PT-2012-2266 · Apache · Apache Http Server
Published 2012-01-23 · Updated 2024-06-15 · CVE-2012-0053
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions 2.2.x through 2.2.21
Description
Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information when it builds the default Bad Request (400) error document: the request header that caused the rejection, Cookie included, is copied into the body of the error page. An attacker who can already run script in a victim's browser on the affected site (for example through a cross-site scripting flaw) can make the browser send a long or malformed header, trigger the 400 response, and read cookie values out of the returned document, including cookies marked httpOnly that script is otherwise prevented from reading. Only servers that serve the default error document are affected; a server with a custom ErrorDocument for status code 400 is not.
Recommendations
Upgrade to Apache HTTP Server 2.2.22 or later; the 2.2.22 changelog lists the fix for CVE-2012-0053, and the 400 error document no longer includes the rejected header. Where an upgrade is not yet possible, configure a custom error document for status code 400 so the default page is never served, for example `ErrorDocument 400 "Bad Request"` or `ErrorDocument 400 /errors/400.html` pointing at a static file; the custom page must not itself reflect request headers. Distribution packages (CentOS, Red Hat, SUSE, HP-UX) commonly backport the fix without changing the 2.2.x version string, so check the package changelog rather than relying on the version number alone.
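The check a practitioner wants after reading the description and the recommendation is whether a given server still copies an oversized header into its 400 body. The script below is an added example, not code from the advisory or from the Apache project: it builds a request whose Cookie header exceeds Apache's default LimitRequestFieldSize (8190 bytes), so a 2.2.x server answers 400, and reports whether the random canary from that header shows up in the response body. The cookie name `ptcanary`, the `sample_responses` replies (modelled on the wording of the default 2.2.x error page) and the host names are constructed for the offline run; only `send_probe` talks to a real server.

```python
"""Added example: probe whether a server echoes an oversized request header
in its 400 Bad Request body (the behaviour CVE-2012-0053 abused on Apache
2.2.x <= 2.2.21). Not part of the PT advisory or of Apache httpd."""
import secrets
import socket
import ssl
from typing import Dict, Optional, Tuple

# Apache's default LimitRequestFieldSize; a single header line longer than
# this makes httpd answer 400 instead of serving the request.
DEFAULT_LIMIT_REQUEST_FIELD_SIZE = 8190
CANARY_NAME = "ptcanary"  # hypothetical cookie name used only by this probe


def build_probe(host: str, path: str = "/",
                size: int = DEFAULT_LIMIT_REQUEST_FIELD_SIZE + 1000) -> Tuple[bytes, str]:
    """Return (raw_request, canary). The Cookie value is padded past `size`
    bytes and carries a random canary, so an echo cannot be confused with
    static text that the error page always contains."""
    canary = secrets.token_hex(16)
    padding = "A" * max(0, size - len(canary) - len(CANARY_NAME) - 1)
    cookie = f"{CANARY_NAME}={canary}{padding}"
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie}\r\n"
        "Connection: close\r\n\r\n"
    )
    return request.encode("ascii"), canary


def parse_status(response: bytes) -> Optional[int]:
    """Status code from the status line, or None if the reply is not HTTP."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def header_echoed(response: bytes, canary: str) -> bool:
    """True when the response *body* (after the blank line) contains the
    canary, i.e. the server copied the rejected Cookie header into the error
    document, which is what lets page script read httpOnly cookie values."""
    _head, sep, body = response.partition(b"\r\n\r\n")
    return bool(sep) and canary.encode("ascii") in body


def classify(response: bytes, canary: str) -> str:
    """Human-readable verdict for one probe reply."""
    status = parse_status(response)
    if status != 400:
        return f"unexpected status {status}; probe did not trigger a 400"
    if header_echoed(response, canary):
        return "vulnerable: rejected header echoed in 400 body"
    return "not echoed"


def send_probe(host: str, port: int = 80, use_tls: bool = False,
               timeout: float = 5.0) -> str:
    """Send the probe to a live server and classify its reply (network)."""
    request, canary = build_probe(host)
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    chunks = []
    with sock:
        sock.sendall(request)
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks), canary)


def sample_responses(canary: str) -> Dict[str, bytes]:
    """Constructed replies for an offline run, modelled on the wording of the
    default Apache 2.2.x 400 page; not captured from a real server."""
    common = ("<html><head><title>400 Bad Request</title></head><body>"
              "<h1>Bad Request</h1><p>Your browser sent a request that this "
              "server could not understand.<br />"
              "Size of a request header field exceeds server limit.<br />")
    vulnerable = common + f"<pre>\nCookie: {CANARY_NAME}={canary}AAAA\n</pre></p></body></html>"
    fixed = common + "</p></body></html>"

    def wrap(body: str) -> bytes:
        return (f"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\n"
                f"Content-Type: text/html\r\nContent-Length: {len(body)}\r\n"
                f"\r\n{body}").encode("ascii")

    return {"vulnerable": wrap(vulnerable), "fixed": wrap(fixed)}


if __name__ == "__main__":
    _, demo_canary = build_probe("www.example.test")  # constructed host
    for label, reply in sample_responses(demo_canary).items():
        print(f"{label}: {classify(reply, demo_canary)}")
```

The canary is random per probe on purpose: the default error page always contains the static phrase about the header size limit, so matching on that text alone would flag patched servers too. A patched 2.2.22 server, or any server with a custom `ErrorDocument 400`, still answers 400 but without the canary; a server whose LimitRequestFieldSize was raised above the probe size answers with a normal status, which `classify` reports as not having triggered the 400 rather than as safe.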
Exploit
Affected Products
Apache Http Server
Centos
Hp-Ux
Red Hat
Suse