Vigil@nce - Apache HTTP Server: denial of service via mod_dav
July 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send a MERGE query for mod_dav of Apache HTTP
Server, in order to trigger a denial of service.
Impacted products: Apache httpd, MBS, MES
Severity: 2/4
Creation date: 15/07/2013
DESCRIPTION OF THE VULNERABILITY
The mod_dav (DAV, Distributed Authoring and Versioning) module can
be installed in Apache HTTP Server.
The MERGE command of mod_dav_svn applies differences between two
Subversion information sources. However, if this command indicates
an URI which is not configured for DAV, a segmentation fault
occurs in mod_dav.
An attacker can therefore send a MERGE query for mod_dav of Apache
HTTP Server, in order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Apache-HTTP-Server-denial-of-service-via-mod-dav-13117