PT-2003-1910 · Apache · Mod Gzip

Matthew Murphy · Published 2003-10-09 · Updated 2016-10-18 · CVE-2003-0843

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

mod gzip versions 1.3.26.1a and earlier

Description

The issue allows remote attackers to execute arbitrary code via format string characters in an HTTP GET request with an "Accept-Encoding: gzip" header, when mod gzip is running in debug mode and using the Apache log.

Recommendations

For mod gzip versions 1.3.26.1a and earlier, consider disabling the debug mode as a temporary workaround until a patch is available. Restrict access to the Apache log to minimize the risk of exploitation. Avoid using format string characters in HTTP GET requests with an "Accept-Encoding: gzip" header until the issue is resolved.

Related Identifiers

CVE-2003-0843

Affected Products

Mod Gzip