CVE-2018-1283: Tampering of mod_session data for CGI applications.

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.29


When mod_session is configured to forward its session data to CGI
applications (SessionEnv on, not the default), a remote user may influence
their content by using a "Session" header. This comes from the "HTTP_SESSION"
variable name used by mod_session to forward its data to CGIs, since the
prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header
fields, per CGI specifications.

The severity is set to Medium because "SessionEnv on" is not a default nor
common configuration, it should be considered High when this is the case
though, because of the possible remote exploitation.

All httpd users should upgrade to 2.4.30 or later.

The issue was discovered internally by the Apache HTTP Server team.


Reply via email to