ISS X-Force Database: apache-moddiskcache-obtain-info(15547): Apache HTTP Server mod_disk

Apache HTTP Server mod_disk_cache local information disclosure

apache-moddiskcache-obtain-info (15547)

Medium Risk

Description:

Apache HTTP Server could allow a local attacker to obtain sensitive information. The mod_disk_cache module stores cached client authentication credentials on the local hard disk. If the mod_disk_cache module is enabled, a local attacker could use this information to obtain sensitive information including passwords in plain text.

Consequences:

Obtain Information

Remedy:

For Gentoo Linux:
Upgrade to the latest version of apache (2.0.49 or later), as listed in GLSA 200403-04. See References.

References:

Apache HTTP Server Project Web site: Welcome! - The Apache HTTP Server Project.
BugTraq Mailing List, Sat Mar 20 2004 - 10:00:37 CST: Apache mod_disk_cache stores client authentication credentials on .
GLSA 200403-04: Multiple security vulnerabilities in Apache 2. (From LinuxSecurity archive)
BID-9933: Apache mod_disk_cache Module Client Authentication Credential Storage Weakness
CVE-2004-1834: mod_disk_cache in Apache 2.0 through 2.0.49 stores client headers, including authentication information, on the hard disk, which could allow local users to gain sensitive information.
OSVDB ID: 4446: Apache HTTP Server mod_disk_cache Stores Credentials
RHSA-2004-562: httpd security update
SA11176: Apache 2 mod_disk_cache Stores Credentials
SA19072: Sun Solaris Multiple Apache2 Vulnerabilities
SECTRACK ID: 1009509: Apache mod_disk_cache Stores Authentication Credentials on Disk
VUPEN/ADV-2006-0789: Sun Security Update Fixes Multiple Apache Web Server Vulnerabilities

Platforms Affected:

Apache HTTP Server 2.0
Apache HTTP Server 2.0.28
Apache HTTP Server 2.0.28 Beta
Apache HTTP Server 2.0.32
Apache HTTP Server 2.0.35
Apache HTTP Server 2.0.36
Apache HTTP Server 2.0.37
Apache HTTP Server 2.0.38
Apache HTTP Server 2.0.39
Apache HTTP Server 2.0.40
Apache HTTP Server 2.0.41
Apache HTTP Server 2.0.42
Apache HTTP Server 2.0.43
Apache HTTP Server 2.0.44
Apache HTTP Server 2.0.45
Apache HTTP Server 2.0.46
Apache HTTP Server 2.0.47
Apache HTTP Server 2.0.48
Apache HTTP Server 2.0.49
Apache HTTP Server 2.0.9A
Gentoo Linux
RedHat Enterprise Linux 3 ES
RedHat Enterprise Linux 3 AS
RedHat Enterprise Linux 3 Desktop
RedHat Enterprise Linux 3 WS

Reported:

Mar 20, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page