HTTP: Apache HTTP Server mod_dav MERGE Request Denial of Service
This signature detects attempts to exploit a known vulnerability in the mod_dav component of Apache HTTP Server. It is due to a NULL pointer deference when processing a MERGE request with a URI whose source href points to a non-DAV configured URI. A remote attacker may send a crafted HTTP request to cause a denial of service condition.
Extended Description
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
Affected Products
Redhat enterprise_linux_workstation
References
CVE: CVE-2013-1896
Short Name
HTTP:APACHE:MOD-DAV-MERGE-DOS
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Apache CVE-2013-1896 Denial HTTP MERGE Request Server Service mod_dav of
Release Date
08/07/2013
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3590
False Positive
Unknown
Vendors
Apache
Opensuse
Redhat
Canonical
CVSS Score
4.3