Multiple vulnerabilities were identified in IBM HTTP Server (IHS), which could be exploited by attackers to execute arbitrary commands or bypass certain security policies.
The first flaw is due to an error when IHS handles byterange requests to CGI scripts, which could be exploited by remote attackers to exhaust all RAM and swap space on the server and cause a denial of service. For additional information, see: FrSIRT/ADV-2005-1526
The second vulnerability is due to an integer overflow error in PCRE [pcre_compile.c] when handling specially crafted regular expressions, which could be exploited by malicious users to gain elevated privileges via a malicious ".htaccess" file. For additional information, see: FrSIRT/ADV-2005-1628
The third issue is due to a memory leak in the "accept()" error paths in "worker.c".
The fourth flaw occurs when processing an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header, which could be exploited to conduct "HTTP Request Smuggling" attacks.
The fifth issue is due to a buffer overflow error in "mod_cgid" when processing "ScriptSock" directives, which could be exploited by attackers to execute arbitrary commands.
The sixth vulnerability is due to an error when handling terminal escape sequences from error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
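The sixth issue is a log-injection problem: whatever an attacker puts in a request line or header can end up verbatim in the error log, and a terminal that later displays that log will interpret any escape sequences it contains. The mitigation is to neutralise control characters before the line is written. The following is an added illustration of that check, not IBM HTTP Server or Apache code; it escapes each C0/C1 control byte as a C-style \xNN sequence (similar in spirit to the escaping Apache's ap_escape_logitem applies), and the sample request line is constructed for the example.

```python
"""Neutralise terminal escape sequences before a value reaches an error log.
Added illustration for this advisory; not IBM HTTP Server code."""
import re

# ESC (0x1b) introduces CSI/OSC sequences and 0x9b is the 8-bit CSI; every
# other C0/C1 control (except HTAB) also has no business in a one-line log
# record, and CR/LF would let an attacker forge additional log lines.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def sanitize_log_field(text: str) -> str:
    """Replace each control character with its \\xNN escape so the record
    stays on one line and a terminal viewer renders the bytes rather than
    obeying them."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def format_error_record(client: str, message: str) -> str:
    """Build an error-log record from attacker-influenced fields, sanitising
    each field separately so neither can break the record's framing."""
    return "[error] [client %s] %s" % (sanitize_log_field(client),
                                       sanitize_log_field(message))


if __name__ == "__main__":
    # Constructed sample: a request line carrying an ANSI "clear screen" sequence.
    print(format_error_record("192.0.2.10", "Invalid URI in request GET /\x1b[2J HTTP/1.0"))
    # prints: [error] [client 192.0.2.10] Invalid URI in request GET /\x1b[2J HTTP/1.0
```

Escaping rather than stripping keeps the evidence in the log: an analyst still sees that the request contained an escape sequence, which is itself a useful indicator.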
The seventh flaw resides in "mod_dav" and could be exploited by remote attackers to cause a denial of service via a certain sequence of LOCK requests.
The eighth issue is due to an error when handling HTTP GET requests with MIME headers containing multiple lines with a large number of space characters, which could cause a denial of service.
The ninth problem resides in the IPv6 URI parsing routines, which could be exploited to cause a denial of service.
The tenth flaw is due to a buffer overflow error when extremely large environment variables are referenced in "httpd.conf" or ".htaccess", which could be exploited by local attackers to execute arbitrary commands.
The eleventh vulnerability resides in the "ap_get_mime_headers_core" function when handling malformed headers, which could be exploited by attackers to cause a DoS.
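Three of the issues above (the fourth, eighth and eleventh) are failures of strict request-header handling: a request that carries both "Transfer-Encoding: chunked" and "Content-Length" has ambiguous body framing, so a front end and back end that disagree on which header wins can be desynchronised; header lines padded with huge whitespace runs and malformed header lines are the other two inputs a lenient parser should have refused. The block below is an added example of the defensive checks a strict front-end parser or reverse proxy would apply; it is not IBM HTTP Server or Apache code. The size limits and the sample request heads are constructed for the illustration (the line-length cap happens to match Apache's LimitRequestFieldSize default, the whitespace cap is an assumption).

```python
"""Strict request-head checks for the header-handling issues in this advisory.
Added illustration; not IBM HTTP Server code. Limits are assumed values."""
import re

MAX_HEADER_LINE = 8190   # assumed cap on one header line (Apache's LimitRequestFieldSize default)
MAX_SPACE_RUN = 256      # assumed cap on a run of SP/HTAB inside a header line

# RFC 7230 token characters; header field names must be tokens, so a space
# before the colon is malformed rather than something to "tolerate".
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_request_head(raw: bytes):
    """Split a request head into (request_line, [(lowercased name, value), ...]).
    Raises ValueError on anything a strict parser should refuse outright."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "strict")
    headers = []
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE:
            raise ValueError("header line too long")
        run = max((len(m) for m in re.findall(rb"[ \t]+", line)), default=0)
        if run > MAX_SPACE_RUN:
            raise ValueError("%d-char whitespace run in header line" % run)
        if line[:1] in (b" ", b"\t"):
            # obsolete line folding: append to the previous field's value
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name.decode("latin-1")):
            raise ValueError("malformed header line: %r" % line[:40])
        headers.append((name.decode("ascii").lower(), value.strip()))
    return request_line, headers


def audit_request(raw: bytes):
    """Return a list of findings; an empty list means the head passed every check.
    Each finding starts with 'reject:' because the safe response is a 400, not a guess."""
    try:
        _req, headers = parse_request_head(raw)
    except ValueError as exc:
        return ["reject: %s" % exc]
    names = [n for n, _ in headers]
    findings = []
    # Ambiguous framing: RFC 2616 4.4 / RFC 7230 3.3.3 say Transfer-Encoding
    # wins, but two hops that disagree are exactly what request smuggling needs.
    if "transfer-encoding" in names and "content-length" in names:
        findings.append("reject: both Transfer-Encoding and Content-Length (ambiguous framing)")
    if names.count("content-length") > 1:
        findings.append("reject: duplicate Content-Length")
    return findings


# Constructed sample request heads (no bodies) for the checks above.
CLEAN_HEAD = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
AMBIGUOUS_HEAD = (b"POST /cgi-bin/app HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n")
PADDED_HEAD = (b"GET / HTTP/1.1\r\nHost: example.test\r\nX-A: x\r\n"
               + b" " * 300 + b"y\r\n\r\n")

if __name__ == "__main__":
    for label, head in (("clean", CLEAN_HEAD), ("ambiguous", AMBIGUOUS_HEAD), ("padded", PADDED_HEAD)):
        print(label, audit_request(head) or "ok")
```

The parser rejects rather than "repairs": normalising an ambiguous request (for example dropping Content-Length and forwarding it) is safe only if every hop behind the proxy makes the same choice, which is precisely the assumption smuggling breaks.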
The twelfth issue is due to an unspecified error in "mod_ibm_ssl" when client authentication is used, which could be exploited by attackers to cause a denial of service.
ChangeLog
2005-10-19 : Initial release