PT-2003-1140 · Apache · mod_dav

Published: 2003-03-03 · Updated: 2016-10-18 · CVE-2002-0842

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: mod_dav versions in certain third-party modifications (e.g. Oracle9i Application Server 9.0.2)
Description: The issue allows remote attackers to execute arbitrary code via a destination URI that forces a "502 Bad Gateway" response. This response causes format string specifiers to be returned from dav_lookup_uri() in mod_dav.c, which is then used in a call to ap_log_rerror().
Recommendations: For mod_dav versions in certain third-party modifications (e.g. Oracle9i Application Server 9.0.2), consider disabling the logging of bad gateway messages as a temporary workaround until a patch is available. Restrict access to the dav_lookup_uri() function in mod_dav.c to minimize the risk of exploitation. Avoid using the ap_log_rerror() function with untrusted input until the issue is resolved.


Related Identifiers

CVE-2002-0842

Affected Products

Oracle9i Application Server
mod_dav