Signature Detail
Short Name |
HTTP:APACHE:MOD-DAV-MERGE-DOS |
|---|---|
Severity |
High |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Apache HTTP Server mod_dav MERGE Request Denial of Service |
Release Date |
2013/08/07 |
Update Number |
2288 |
Supported Platforms |
idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: Apache HTTP Server mod_dav MERGE Request Denial of Service
This signature detects attempts to exploit a known vulnerability in the mod_dav component of Apache HTTP Server. It is due to a NULL pointer deference when processing a MERGE request with a URI whose source href points to a non-DAV configured URI. A remote attacker may send a crafted HTTP request to cause a denial of service condition.
Extended Description
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
Affected Products
- apache http_server 2.2.0
- apache http_server 2.2.1
- apache http_server 2.2.10
- apache http_server 2.2.11
- apache http_server 2.2.12
- apache http_server 2.2.13
- apache http_server 2.2.14
- apache http_server 2.2.15
- apache http_server 2.2.16
- apache http_server 2.2.17
- apache http_server 2.2.18
- apache http_server 2.2.19
- apache http_server 2.2.2
- apache http_server 2.2.20
- apache http_server 2.2.21
- apache http_server 2.2.22
- apache http_server 2.2.23
- apache http_server 2.2.3
- apache http_server 2.2.4
- apache http_server 2.2.6
- apache http_server 2.2.8
- apache http_server 2.2.9
- apache http_server up to 2.2.24
References
- CVE: CVE-2013-1896