Apache – CVE-2015-0253

Description

Kayran has detected that the version of Apache HTTP Server being used has a ‘Crash in ErrorDocument 400 handling’ vulnerability.
CVE-2015-0253 is categorized as a ‘NULL Pointer Dereference’ vulnerability (CWE-476).
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid but that is actually NULL.
This will probably cause a crash or an exit.

NULL pointer dereference issues can occur through a number of flaws, including race conditions and simple programming omissions.

The read_request_line function in server/protocol.c in the version of Apache being used does not initialize the protocol structure member.
Attackers could abuse this to cause a Denial of Service (DoS) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI.

This may degrade performance and interrupt the availability of resources.

Recommendation

To fix CVE-2015-0253, upgrade the version of Apache HTTP Server being used to 2.4.16 or higher.
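
The following audit script is an added example, not part of the Kayran scanner or of Apache. It checks an httpd configuration and version banner for the three conditions named in the description: a release below 2.4.16, the INCLUDES output filter, and an ErrorDocument 400 directive pointing at a local URI. The sample banner, configuration and path are constructed, and treating every release below 2.4.16 as unfixed is an assumption taken from the recommendation above.

```python
import re

FIXED = (2, 4, 16)  # assumption: "upgrade to 2.4.16 or higher" per the recommendation
# Directives whose first argument is a filter list such as "INCLUDES;DEFLATE".
FILTER_RE = re.compile(
    r'^(?:AddOutputFilter|SetOutputFilter|AddOutputFilterByType)\s+(\S+)', re.I)
ERRDOC_RE = re.compile(r'^ErrorDocument\s+400\s+(\S.*)$', re.I)

# Constructed sample input (not taken from a real host).
SAMPLE_BANNER = "Server version: Apache/2.4.12 (Unix)"
SAMPLE_CONFIG = """\
AddOutputFilter INCLUDES .shtml
ErrorDocument 400 /errors/400.shtml
"""

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` style output, or None."""
    m = re.search(r'Apache/(\d+)\.(\d+)\.(\d+)', banner)
    return tuple(int(x) for x in m.groups()) if m else None

def audit(config_text, banner):
    """Report each precondition from the advisory and whether all three hold."""
    includes, local_400 = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # skip blanks and commented-out directives
        m = FILTER_RE.match(line)
        if m and 'INCLUDES' in m.group(1).upper().split(';'):
            includes = True
        m = ERRDOC_RE.match(line)
        if m:
            target = m.group(1).strip().strip('"')
            # A local URI starts with "/"; text messages and full URLs do not.
            if target.startswith('/'):
                local_400 = target
    version = parse_version(banner)
    unfixed = version is not None and version < FIXED
    return {
        'version': version,
        'below_fixed_release': unfixed,
        'includes_filter': includes,
        'local_errordocument_400': local_400,
        'exposed': bool(unfixed and includes and local_400),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_BANNER))
```

The script reads a single configuration text, so files pulled in through Include directives need to be concatenated before they are passed to audit().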

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-0253

https://cwe.mitre.org/data/definitions/476.html
