{"vuid":"VU#481998","idnumber":"481998","name":"Apache vulnerable to buffer overflow when expanding environment variables","keywords":["Apache","buffer overflow","ENVVAR constructs",".htaccess","httpd.conf files","ap_resolve_env()","server/util.c"],"overview":"There is a buffer overflow vulnerability in the ap_resolve_env() function of Apache that could allow a local user to gain elevated privileges.","clean_desc":"The Apache HTTP Server is a freely available web server that runs on a variety of operating systems including Unix, Linux, and Microsoft Windows. The ap_resolve_env() function is responsible for expanding environment variables when parsing configuration files such as .htaccess or httpd.conf. There is a vulnerability in this function that could allow a local user to trigger a buffer overflow. The Apache Software Foundation notes that in order to exploit this vulnerability, a local user would need to install the malicious configuration file on the server and force the server to parse this file.","impact":"A local user with the ability to force a vulnerable server to parse a malicious configuration file could gain elevated privileges.","resolution":"Upgrade or Apply Patch\nUpgrade or apply patch as specified by your vendor. 
This issue is resolved in Apache version 2.0.51.","workarounds":"","sysaffected":"","thanks":"This vulnerability was reported by the Swedish IT Incident Centre within the National Post and Telecom Agency (SITIC).","author":"This document was written by Damon Morda.","public":["http://www.apache.org/dist/httpd/Announcement2.html","http://www.uniras.gov.uk/vuls/2004/403518/index.htm","http://secunia.com/advisories/12540/","http://www.securitytracker.com/alerts/2004/Sep/1011303.html","http://rhn.redhat.com/errata/RHSA-2004-463.html"],"cveids":["CVE-2004-0747"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-09-16T14:52:45Z","publicdate":"2004-09-15T00:00:00Z","datefirstpublished":"2004-09-17T20:09:21Z","dateupdated":"2004-09-17T20:09:27Z","revision":11,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"15","cam_population":"20","cam_impact":"15","cam_easeofexploitation":"2","cam_attackeraccessrequired":"10","cam_scorecurrent":"3.375","cam_scorecurrentwidelyknown":"3.9375","cam_scorecurrentwidelyknownexploited":"6.1875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":3.375,"vulnote":null}