CVE-2012-0053 Information
Share on:Description
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
Reference
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041 http://httpd.apache.org/security/vulnerabilities_22.html http://kb.juniper.net/JSA10585 http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00026.html http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00002.html http://marc.info/?l=bugtraq&m=133294460209056&w=2 http://marc.info/?l=bugtraq&m=133494237717847&w=2 http://marc.info/?l=bugtraq&m=133951357207000&w=2 http://marc.info/?l=bugtraq&m=136441204617335&w=2 http://rhn.redhat.com/errata/RHSA-2012-0128.html http://rhn.redhat.com/errata/RHSA-2012-0542.html http://rhn.redhat.com/errata/RHSA-2012-0543.html http://secunia.com/advisories/48551 http://support.apple.com/kb/HT5501 http://svn.apache.org/viewvc?view=revision&revision=1235454 http://www.debian.org/security/2012/dsa-2405 http://www.mandriva.com/security/advisories?name=MDVSA-2012:012 http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html http://www.securityfocus.com/bid/51706 https://bugzilla.redhat.com/show_bug.cgi?id=785069 https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@3Ccvs.httpd.apache.org3E