ClearOS Documentation



CVE-2018-1283

'In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a “Session” header. This comes from the “HTTP_SESSION” variable name used by mod_session to forward its data to CGIs, since the prefix “HTTP_” is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.'

ClearCenter response

This issue affects ClearOS 7, whose Apache httpd 2.4 package includes mod_session, but does not affect ClearOS 6, which ships Apache httpd 2.2 and has no mod_session at all. Even on ClearOS 7 the vulnerable code path is only reached when SessionEnv is set to On, which is not the default.

Short response

This vulnerability only matters for CGI applications that receive session data from mod_session (SessionEnv On, not the default). In that configuration a remote client can send its own Session request header, which httpd hands to the CGI program as HTTP_SESSION, the same environment variable mod_session uses, so the client can influence the session content the application reads. If your web application is not CGI, or SessionEnv is not enabled, you are not affected.

Long response

The CGI specification passes every HTTP request header to the CGI program as an environment variable named HTTP_ followed by the upper-cased header name with dashes replaced by underscores, so a client header "Session: ..." arrives as HTTP_SESSION. When SessionEnv is On, mod_session exports the server-side session under exactly that name. Because the two sources share one variable, a remote client can influence what a CGI application believes is its session; the impact depends on how much the application trusts that data (for example whether it holds a user identity or role). Applications that are not CGI, or that run with SessionEnv left at its default of Off, never see the forwarded variable and are not affected.

A fix has been submitted for the affected Fedora versions, but at the time of writing no fix from Red Hat/CentOS is available, so the httpd package on ClearOS 7 remains vulnerable whenever SessionEnv On is configured.

Resolution

If your web server runs CGI applications, first check whether SessionEnv On is set anywhere in the httpd configuration; if it is not, the vulnerable code path is never reached. Where it is set but the application does not actually need HTTP_SESSION, turning SessionEnv Off removes the exposure. Otherwise, consider restricting access to the application to authorized users by other means, for example with the Dynamic Firewall application from the ClearOS Marketplace, or by making the application available only to networks containing trusted users. Alternatively, move the CGI application to a Fedora instance of Apache while the bug is being fixed upstream.
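The following script is an added example for this advisory; it is not ClearOS or Apache code. It shows the CGI header-to-variable mapping that causes the collision, and it scans an httpd configuration tree for an active SessionEnv On directive, which is the precondition for this issue. The /etc/httpd path is the stock ClearOS 7 location and is an assumption; the configuration files the demo writes into a temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example for this advisory; not ClearOS or Apache code.
# Assumes httpd configuration lives under /etc/httpd on a real host (the
# ClearOS 7 default). The demo below uses a constructed temporary tree
# instead, so the script runs anywhere and only reads files.

# Map a request header name to the CGI meta-variable name httpd gives it:
# upper-case, '-' becomes '_', prefixed with HTTP_. "Session" therefore lands
# in HTTP_SESSION, the very name mod_session uses when SessionEnv is On.
cgi_env_name() {
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# Succeed (exit 0) if any file under the directory holds an active, that is
# uncommented, "SessionEnv On" directive. httpd matches directive names and
# the On/Off keyword case-insensitively, so the search does too.
session_env_enabled() {
    grep -rEiq '^[[:space:]]*SessionEnv[[:space:]]+On([[:space:]]|$)' "$1" 2>/dev/null
}

# List the matching directives with file name and line number for review.
session_env_report() {
    grep -rEin '^[[:space:]]*SessionEnv[[:space:]]+On([[:space:]]|$)' "$1" 2>/dev/null
}

# Self-contained demonstration on a constructed configuration tree.
# vuln.conf enables the forwarding; safe.conf only mentions the directive
# inside a comment and must not count as a hit.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf.d"
    printf '<Location "/cgi-bin/app">\n    Session On\n    SessionEnv On\n</Location>\n' \
        > "$tmp/conf.d/vuln.conf"
    printf '# SessionEnv On   (constructed: commented out on purpose)\nSession Off\n' \
        > "$tmp/conf.d/safe.conf"

    echo "A client header 'Session: role=admin' reaches a CGI as $(cgi_env_name Session)=role=admin"
    if session_env_enabled "$tmp"; then
        echo "SessionEnv On found, CGI applications in this tree are exposed to CVE-2018-1283:"
        session_env_report "$tmp"
    else
        echo "No active SessionEnv On directive found"
    fi

    rm -rf "$tmp"
}

# Run against the constructed tree. On a real ClearOS 7 host use:
#   session_env_enabled /etc/httpd && session_env_report /etc/httpd
demo
```

The report lists every file and line that enables the forwarding, so the administrator can decide per virtual host or Location whether the CGI application really needs HTTP_SESSION. Stripping a client-supplied Session header before it reaches the CGI program (mod_headers: RequestHeader unset Session early) is a further hardening step suggested here rather than stated in the advisory; test it against your application before relying on it, and treat it as defence in depth rather than a replacement for the upstream fix.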

content/en_us/announcements_cve_cve-2018-1283.txt · Last modified: 2018/10/03 14:31 by dloper
