CVE-2022-28615 performanceani redu larger takeursday comment Z break

CVE-2022-28615 performanceani redu larger takeursday comment Z break

The issue may be mitigated by limiting the size of the lua script or module being loaded. Apache HTTP server does not limit the length of the path parameter that can be passed to the lua module. This can lead to remote code execution when unvalidated user-provided input is passed to ap_strcmp_match() . As ap_strcmp_match() is used by all modules that handle static content (e.g. mod_php ), it is possible for unvalidated user-provided input to be used by arbitrary code on other hosts. For example, if a remote user uploads a file with a length of 1GB to an innocent-looking website and that website then serves that file directly, Apache HTTP server will crash as the buffer provided to ap_strcmp_match() will be too large.

Mitigation

The issue may be mitigated by limiting the size of the lua script or module being loaded.

Apache HTTP server code execution vulnerability

The Apache HTTP Server is vulnerable to remote code execution. With this vulnerability, an attacker can run arbitrary code on any Apache HTTP Server instance running the vulnerable version of the software. This flaw can be exploited in multiple ways, including a denial-of-service attack, where an attacker floods the server with a large file. This can also be exploited by an attacker to gain access to sensitive data stored in memory. The most common exploit vector for this vulnerability is via uploading a file as it is referenced by another URL that was not sanitized properly by the developer.

CVE-2023-28616

The issue may be mitigated by limiting the size of the lua script or module being loaded. Apache HTTP server does not limit the length of the path parameter that can be passed to the lua module. This can lead to remote code execution when unvalidated user-provided input is passed to ap_strcmp_match() . As ap_strcmp_match() is used by all modules that handle static content (e.g. mod_php ), it is possible for unvalidated user-provided input to be used by arbitrary code on other hosts. For example, if a remote user uploads a file with a length of 1GB to an innocent-looking website and that website then serves that file directly, Apache HTTP server will crash as the buffer provided to ap_strcmp_match() will be too large.
# If you're looking for more information about how this vulnerability works in practice, check out http://wiki.apache.org/security/CVE-2022-28615

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe