
Vigil@nce - Apache httpd: data reading via mod_proxy

August 2010 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/

SYNTHESIS OF THE VULNERABILITY

When mod_proxy is installed on Unix, an attacker can obtain documents
belonging to the session of another user.

Severity: 1/4

Creation date: 30/07/2010

DESCRIPTION OF THE VULNERABILITY

The Apache httpd mod_proxy module is installed between clients and
backend web servers. The mod_proxy module uses HTTP Keep-Alive
connections to backend servers, which are kept open in order to
deliver several documents.

However, on Unix, the timeout state of HTTP Keep-Alive connections
is not processed, and data belonging to another connection can be
returned to the user.

When mod_proxy is installed on Unix, an attacker can therefore obtain
documents belonging to the session of another user. To cause this
error, the attacker has to, for example, slow down the server in
order to generate a timeout.
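
A simplified model of the failure mode described above, as an added example that is not part of the Vigil@nce bulletin and is not Apache httpd code. It shows why a proxy that ignores a timeout on a pooled Keep-Alive backend connection hands the late response to the next client, and how discarding the connection prevents it. All class names, requests and response strings are constructed for illustration, and the 504 status is an assumed proxy reply.

```python
from collections import deque


class BackendConn:
    """One persistent backend connection: replies come back in request order."""

    def __init__(self):
        self.pending = deque()  # replies the backend still owes on this socket

    def send(self, request):
        self.pending.append(f"response-for:{request}")

    def recv(self, backend_is_slow=False):
        # A slow backend means the proxy's read times out before the reply
        # arrives; the reply stays queued on the connection.
        if backend_is_slow:
            raise TimeoutError
        return self.pending.popleft()


class Proxy:
    def __init__(self, handle_timeout):
        self.handle_timeout = handle_timeout
        self.pool = []  # idle Keep-Alive connections available for reuse

    def forward(self, request, backend_is_slow=False):
        conn = self.pool.pop() if self.pool else BackendConn()
        conn.send(request)
        try:
            body = conn.recv(backend_is_slow)
        except TimeoutError:
            if not self.handle_timeout:
                # Flawed: timeout state ignored, connection is reused as-is.
                self.pool.append(conn)
            # Hardened: the timed-out connection is dropped, never pooled.
            return "504 Gateway Timeout"
        self.pool.append(conn)
        return body


def replay(handle_timeout):
    """Client A hits a slow backend, then client B sends an unrelated request."""
    proxy = Proxy(handle_timeout)
    first = proxy.forward("GET /account client=A", backend_is_slow=True)
    second = proxy.forward("GET /index client=B")
    return first, second


if __name__ == "__main__":
    print("timeout ignored:", replay(handle_timeout=False))
    print("timeout handled:", replay(handle_timeout=True))
```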

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/Apache-httpd-data-reading-via-mod-proxy-9801

