Apache HTTP server Apple HFS+ filesystem obtain information

apache-hfs-obtain-info (18349)

Medium Risk

Description:

Apache HTTP server running on Mac OS X versions 10.3.6 and 10.2.8 with the Apple HFS+ filesystem could allow a remote attacker to obtain sensitive information. By sending a specially-crafted HTTP request, a remote attacker could bypass the Apache file handler and gain unauthorized access to file data and resource fork content.

Platforms Affected:

• Apache, HTTP Server
• Apple, Mac OS X 10.2.8
• Apple, Mac OS X 10.3.6
• Apple, Mac OS X Server 10.2.8
• Apple, Mac OS X Server 10.3.6

Remedy:

Apply Security Update 2004-12-02, as listed in AppleCare Knowledge Base Document 61798. See References.

Consequences:

Obtain Information

References:

• AppleCare Knowledge Base Document 300422, Mac OS X Server: Protection for sensitive files when using Apache on an HFS+ volume at http://docs.info.apple.com/article.html?artnum=300422.
• AppleCare Knowledge Base Document 61798, Security Update 2004-12-02 at http://docs.info.apple.com/article.html?artnum=61798.
• CIAC Information Bulletin P-049, Apple Security Update 2004-12-02 at http://www.ciac.org/ciac/bulletins/p-049.shtml.
• CIAC Information Bulletin P-276, Apple Security Update 2005-007 at http://www.ciac.org/ciac/bulletins/p-276.shtml.
• BID-11802: Apple Mac OS X Multiple Remote And Local Vulnerabilities
• BID-14567: Apple Mac OS X Multiple Vulnerabilities
• CVE-2004-1084: Apache for Apple Mac OS X 10.2.8 and 10.3.6 allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+, which bypass Apache file handles.
• SA13362: Mac OS X Security Update Fixes Multiple Vulnerabilities

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page