HTTP Server 2.0.44
  • Apache HTTP Server 2.0.45
  • Apache HTTP Server 2.0.46
  • Apache HTTP Server 2.0.47
  • Apache HTTP Server 2.0.48
  • Conectiva Linux 7.0
  • Conectiva Linux 8.0
  • Conectiva Linux 9.0
  • Gentoo Linux
  • HP HP-UX 11.00
  • HP HP-UX 11.11
  • HP HP-UX 11.20
  • HP HP-UX 11.22
  • MandrakeSoft Mandrake Linux 9.0
  • MandrakeSoft Mandrake Linux 9.1
  • MandrakeSoft Mandrake Linux 9.1 PPC
  • MandrakeSoft Mandrake Linux 9.2
  • MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
  • MandrakeSoft Mandrake Linux Corporate Server 2.1
  • MandrakeSoft Mandrake Multi Network Firewall 8.2
  • RedHat Linux 8.0
  • RedHat Linux 9.0
  • Trustix Secure Linux 1.2
  • Trustix Secure Linux 1.5
  • Trustix Secure Linux 2.0

Reported:

Oct 24, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page