Apache mod_ssl SSLCipherSuite Restriction Bypass Vulnerability

Apache 2.x mod_ssl is reported prone to a restriction-bypass vulnerability. The issue arises when mod_ssl is configured with the 'SSLCipherSuite' directive in a 'Directory' or 'Location' context. Reportedly, a client can use any cipher suite allowed by the virtual host configuration, regardless of the cipher suites specified for a specific directory. This can allow an attacker to bypass security policies and use potentially weaker encryption types than the per-directory setting allows.

Apache 2.0.35 to 2.0.52 are reported vulnerable to this issue.
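To check whether a deployment relies on the affected pattern, the following added example (not code from the advisory or from the Apache project) lists every 'SSLCipherSuite' set in a per-directory context together with the enclosing suite a client could use instead. It assumes the configuration is a single file without Include directives or line continuations; the function names and the sample configuration are constructed for illustration.

```python
import re

# Affected range as stated in the advisory: Apache 2.0.35 to 2.0.52.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 35), (2, 0, 52)
# The advisory names Directory and Location; the *Match variants are assumed.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch"}
SECTION = re.compile(r"^<(/?)\s*(\w+).*>$")

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
<VirtualHost *:443>
    <Directory "/var/www/secure">
        SSLCipherSuite HIGH:!aNULL
    </Directory>
    SSLCipherSuite ALL:!ADH:+LOW
</VirtualHost>
"""

def is_affected(version):
    """True if a dotted version such as '2.0.49' is in the advisory's range."""
    return AFFECTED_MIN <= tuple(int(p) for p in version.split(".")) <= AFFECTED_MAX

def find_per_dir_cipher_suites(conf_text):
    """Return (line_no, section, suite, enclosing_suite) for each SSLCipherSuite
    in a per-directory context; enclosing_suite is the vhost or server-wide one."""
    stack, outer, pending, vhost = [], {}, [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        parts, m = line.split(None, 1), SECTION.match(line)
        if m and m.group(1):                       # closing tag
            if stack and stack.pop()[0] == "virtualhost":
                vhost = None
        elif m:                                    # opening tag
            stack.append((m.group(2).lower(), line))
            if stack[-1][0] == "virtualhost":
                vhost = no                         # key the vhost by its line number
        elif len(parts) == 2 and parts[0].lower() == "sslciphersuite":
            per_dir = [s for s in stack if s[0] in PER_DIR]
            if per_dir:
                pending.append((no, per_dir[-1][1], parts[1], vhost))
            else:
                outer[vhost] = parts[1]
    # Resolve last: the vhost-level directive may come after the <Directory>.
    return [(n, sec, s, outer.get(vh, outer.get(None))) for n, sec, s, vh in pending]

if __name__ == "__main__":
    for finding in find_per_dir_cipher_suites(SAMPLE_CONF):
        print(finding)
```

Any finding on a server for which `is_affected` returns True marks a directory whose cipher restriction should not be relied on until the server is upgraded or the restriction is moved to the virtual host level.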


 

Copyright 2010, SecurityFocus