
Critical Security Vulnerability in Webserver



Enterprise Information Security
5 years ago
2 years ago


(Reporter: Tushar Kumbhare, Assigned: tinfoil)





5 years ago
Site - https://lists.mozilla.org
Vulnerability - Multiple Vulnerabilities.

Current version found -  Apache/2.2.15 (Red Hat) Server at lists.mozilla.org Port 443

Version can be found here - https://lists.mozilla.org/ORxvcglX41
Vulnerability 1)  envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2
places a zero-length directory name in the LD_LIBRARY_PATH, which
allows local users to gain privileges via a Trojan horse DSO in the
current working directory during execution of apachectl.

Risk level - High

Impacts -

Confidentiality Impact - Complete (There is total information
disclosure, resulting in all system files being revealed.)

Integrity Impact - Complete (There is a total compromise of system
integrity. There is a complete loss of system protection, resulting in
the entire system being compromised.)

Availability Impact - Complete (There is a total shutdown of the
affected resource. The attacker can render the resource completely

Reference - http://www.cvedetails.com/cve/CVE-2012-0883/

Vulnerability 2) scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might
allow local users to cause a denial of service (daemon crash during
shutdown) or possibly have unspecified other impact by modifying a
certain type field within a scoreboard shared memory segment, leading
to an invalid call to the free function.

Risk level - High

Impact -

Confidentiality Impact - Partial (There is considerable informational

Integrity Impact - Partial (Modification of some system files or
information is possible, but the attacker does not have control over
what can be modified, or the scope of what the attacker can affect is

Availability Impact - Partial (There is reduced performance or
interruptions in resource availability.)

Reference - http://www.cvedetails.com/cve/CVE-2012-0031/

Vulnerability 3) The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through
2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a
denial of service (memory and CPU consumption) via a Range header that
expresses multiple overlapping ranges, as exploited in the wild in
August 2011, a different vulnerability than CVE-2007-0086.

Risk level - Critically high.

Availability Impact - Complete (There is a total shutdown of the
affected resource. The attacker can render the resource completely

(1 public exploit) (1 Metasploit module) available.

Reference - http://www.cvedetails.com/cve/CVE-2011-3192/

Vulnerability 4) Vulnerability description

A denial of service vulnerability has been found in the way the
multiple overlapping ranges are handled by the Apache HTTPD server:


An attack tool is circulating in the wild. Active use of this tool
has been observed. The attack can be done remotely and with a modest
number of requests can cause very significant memory and CPU usage on
the server.

Affected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x
through 2.2.19).

Reference - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192

The list of vulnerabilities and their impact can be found here:



A working exploit can be found here:


These vulnerabilities affect the webserver:

Total compromise of all the users' data confidentiality, integrity
and availability.

How to fix this vulnerability

Upgrade to the latest version of Apache HTTP Server (2.2.20 or later),
available from the Apache HTTP Server Project Web site.

Must be patched soon
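Added example (editorial, not part of the report above and not Apache's own code): the kind of byte-range check that the CVE-2011-3192 mitigation relied on, in Python, run over constructed sample Range header values. Apache's advice at the time was to refuse requests carrying an unreasonable number of ranges; this version applies that rule and additionally rejects overlapping ranges, which is the pattern the report describes. The `MAX_RANGES` threshold, the 1000-byte resource size and the sample headers are assumptions made for the demonstration.

```python
"""Added example, not part of this bug report or of Apache's own code: a
defensive check for the Range-header pattern behind CVE-2011-3192.  Apache's
mitigation advice at the time was to refuse requests that carry an
unreasonable number of ranges; this parser applies that rule and also
rejects overlapping ranges.  MAX_RANGES and the sample headers are assumed
values constructed for the demonstration."""
import re
from typing import List, Tuple

MAX_RANGES = 5   # assumed policy threshold, not a number taken from the advisory

# One byte-range-spec: "first-last", "first-" or "-suffix".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header: str, size: int) -> List[Tuple[int, int]]:
    """Turn a 'bytes=...' Range header into absolute (first, last) pairs for a
    representation of `size` bytes, following RFC 7233 semantics.  Unsatisfiable
    specs are dropped; syntactically invalid ones raise ValueError."""
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported or missing range unit")
    ranges: List[Tuple[int, int]] = []
    for spec in specs.split(","):
        m = RANGE_SPEC.match(spec.strip())
        if m is None:
            raise ValueError(f"bad byte-range-spec {spec!r}")
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            raise ValueError("empty byte-range-spec")
        if first == "":                       # suffix range: the last N bytes
            n = int(last)
            if n == 0 or size == 0:
                continue                      # unsatisfiable, ignore
            ranges.append((max(size - n, 0), size - 1))
            continue
        first_pos = int(first)
        if last != "" and int(last) < first_pos:
            raise ValueError(f"last-byte-pos precedes first-byte-pos in {spec!r}")
        if first_pos >= size:
            continue                          # unsatisfiable for this representation
        last_pos = size - 1 if last == "" else min(int(last), size - 1)
        ranges.append((first_pos, last_pos))
    return ranges


def has_overlap(ranges: List[Tuple[int, int]]) -> bool:
    """True if any two ranges share at least one byte."""
    ordered = sorted(ranges)
    return any(b_first <= a_last
               for (_, a_last), (b_first, _) in zip(ordered, ordered[1:]))


def assess_range_header(header: str, size: int) -> Tuple[str, str]:
    """Return ('accept' | 'reject', reason) for one Range header value."""
    try:
        ranges = parse_ranges(header, size)
    except ValueError as exc:
        return "reject", f"malformed: {exc}"
    if len(ranges) > MAX_RANGES:
        return "reject", f"{len(ranges)} ranges exceeds limit of {MAX_RANGES}"
    if has_overlap(ranges):
        return "reject", "overlapping ranges"
    return "accept", f"{len(ranges)} range(s)"


# Constructed sample header values; the resource is assumed to be 1000 bytes.
SAMPLE_HEADERS = [
    "bytes=0-499",                  # ordinary partial download
    "bytes=-500",                   # suffix range
    "bytes=0-100,50-150",           # overlapping
    "bytes=0-,1-,2-,3-,4-,5-",      # many ranges, each covering almost the whole file
    "bytes=abc",                    # malformed
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        verdict, reason = assess_range_header(h, 1000)
        print(f"{verdict:6} {h!r}: {reason}")
```

The count limit is checked before the overlap scan on purpose: the cost of handling a Range header grows with the number of ranges, so the cheapest decision comes first, and the overlap test only runs on requests that are already within the size budget.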


5 years ago
Assignee: nobody → mhenry

Comment 1

5 years ago
Thank you for your report!

Is your assessment based strictly on version number, or have you successfully exploited a vulnerability?

I'm asking because the server is running Red Hat.  Red Hat is well known for backpatching security fixes into older versions of software.  In other words, finding vulnerabilities by CVE and version numbers with Red Hat is an exercise in futility.

I've checked the server and it's currently running the latest patches available from Red Hat, which includes fixes for:


If your finding is not based on version number alone, let me know.  Otherwise I'll close this bug as resolved-invalid.
Group: mozilla-services-security
Last Resolved: 5 years ago
Component: Web Site → Security Assurance: Operations
Product: Mozilla Services → mozilla.org
Resolution: --- → INVALID
Version: unspecified → other
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security
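Added example illustrating the point made in comment 1 (editorial; not part of the bug and not Red Hat's tooling): because Red Hat backports fixes without changing the upstream version shown in the Server banner, the check that actually answers "is CVE X fixed here?" is whether the installed package's changelog names that CVE at or below the installed release. The changelog text, the release numbers and which entry mentions which CVE are constructed for the demonstration; the real input would be the output of `rpm -q --changelog httpd` on the host, and the version comparison is a simplified stand-in for rpm's own.

```python
"""Added example, not from the bug or from Red Hat: a backport-aware check that
answers "does the installed httpd package carry the fix for CVE X?" by reading
the package changelog instead of the version banner.  SAMPLE_CHANGELOG is
CONSTRUCTED in the style of `rpm -q --changelog httpd`; its release numbers
and CVE mapping are illustrative, not Red Hat's actual history."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CHANGELOG = """\
* Tue Feb 14 2012 Example Maintainer <maint@example.invalid> - 2.2.15-20
- add security fix for CVE-2012-0883 (constructed entry)

* Wed Jan 18 2012 Example Maintainer <maint@example.invalid> - 2.2.15-16
- add security fixes for CVE-2011-3192, CVE-2012-0031 (constructed entry)

* Mon Aug 01 2011 Example Maintainer <maint@example.invalid> - 2.2.15-9
- rebuild (constructed entry)
"""

# "* <date> <packager> - <version-release>": capture the trailing version-release.
ENTRY_HEADER = re.compile(r"^\*\s+.*?-\s+(\S+)\s*$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text: str) -> List[Tuple[str, List[str]]]:
    """Split changelog text into (release, [CVE ids named in that entry])."""
    entries: List[Tuple[str, List[str]]] = []
    release: Optional[str] = None
    cves: List[str] = []
    for line in text.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            if release is not None:
                entries.append((release, cves))
            release, cves = m.group(1), []
        elif release is not None:
            cves.extend(CVE_ID.findall(line))
    if release is not None:
        entries.append((release, cves))
    return entries


def _rpm_key(version: str):
    """Simplified rpmvercmp ordering (assumption, not rpm's real algorithm):
    numeric segments compare numerically, alphabetic ones lexically, and a
    numeric segment sorts after an alphabetic one."""
    return [(1, int(s)) if s.isdigit() else (0, s)
            for s in re.findall(r"\d+|[A-Za-z]+", version)]


def fix_release(entries: List[Tuple[str, List[str]]], cve: str) -> Optional[str]:
    """Oldest release whose changelog entry names `cve`, or None if never mentioned."""
    hits = [rel for rel, cves in entries if cve in cves]
    return min(hits, key=_rpm_key) if hits else None


def is_fixed(installed: str, entries: List[Tuple[str, List[str]]], cve: str) -> bool:
    """True when the installed release is at or above the release that fixed `cve`."""
    rel = fix_release(entries, cve)
    return rel is not None and _rpm_key(installed) >= _rpm_key(rel)


def audit(installed: str, changelog_text: str, cves: List[str]) -> Dict[str, bool]:
    """Map each CVE id to whether the installed package's changelog covers it."""
    entries = parse_changelog(changelog_text)
    return {cve: is_fixed(installed, entries, cve) for cve in cves}


if __name__ == "__main__":
    # Installed release is a constructed value; take it from `rpm -q httpd` in practice.
    installed_release = "2.2.15-16"
    for cve, ok in audit(installed_release, SAMPLE_CHANGELOG,
                         ["CVE-2011-3192", "CVE-2012-0031", "CVE-2012-0883"]).items():
        print(f"{cve}: {'fixed' if ok else 'NOT covered'} in {installed_release}")
```

A CVE absent from the changelog is reported as not covered, which is the conservative reading: it may still be fixed under a different reference, so a negative result is a prompt to check the vendor's errata rather than proof of exposure, while a positive result is what the version banner alone can never give you.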