Vigil@nce - mod_nss: information disclosure via NSSVerifyClient
December 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can access to a resource without sending a client
certificate, even if the NSSVerifyClient directive of mod_nss
requires it, in order to obtain sensitive information.
– Impacted products: Apache httpd, Fedora, RHEL
– Severity: 2/4
– Creation date: 05/12/2013
DESCRIPTION OF THE VULNERABILITY
The mod_nss module can be installed on Apache httpd, and uses
NSPR/NSS to manage SSL sessions.
The NSSVerifyClient directive indicates if the client has to send
an X.509 certificate, in order to access to a resource. However,
if the certificate is not required globally, and if it is only
required in a sub-directory, then the access logic is invalid.
An attacker can therefore access to a resource without sending a
client certificate, even if the NSSVerifyClient directive of
mod_nss requires it, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/mod-nss-information-disclosure-via-NSSVerifyClient-13877