Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 68564 - net-www/apache-1.3: buffer overflow in mod_include (CAN-2004-0940)
Summary: net-www/apache-1.3: buffer overflow in mod_include (CAN-2004-0940)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa] vorlon
Depends on:
Reported: 2004-10-22 09:12 UTC by Matthias Geerdsen (RETIRED)
Modified: 2004-11-09 22:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-22 09:12:34 UTC

Fixed in Apache httpd 1.3.33-dev

    moderate: mod_include overflow CAN-2004-0940

    A buffer overflow in mod_include could allow a local user who is authorised to create server side include (SSI) files to gain the privileges of a httpd child.
    Affects: 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0


Secunia Advisory:	SA12898
Release Date:	2004-10-22

Less critical
Impact:	Privilege escalation
Where:	Local system
Solution Status:	Vendor Patch

Software:	Apache 1.3.x

CVE reference:	CAN-2004-0940

Crazy Einstein has discovered a vulnerability in Apache, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to a boundary error in the "get_tag()" function of the "mod_include" module. This can be exploited to cause a buffer overflow when a specially crafted document with malformed server-side includes is requested through a HTTP session.

Successful exploitation can lead to execution of arbitrary code with escalated privileges, but requires that server-side includes (SSI) is enabled.

The vulnerability has been confirmed on version 1.3.31. Other versions may also be affected.

The vulnerability has been fixed in version 1.3.33-dev.

Disable server-side includes (SSI).

Provided and/or discovered by:
Crazy Einstein


SecurityTracker Alert ID:  1011783
SecurityTracker URL:
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 19 2004
Impact:  Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): 1.3.x
Description:  Crazy Einstein reported a buffer overflow in Apache mod_include. A local user may be able to gain elevated privileges.

It is reported that the get_tag() function contains a buffer overflow that can be triggered, for example, from the handle_echo() function. A local user can create specially crafted HTML that, when processed by Apache, will execute arbitrary code with the privileges of the httpd child process.
Impact:  A local user can execute arbitrary code with the privileges of the Apache httpd child process.
Solution:  No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Crazy Einstein <>
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-22 09:41:36 UTC
apache team, pls review/patch as appropriate
Comment 2 rob holland (RETIRED) gentoo-dev 2004-10-25 13:47:43 UTC
commited as 1.3.32-r1
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-25 13:57:46 UTC
thx stuart and tigger

arches, pls test apache-1.3.32-r1 and mark stable if possible

current KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~amd64 ~ia64 ~mips"
target KEYWORDS="x86 ppc sparc alpha hppa amd64 ia64 mips"
Comment 4 Karol Wojtaszek (RETIRED) gentoo-dev 2004-10-25 16:30:59 UTC
Stable on amd64
Comment 5 Jason Wever (RETIRED) gentoo-dev 2004-10-25 17:39:44 UTC
Stable on sparc
Comment 6 Jochen Maes (RETIRED) gentoo-dev 2004-10-25 23:56:37 UTC
stable on ppc
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-26 01:44:53 UTC
Stable on alpha.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-10-28 03:06:32 UTC
Could apache maintainers or someone on x86 test and mark x86 stable ?
Comment 9 Stuart Herbert (RETIRED) gentoo-dev 2004-10-29 01:28:34 UTC

Apache-1.3.33 is now in the tree.  Upstream haven't released a corresponding mod_ssl yet, however, so this ebuild is masked for the moment.

At this rate of Apache releases, we should start thinking about a dedicated apache security & arch test group ;-)

Best regards,
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-29 06:40:28 UTC
arches, mod_ssl-2.8.21 is also needed to be marked stable

current KEYWORDS="x86 ~ppc ~sparc ~alpha ~hppa ~mips"
target KEYWORDS="x86 ppc sparc alpha hppa mips"
Comment 11 Jason Wever (RETIRED) gentoo-dev 2004-10-29 08:50:26 UTC
Stable on sparc.
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-10-29 10:32:26 UTC
Stable on ppc.
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-30 04:49:40 UTC
Stable on alpha.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-31 11:32:22 UTC
mod_ssl-2.8.21 still missing amd64 to test and mark stable
otherwise ready for GLSA
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2004-11-02 02:55:18 UTC
stable on amd64
Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-02 05:34:00 UTC
GLSA 200411-03

hppa, ia64 and mips, please mark stable to benefit from GLSA
Comment 17 Joshua Kinard gentoo-dev 2004-11-07 15:28:10 UTC
mips stable.