Vigil@nce - Apache HTTP Server: denial of service via mod_dav
July 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send a MERGE query for mod_dav of Apache HTTP Server, in order to trigger a denial of service.
Impacted products: Apache httpd, MBS, MES
Creation date: 15/07/2013
DESCRIPTION OF THE VULNERABILITY
The mod_dav (DAV, Distributed Authoring and Versioning) module can be installed in Apache HTTP Server.
The MERGE command of mod_dav_svn applies differences between two Subversion information sources. However, if this command indicates an URI which is not configured for DAV, a segmentation fault occurs in mod_dav.
An attacker can therefore send a MERGE query for mod_dav of Apache HTTP Server, in order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN