-
Notifications
You must be signed in to change notification settings - Fork 91
CVE 2014 8109
Kayla Nussbaum edited this page Dec 15, 2016
·
5 revisions
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts. This allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. Refer to the [CVE Page](URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109) for more details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109.
- Discovered on [2014-11-12 14:52 UTC](URL: https://bz.apache.org/bugzilla/show_bug.cgi?id=57204). https://bz.apache.org/bugzilla/show_bug.cgi?id=57204
- Reported by Eric Covener: Eric is a senior software engineer at IBM. He is a valuable contribution member of the apache foundation. He have also served as their chair since 2011. See more information about his background: https://www.linkedin.com/in/covener
- Details have been found in the [original conversation](URL: http://www.openwall.com/lists/oss-security/2014/11/28/5) about the vulnerability. http://www.openwall.com/lists/oss-security/2014/11/28/5
- Several people reported this issue: David Walser reported the bug to Mageia on 2014-12-30; Murray McAllister reported the bug to Red Hat on 2014-12-15.
- Introduced in vulnerability history that goes back as far as Apache 2.4.3 up to 2.4.10: http://www.securityfocus.com/bid/71353/info
- Git Fix Hash: 3f1693d558d0758f829c8b53993f1749ddf6ffcb https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcb
- Date: 2014-12-2
- Fixed By: Edward Lu and Eric Covener. Edwards is a software engineer at Microsoft. Graudate with Bsc in CS at Pennsylvania State University.
-
Fix Details: This fix changed the
mod_lua.cfile. The fix consisted of removing an args variable and changing it to include a struct that would better define the arguments for headers and authorization. It also included adding proper allocation of memory via malloc and changing how the arguments are added to the array.