{"vuid":"VU#165803","idnumber":"165803","name":"Apache Web Server ap_log_rerror() function discloses full path to CGI script","keywords":["Apache Web Server","ap_log_rerror() function","path disclosure","CGI script"],"overview":"There is a vulnerability in Apache 2.0 through 2.035 that could disclose the real path to a CGI script or other file.","clean_desc":"A vulnerability in the Apache web server could disclose sensitive information. Quoting from the Apache Change Log: *) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to explicitly tell the server that warning messages should be sent to the client in addition to being recorded in the error log. Prior to this change, ap_log_rerror() always sent warning messages to the client. In one case, a faulty CGI script caused the server to send a warning message to the client that contained the full path to the CGI script. This could be considered a minor security exposure. [Bill Stoddard] This vulnerability may disclose sensitive information.","impact":"Sensitive information may be disclosed.","resolution":"If you are running version 2.0, upgrade to Apache 2.036 or later.","workarounds":"","sysaffected":"","thanks":"Our thanks to the Apache group for their change log.","author":"This document was written by Shawn V Hernan, based upon information in the Apache Change Log.","public":["http://www.apache.org/dist/httpd/CHANGES_2.0"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-05-08T13:11:35Z","publicdate":"2002-05-06T00:00:00Z","datefirstpublished":"2002-07-11T21:16:07Z","dateupdated":"2002-07-11T21:16:07Z","revision":5,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"13","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"15","cam_impact":"2","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"5.0625","cam_scorecurrentwidelyknown":"6.24375","cam_scorecurrentwidelyknownexploited":"9.61875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":5.0625,"vulnote":null}