Apache 'Options' 和 'AllowOverride' 指令安全

发布时间:2009-06-26浏览次数:2430

 

       安全漏洞:CN-VA09-40
  发布日期:2009年6月2日
  漏洞类型:安全绕过漏洞
  漏洞评估:严重
  受影响的系统:
  RedHat Enterprise Linux Desktop Workstation 5 client
  RedHat Enterprise Linux Desktop 5 client
  RedHat Enterprise Linux 5 server
  MandrakeSoft Linux Mandrake 2009.1 x86_64
  MandrakeSoft Linux Mandrake 2009.1
  MandrakeSoft Linux Mandrake 2009.0 x86_64
  MandrakeSoft Linux Mandrake 2009.0
  MandrakeSoft Linux Mandrake 2008.1 x86_64
  MandrakeSoft Linux Mandrake 2008.1
  MandrakeSoft Linux Mandrake 2008.0 x86_64
  MandrakeSoft Linux Mandrake 2008.0
  MandrakeSoft Corporate Server 4.0 x86_64
  MandrakeSoft Corporate Server 4.0
  Apache Software Foundation Apache 2.2.8
  Apache Software Foundation Apache 2.2.6
  Apache Software Foundation Apache 2.2.5
  Apache Software Foundation Apache 2.2.4
  Apache Software Foundation Apache 2.2.3
  Apache Software Foundation Apache 2.2.2
  Apache Software Foundation Apache 2.2.2
  Apache Software Foundation Apache 2.2.2
  Apache Software Foundation Apache 2.2.2
  Apache Software Foundation Apache 2.2.2
  Apache Software Foundation Apache 2.2.1
  Apache Software Foundation Apache 2.2
  
  漏洞描述:
  Apache HTTP server 在处理"AllowOverride"和"options"指令时存在漏洞,局域网攻击者可以利用漏洞在网络服务器进程范围内执行任意代码,进而导致攻击者权限提升或发起进一步的攻击。目前厂商已经提供解决方案,请广大用户及时下载更新。
  
  参考信息:
  http://www.doecirc.energy.gov/bulletins/t-149.shtml
  http://www.apache.org/
  http://www.securityfocus.com/bid/35115
  http://www.apache.org/dist/httpd/CHANGES_2.2
  
  信息提供者:
  Apache
  
  其它信息:
  
  相关CVE编号:
  CVE-2009-1195
  
  漏洞报告文档编写:
  
  CNCERT/CC
  
  安全公告文档编写:
  
  CNCERT/CC