BSA-2018-559

Brocade Fabric OS

2 more products

21641

20 September 2018

30 March 2018

Closed

Low

4.8

N/A

CVE-2018-1283

Summary

Security Advisory ID : BSA-2018-559

Component : Apache HTTPD

Revision : 2.0: Final

The Apache HTTP Server (httpd) mod_session module has an improper input validation flaw in the way it handles HTTP session headers in some configurations. When mod_session is configured to forward its session data to CGI applications (SessionEnv on, which is not the default), a remote user may influence the content of that session data by sending a "Session" request header.

This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

The severity is set to Moderate because "SessionEnv on" is neither a default nor a common configuration; where it is enabled, the issue should be considered more severe because of the possible remote exploitation.
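The name collision the advisory describes, as an added illustration that is not Apache's code: a CGI gateway derives the meta-variable name for each request header by upper-casing it, turning "-" into "_" and prefixing "HTTP_" (RFC 3875 section 4.1.18), so a client-sent "Session" header lands in HTTP_SESSION, the same variable mod_session uses for its session data. The functions cgi_env_name and build_cgi_env, the strip_collisions switch, and the order in which header and session values are written are all assumptions made for the example; the actual change in httpd may differ.

```python
"""Model of the CGI environment a script receives, showing how a request header
collides with the HTTP_SESSION variable when SessionEnv is on (added example)."""

# Variable name the advisory says mod_session uses to forward session data.
MOD_SESSION_ENV = "HTTP_SESSION"


def cgi_env_name(header_name: str) -> str:
    """Map a request header name to its CGI meta-variable (RFC 3875 4.1.18):
    'HTTP_' + upper-cased name with '-' replaced by '_'. Header names are
    case-insensitive, so 'Session', 'session' and 'SESSION' all map alike."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def build_cgi_env(headers, session_data=None, session_env=False,
                  strip_collisions=False):
    """Assemble the environment a CGI script would see.

    headers          list of (name, value) request headers from the client
    session_data     decoded server-side session string, or None if there is none
    session_env      models 'SessionEnv on'
    strip_collisions hypothetical mitigation: drop client headers whose CGI name
                     equals the variable reserved for session data

    Returns (env, dropped); dropped lists the client header names removed.
    Write order (headers first, then session data) is an assumption of this model.
    """
    env = {}
    dropped = []
    reserved = {MOD_SESSION_ENV} if session_env else set()
    for name, value in headers:
        var = cgi_env_name(name)
        if strip_collisions and var in reserved:
            dropped.append(name)
            continue
        env[var] = value
    if session_env and session_data is not None:
        env[MOD_SESSION_ENV] = session_data
    return env, dropped


def colliding_headers(headers):
    """Defensive check for request logs or a pre-CGI filter: return the client
    header names that would occupy mod_session's variable."""
    return [name for name, _ in headers
            if cgi_env_name(name) == MOD_SESSION_ENV]


if __name__ == "__main__":
    # Constructed sample request: no server-side session exists for this client.
    sample = [("Host", "example.invalid"), ("session", "role=admin")]
    vulnerable, _ = build_cgi_env(sample, session_data=None, session_env=True)
    print("without mitigation:", vulnerable.get(MOD_SESSION_ENV))
    hardened, dropped = build_cgi_env(sample, session_data=None,
                                      session_env=True, strip_collisions=True)
    print("with mitigation:", hardened.get(MOD_SESSION_ENV), "dropped:", dropped)
```

With SessionEnv off the client header still becomes an ordinary HTTP_SESSION meta-variable, but nothing on the server side gives that name any meaning, which is why the non-default setting is the precondition.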

Affected Products

No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by this vulnerability.

Revision History

Version Change Date
1.0 Initial Publication Mar 30, 2018
2.0 Updated FOS Sept 20, 2018