oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2011-3368 suggested patch incomplete for apache2 < 2.2.18

From: Marcus Meissner <meissner () suse de>
Date: Wed, 26 Oct 2011 18:02:00 +0200
Hi,

during our QA we noticed that the mod_proxy fix for CVE-2011-3368
was incomplete for HTTP 0.9 style requests. 

https://bugzilla.novell.com/show_bug.cgi?id=722545

to cross check, with the RewriteRules setup as in the exploit:

$ telnet testhost 80
GET @www.otherhost/foo.png
... should give a 400 error, and not the 404 code from www.otherhost

Ciao, Marcus
Previous By Date Next
Previous By Thread Next

Current thread: