Apache HTTP Server 2.4.7 dav_xml_get_cdata DoS

2014.03.19
Credit: Apache
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request. --- httpd/httpd/trunk/modules/dav/main/util.c 2013/10/03 05:29:35 1528718 +++ httpd/httpd/trunk/modules/dav/main/util.c 2014/01/08 02:40:38 1556428 @@ -396,8 +396,10 @@ if (strip_white) { /* trim leading whitespace */ - while (apr_isspace(*cdata)) /* assume: return false for '\0' */ + while (apr_isspace(*cdata)) { /* assume: return false for '\0' */ ++cdata; + --len; + } /* trim trailing whitespace */ while (len-- > 0 && apr_isspace(cdata[len]))
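Review bot: the leading-trim loop in the `if (strip_white)` block still stops only on the terminator, as its own comment admits (`assume: return false for '\0'`), rather than on `len`. The added `--len` keeps pointer and length in step, but nothing in the loop condition stops `cdata` from advancing further than `len` allows if the buffer is ever not NUL-terminated at exactly `len`. Consider `while (len > 0 && apr_isspace(*cdata))` so both trim loops are bounded by the same counter. A short comment saying why `len` must shrink with the pointer, and a regression test covering leading-whitespace and whitespace-only CDATA, would also help keep the trailing loop's `cdata[len]` index inside the buffer.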
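The length bookkeeping behind this fix, as an added C example (not httpd source and not part of the advisory). `trim_span` and `unpatched_first_index` are hypothetical names, the sample string is constructed, and the buffer is assumed to be NUL-terminated and `len + 1` bytes long.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not httpd code): trim a span by moving the pointer
 * and the length together, so no index ever leaves [p, p + len). */
static size_t trim_span(const char **start, size_t len)
{
    const char *p = *start;

    while (len > 0 && isspace((unsigned char)*p)) {        /* leading */
        ++p;
        --len;                     /* the bookkeeping the patch adds */
    }
    while (len > 0 && isspace((unsigned char)p[len - 1]))  /* trailing */
        --len;

    *start = p;
    return len;
}

/* Hypothetical model of the pre-patch arithmetic. It performs no
 * out-of-bounds access; it only computes, relative to the start of the
 * original buffer, the first index the trailing loop would inspect when
 * the pointer advances but len stays unchanged. Assumes buf is
 * NUL-terminated and len + 1 bytes long, so valid indexes are 0..len. */
static size_t unpatched_first_index(const char *buf, size_t len)
{
    size_t lead = 0;

    while (isspace((unsigned char)buf[lead]))  /* stops at '\0' */
        ++lead;
    return len == 0 ? 0 : lead + len - 1;      /* no read when len is 0 */
}

int main(void)
{
    const char sample[] = "  \t lock-owner \n";  /* constructed input */
    const char *p = sample;
    size_t len = strlen(sample);
    size_t kept = trim_span(&p, len);

    printf("kept %zu bytes: \"%.*s\"\n", kept, (int)kept, p);
    printf("valid indexes 0..%zu, unpatched trailing loop starts at %zu\n",
           len, unpatched_first_index(sample, len));
    return 0;
}
```

Any result from `unpatched_first_index` greater than `len` lies outside the assumed buffer, which is the condition the added `--len` removes.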

References:

http://www.apache.org/dist/httpd/CHANGES_2.4.9
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/util.c?r1=1528718&r2=1556428&diff_format=h
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/util.c

