PT-2007-4582 · Apache · Apache Http Server

Published: 2007-06-19 · Updated: 2024-06-15 · CVE-2007-3304

CVSS v2.0: 4.7 (Medium)
Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Apache httpd versions 1.3.37, 2.0.59, and 2.2.4

Description: The issue allows local users to cause a denial of service by modifying the worker score and process score arrays of the shared scoreboard so that an entry references an arbitrary process ID; the master process then sends that PID a SIGUSR1 signal. This is possible because the Apache HTTP server does not verify that a process is one of its own child processes before signalling it. A local attacker able to run scripts on the HTTP server (and thus able to write to the scoreboard from a worker) could manipulate the scoreboard and cause arbitrary processes to be terminated, leading to a denial of service.

Recommendations: For Apache httpd versions 1.3.37, 2.0.59, and 2.2.4, consider restricting access to the scoreboard and limiting the ability to run scripts on the HTTP server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit


Related identifiers

CVE-2007-3304
HPSBUX02273
OPENSUSE-SU-2024:10623-1
RHSA-2007:0532
RHSA-2007:0556
RHSA-2007:0557
RHSA-2007:0662
RHSA-2007_0556
RHSA-2007_0662
RHSA-2008:0261
RHSA-2008:0263
RHSA-2008:0523
RHSA-2008:0524
RHSA-2010:0602

Affected products

Apache Http Server
Red Hat