oss-sec mailing list archives
Re: Potential CVE request: flaw in comment handling
From: cve-assign () mitre org
Date: Thu, 16 Apr 2015 17:15:44 -0400 (EDT)
we were notified of a flaw in the way Apache's mod_access_compat and mod_authz_host handled comments in configuration files. When a comment was defined on the same line that contained an "Allow" directive, any potential IP ranges in that comment were also allowed to access a resource.
Reproducer:

...
Allow from 127.0.0.1 # not 10
This flaw was fixed in:
https://github.com/apache/httpd/commit/5e1affc271a429f267198eee61fce2b209a83c66

The docs do specify that comments are not allowed on the same line:
"There must be no other characters or white space between the backslash and the end of the line."
[https://httpd.apache.org/docs/2.2/configuring.html#syntax]
This doesn't seem to be the applicable documentation for your reproducer. The documentation says:

  Lines that begin with the hash character "#" are considered comments, and are ignored. Comments may not be included on the same line as a configuration directive.
MITRE, does this qualify for a CVE?
We can't make that decision without knowing the perspective of the upstream vendor. Because the upstream vendor has a process for assigning CVE IDs, we feel it would be simplest and best here to use that process, even if it is often not used in cases of publicly known vulnerabilities. See the security () apache org address on the http://www.apache.org/security/committers.html page.

It's their decision on how to proceed; possibilities include:

- no CVE because the behavior with a # character is undefined
- a single CVE for both because they intended "Comments may not be included" to only mean that a syntax error would be reported
- a CVE only for mod_authz_host because they had actually wanted to support # comments for that one

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
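
An added example, not part of the original message or of Apache's code: a small configuration audit that flags host-based access directives carrying a `#` token on the same line, the pattern in the reproducer above. Checking `Deny from` and `Require ip/host` in addition to `Allow from`, joining backslash-continued lines before checking, and the names `find_inline_comments` and `logical_lines` are assumptions of this example.

```python
import re

# mod_access_compat (Allow/Deny from) and mod_authz_host (Require ip/host);
# checking more than the report's "Allow" is this example's assumption.
DIRECTIVE = re.compile(
    r"^\s*(allow\s+from|deny\s+from|require\s+(?:ip|host))\s+(.*)$", re.I)

def logical_lines(text):
    """Yield (first_line_no, line), joining backslash-continued lines."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        start = num if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # input ended on a continuation
        yield start, buf

def find_inline_comments(text):
    """Report access directives that carry a '#' token on the same line."""
    findings = []
    for num, line in logical_lines(text):
        m = DIRECTIVE.match(line)  # whole-line comments never match
        if not m:
            continue
        args = m.group(2).split()
        cut = next((i for i, t in enumerate(args) if t.startswith("#")), None)
        if cut is not None:
            findings.append({
                "line": num, "directive": " ".join(m.group(1).split()),
                "intended": args[:cut],
                # Tokens after '#'; the report says IP ranges here were allowed.
                "stray": [t.lstrip("#") for t in args[cut:] if t.lstrip("#")],
            })
    return findings

# Constructed sample; line 3 is the reproducer line quoted in the report.
SAMPLE = """\
# Allow from 192.0.2.0/24
Deny from all
Allow from 127.0.0.1 # not 10
Allow from 192.0.2.10 \\
    #198.51.100.0/24
Require ip 203.0.113.5
"""
if __name__ == "__main__":
    print(find_inline_comments(SAMPLE))
```

Each finding separates the arguments written before the `#` from the tokens after it, so a reviewer can see which strings might have been read as extra hosts or ranges.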
Current thread:
- Potential CVE request: flaw in comment handling Martin Prpic (Apr 16)
- Re: Potential CVE request: flaw in comment handling cve-assign (Apr 16)