CVE-2008-0456

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 1.3.39 and earlier in the 1.3.x series Apache HTTP Server versions 2.0.61 and earlier in the 2.0.x series Apache HTTP Server versions 2.2.6 and earlier in the 2.2.x series

Description A CRLF injection issue in the mod negotiation module allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks. This is achieved by uploading a file with a multi-line name containing HTTP header sequences and a file extension. The issue leads to injection within a "406 Not Acceptable" or "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file. The vulnerability can be exploited on sites that use mod negotiation and allow untrusted uploads to locations with MultiViews enabled.

Recommendations For Apache HTTP Server versions 1.3.39 and earlier in the 1.3.x series, update to a version later than 1.3.39 to resolve the issue. For Apache HTTP Server versions 2.0.61 and earlier in the 2.0.x series, update to a version later than 2.0.61 to resolve the issue. For Apache HTTP Server versions 2.2.6 and earlier in the 2.2.x series, update to a version later than 2.2.6 to resolve the issue. As a temporary workaround, consider disabling the mod negotiation module until a patch is available. Restrict access to locations with MultiViews enabled to minimize the risk of exploitation.