The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.
--- httpd/httpd/trunk/modules/dav/main/util.c 2013/10/03 05:29:35 1528718
+++ httpd/httpd/trunk/modules/dav/main/util.c 2014/01/08 02:40:38 1556428
@@ -396,8 +396,10 @@
if (strip_white) {
/* trim leading whitespace */
- while (apr_isspace(*cdata)) /* assume: return false for '\0' */
+ while (apr_isspace(*cdata)) { /* assume: return false for '\0' */
++cdata;
+ --len;
+ }
/* trim trailing whitespace */
while (len-- > 0 && apr_isspace(cdata[len]))
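Review bot: The leading-trim loop still stops only on the NUL terminator, as its own "assume" comment says, while `len` is now decremented independently of that check. If `len` ever disagrees with the actual string length (how it is computed is outside this hunk), it can drop below zero or wrap before the trailing-trim loop uses it as the index in `cdata[len]`. Bounding the loop by the length removes that dependency: `while (len > 0 && apr_isspace(*cdata)) {`. It would also help to replace the "assume" comment with one stating the invariant outright, e.g. `/* cdata is NUL-terminated and len == strlen(cdata) */`. The enclosing function and the body of the trailing-trim loop lie outside the hunk, so the final terminator write could not be checked here.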