Vigil@nce - Apache httpd: denial of service via mod_cgid
July 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is allowed to upload a malicious CGI script on
the server, can block mod_cgid of Apache httpd, in order to
trigger a denial of service.
Impacted products: Apache httpd
Severity: 1/4
Creation date: 17/07/2014
DESCRIPTION OF THE VULNERABILITY
The mod_cgid module of Apache httpd manages CGI scripts.
However, if a CGI script does not consume its standard input, the
child process hangs indefinitely.
An attacker, who is allowed to upload a malicious CGI script on
the server, can therefore block mod_cgid of Apache httpd, in order
to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-httpd-denial-of-service-via-mod-cgid-15070