• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Apache Mod_SSL Custom Error Document Remote Denial Of Service Vulnerability

Apache's mod_ssl module is susceptible to a remote denial-of-service vulnerability. A flaw in the module results in a NULL-pointer dereference that causes the server to crash. This issue is present only when virtual hosts are configured with a custom 'ErrorDocument' statement for '400' errors or 'SSLEngine optional'.

Depending on the configuration of Apache, attackers may crash the entire webserver or individual child processes. Repeated attacks are required to deny service to legitimate users when Apache is configured for multiple child processes to handle connections.

This issue affects Apache 2.x versions.