Vigil@nce: Apache httpd, information disclosure via SubRequest
March 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When Apache httpd uses a SubRequest and a multi-threaded MPM, session data can be returned to another user.
Severity: 2/4
Consequences: data reading
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 03/03/2010
IMPACTED PRODUCTS
Apache httpd
Mandriva Corporate
Mandriva Enterprise Server
Mandriva Linux
DESCRIPTION OF THE VULNERABILITY
The MPM (Multi-Processing Module) feature of Apache httpd 2 defines how client sessions are handled. Several modules are available:
prefork: multi-process, but no thread (similar to httpd 1.3)
worker: multi-process and multi-thread
mpm_winnt: multi-thread optimized for Windows
mpmt_os2: multi-process and multi-thread optimized for OS/2
etc.
The administrator chooses the module during Apache server compilation.
Apache uses a "SubRequest" to simulate a new client query. SubRequests are used, for example, for error management or URL rewriting.
When Apache manages a SubRequest, it copies references to headers, instead of copying headers. If a multi-threaded MPM is used, these references can then point to data belonging to another session.
When Apache httpd uses a SubRequest and a multi-threaded MPM, session data can therefore be returned to another user.
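A simplified model of the reference-versus-copy problem described above, added here as an illustration; it is not Apache httpd source code. The `hdr_table` and `subrequest` types, the function names and the session values are hypothetical, and the reuse of the parent's storage by another session is an assumption standing in for a multi-threaded MPM.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HDRS 4
#define VAL_MAX  48

/* Simplified header table; a stand-in for illustration, not httpd's own type. */
typedef struct {
    int n;
    char key[MAX_HDRS][VAL_MAX];
    char val[MAX_HDRS][VAL_MAX];
} hdr_table;

typedef struct {
    const hdr_table *headers_ref; /* flawed: alias of the parent's table  */
    hdr_table headers_own;        /* corrected: private copy of the table */
} subrequest;

/* Parse step of a worker thread: (re)fill a table for a new session. */
static void table_fill(hdr_table *t, const char *cookie) {
    t->n = 1;
    snprintf(t->key[0], VAL_MAX, "Cookie");
    snprintf(t->val[0], VAL_MAX, "%s", cookie);
}

static const char *table_get(const hdr_table *t, const char *key) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->key[i], key) == 0) return t->val[i];
    return NULL;
}

/* Returns the Cookie value the subrequest sees after the parent's storage
 * has been reused for another session (the reuse is the assumed trigger). */
const char *subrequest_view(int deep_copy, subrequest *sr, hdr_table *shared) {
    table_fill(shared, "session=user-A");  /* constructed sample value */
    sr->headers_ref = shared;              /* reference only */
    sr->headers_own = *shared;             /* full copy of the data */
    table_fill(shared, "session=user-B");  /* storage reused */
    return table_get(deep_copy ? &sr->headers_own : sr->headers_ref, "Cookie");
}

int main(void) {
    hdr_table shared; subrequest sr;
    printf("by reference: %s\n", subrequest_view(0, &sr, &shared));
    printf("by copy:      %s\n", subrequest_view(1, &sr, &shared));
    return 0;
}
```

The reference path returns the second session's value, while the copy path still returns the value that belonged to the request that created the SubRequest.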
CHARACTERISTICS
Identifiers: 48359, BID-38494, BID-38580, CVE-2010-0434, MDVSA-2010:057, VIGILANCE-VUL-9490










