CVE-2002-0840

Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.apacheweek.com/issues/02-10-04	Vendor Advisory
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0003.html
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000530
http://www.linuxsecurity.com/advisories/other_advisory-2414.html
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-068.php
http://www.debian.org/security/2002/dsa-187
http://www.debian.org/security/2002/dsa-188
http://www.debian.org/security/2002/dsa-195
http://online.securityfocus.com/advisories/4617
http://archives.neohapsis.com/archives/bugtraq/2002-10/0254.html
http://www.redhat.com/support/errata/RHSA-2002-222.html
http://www.redhat.com/support/errata/RHSA-2002-243.html
http://www.redhat.com/support/errata/RHSA-2002-244.html
http://www.redhat.com/support/errata/RHSA-2002-248.html
http://www.redhat.com/support/errata/RHSA-2002-251.html
http://www.redhat.com/support/errata/RHSA-2003-106.html
ftp://patches.sgi.com/support/free/security/advisories/20021105-02-I
http://www.kb.cert.org/vuls/id/240329	US Government Resource
http://www.securityfocus.com/bid/5847
http://www.osvdb.org/862
http://marc.info/?l=bugtraq&m=103357160425708&w=2
http://marc.info/?l=bugtraq&m=103376585508776&w=2
http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2
https://exchange.xforce.ibmcloud.com/vulnerabilities/10241
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e@%3Ccvs.httpd.apache.org%3E

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:http_server:1.3.18:::::::*
	cpe:2.3:a:apache:http_server:1.3.19:::::::*
	cpe:2.3:a:apache:http_server:1.3.4:::::::*
	cpe:2.3:a:apache:http_server:1.3.6:::::::*
	cpe:2.3:a:apache:http_server:2.0.37:::::::*
	cpe:2.3:a:apache:http_server:2.0.38:::::::*
	cpe:2.3:a:oracle:application_server:1.0.2.2:::::::*
	cpe:2.3:a:oracle:application_server:9.0.2:::::::*
	cpe:2.3:a:oracle:oracle8i:8.1.7_.0.0_enterprise:::::::*
	cpe:2.3:a:oracle:oracle8i:8.1.7_.1.0_enterprise:::::::*
	cpe:2.3:a:apache:http_server:1.3:::::::*
	cpe:2.3:a:oracle:application_server:9.0.2.1:::::::*
	cpe:2.3:a:oracle:oracle9i:9.0.1:::::::*
	cpe:2.3:a:oracle:database_server:8.1.7:::::::*
	cpe:2.3:a:apache:http_server:2.0.35:::::::*
	cpe:2.3:a:apache:http_server:1.3.1:::::::*
	cpe:2.3:a:oracle:oracle9i:9.0:::::::*
	cpe:2.3:a:apache:http_server:2.0.39:::::::*
	cpe:2.3:a:oracle:application_server:9.0.2:r2::::::
	cpe:2.3:a:apache:http_server:1.3.20:::::::*
	cpe:2.3:a:oracle:oracle8i:8.1.7.1:::::::*
	cpe:2.3:a:oracle:oracle8i:8.1.7:::::::*
	cpe:2.3:a:oracle:application_server:1.0.2.1s:::::::*
	cpe:2.3:a:apache:http_server:1.3.3:::::::*
	cpe:2.3:a:apache:http_server:1.3.17:::::::*
	cpe:2.3:a:apache:http_server:1.3.26:::::::*
	cpe:2.3:a:apache:http_server:1.3.9:::::::*
	cpe:2.3:a:apache:http_server:2.0.40:::::::*
	cpe:2.3:a:apache:http_server:2.0.36:::::::*
	cpe:2.3:a:apache:http_server:1.3.14:::::::*
	cpe:2.3:a:apache:http_server:1.3.22:::::::*
	cpe:2.3:a:apache:http_server:2.0:::::::*
	cpe:2.3:a:oracle:application_server:1.0.2:::::::*
	cpe:2.3:a:apache:http_server:2.0.42:::::::*
	cpe:2.3:a:apache:http_server:1.3.23:::::::*
	cpe:2.3:a:oracle:oracle9i:9.0.2:::::::*
	cpe:2.3:a:apache:http_server:1.3.25:::::::*
	cpe:2.3:a:oracle:database_server:9.2.1:::::::*
	cpe:2.3:a:apache:http_server:1.3.24:::::::*
	cpe:2.3:a:apache:http_server:2.0.41:::::::*
	cpe:2.3:a:apache:http_server:2.0.32:::::::*
	cpe:2.3:a:oracle:oracle9i:9.0.1.3:::::::*
	cpe:2.3:a:apache:http_server:1.3.12:::::::*
	cpe:2.3:a:oracle:oracle9i:9.0.1.2:::::::*
	cpe:2.3:a:apache:http_server:1.3.11:::::::*
	cpe:2.3:a:apache:http_server:2.0.28:::::::*
	cpe:2.3:a:oracle:database_server:9.2.2:::::::*

Information

Published : 2002-10-10 21:00

Updated : 2021-06-06 04:15

NVD link : CVE-2002-0840

Mitre link : CVE-2002-0840

JSON object : View

CWE

NVD-CWE-Other

Products Affected

oracle

application_server
oracle8i
database_server
oracle9i

apache

http_server

6.8 /10