CVE-2012-0053

Apache HTTP Server <2.2.21 - Info Disclosure

Title source: llm

Description

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

Exploits (1)

exploitdb WORKING POC VERIFIED
by pilate · html · remote · multiple
https://www.exploit-db.com/exploits/18442

Scores

EPSS 0.5595
EPSS Percentile 98.1%

Details

Status published
Products (13)
apache/http_server 2.0.0 - 2.0.65
debian/debian_linux 5.0
debian/debian_linux 6.0
debian/debian_linux 7.0
opensuse/opensuse 11.4
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_eus 6.2
redhat/enterprise_linux_server 6.0
redhat/enterprise_linux_workstation 6.0
redhat/jboss_enterprise_web_server 1.0.0
... and 3 more
Published Jan 28, 2012
Tracked Since Feb 18, 2026