Apache SSL <1.47 overflow

  1. #1
    Senior since the 3 dot era
    Join Date
    Nov 2001

    Apache SSL <1.47 overflow

    Source: www.securityspace.com

    Title: Apache-SSL overflow
    ID: 10918
    Category: Gain a shell remotely
    URL: http://www.securityspace.com/smysecu....html?id=10918
    Summary: Checks for version of Apache-SSL
    ** The remote host is using a version of Apache-SSL which is
    ** older than 1.47

    ** This version is vulnerable to a buffer overflow which,
    ** albeit difficult to exploit, may allow an attacker
    ** to obtain a shell on this host.

    ** Solution : Upgrade to version 1.47 or newer
    ** Risk factor : High

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Is regular apache affected?
    Search First Ask Second. www.google.com

  3. #3
    Senior since the 3 dot era
    Join Date
    Nov 2001
    I don't think so... at www.apache.org there was no panic but at http://www.apache-ssl.org there was...

    source: http://www.apache-ssl.org/advisory-20020301.txt

    Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46)


    A buffer overflow was recently found in mod_ssl, see:


    for details. The offending code in mod_ssl was, in fact, derived from
    Apache-SSL, and Apache-SSL is also vulnerable.

    As in mod_ssl, this flaw can only be exploited if client certificates
    are being used, and the certificate in question must be issued by a
    trusted CA.


    Download Apache-SSL 1.3.22+1.47 from the usual places (see

    (note that 1.46 had a bug in it, so you should use 1.47)


    Thanks to Ed Moyle for finding the flaw.


    No thanks to anyone at all for alerting me before going
    public. Cheers, guys.

    Ben Laurie, March 1, 2002.
    It's only a prob with Apache-SSL
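
Added example, not part of the thread, the scanner plugin or the advisory: a triage helper that combines the version check from the first post with the advisory's condition that client certificates must be in use. The `Ben-SSL/` banner token, the `SSLVerifyClient` values treated as "off", the function names and the sample inputs are assumptions.

```python
import re

# Assumption: Apache-SSL identifies itself in the Server header with a
# "Ben-SSL/<major>.<minor>" token, e.g. "Apache/1.3.22 Ben-SSL/1.45 (Unix)".
BANNER_RE = re.compile(r"Ben-SSL/(\d+)\.(\d+)")

# 1.47 is the release both the scanner text and the advisory say to run.
FIXED = (1, 47)

# Assumption: client-certificate checking is enabled with SSLVerifyClient,
# and a value of 0 or "none" means it is switched off.
VERIFY_RE = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.I | re.M)


def apache_ssl_version(banner):
    """Return (major, minor) of the Apache-SSL patch, or None if not present."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def client_certs_enabled(conf_text):
    """True if an uncommented SSLVerifyClient directive asks for a client cert."""
    values = VERIFY_RE.findall(conf_text)
    return any(v.lower() not in ("0", "none") for v in values)


def triage(banner, conf_text):
    """Classify one host from its Server banner and its httpd.conf text."""
    version = apache_ssl_version(banner)
    if version is None:
        return "not-apache-ssl"      # plain Apache or another SSL module
    if version >= FIXED:
        return "patched"
    # Older than 1.47: the advisory ties exploitability to client certificates.
    return "upgrade-now" if client_certs_enabled(conf_text) else "upgrade"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    hosts = {
        "a": ("Apache/1.3.22 Ben-SSL/1.45 (Unix)", "SSLVerifyClient 2\n"),
        "b": ("Apache/1.3.22 Ben-SSL/1.45 (Unix)", "# SSLVerifyClient 2\n"),
        "c": ("Apache/1.3.22 Ben-SSL/1.47 (Unix)", "SSLVerifyClient 2\n"),
        "d": ("Apache/1.3.23 (Unix)", ""),
    }
    for name, (banner, conf) in hosts.items():
        print(name, triage(banner, conf))
```

A banner can be edited or suppressed by the administrator, so a "patched" or "not-apache-ssl" result from the banner alone should be confirmed against the installed package.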
