Scan of RSA Certificate Manager 6.7 shows vulnerabilities with Apache 1.3.33
Originally Published: 2007-05-11
Article Number
Applies To
RSA Certificate Manager 6.7
Apache 1.3.33
Issue
Resolution
1) 86727 - Apache Mod_IMAP Referer Cross-Site Scripting Vulnerability
Analysis:
- The web server in RSA Certificate Manager (RCM) and RSA Registration Manager (RRM) 6.7 is not built with mod_imap. Here is the list of compiled-in modules from RCM and RRM's Apache:
apache.exe -l
Compiled-in modules:
http_core.c
mod_so.c
mod_mime.c
mod_access.c
mod_auth.c
mod_negotiation.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_gencert.c
mod_userdir.c
mod_alias.c
mod_rewrite.c
mod_env.c
mod_log_config.c
mod_asis.c
mod_actions.c
mod_xudaacl.c
mod_setenvif.c
mod_isapi.c
mod_ssl.c
2) 86695 - Apache Mod_SSL Log Function Format String Vulnerability (1)
Analysis:
- The WebServer in 6.7 is not built with mod_proxy and the document mentions that the offending call is implemented in mod_proxy hook functions.
- This issue is reported with Apache 1.3.30/mod_ssl 2.8.18 and is fixed in mod_ssl 2.8.19-1.3.31. The WebServer version in 6.7 is Apache 1.3.33/mod_ssl 2.8.22. This problem does not exist in RCM and RRM 6.7.
3) 86731 - Multiple Apache Web Server (1.3.26 and Earlier) Vulnerabilities
Analysis:
- The vulnerabilities CVE-2002-0843 and CVE-2002-0839 are reported in older versions of Apache. Since the current Apache version is 1.3.33, this problem does not exist in RCM and RRM 6.7.
4) EXT-M-005: Apache SSLVerifyClient Bypass Restrictions
Analysis:
- This parameter is not configured as a global parameter in httpd.conf and is configured per virtual host. This problem does not occur in RCM and RRM 6.7.
5) EXT-M-006: mod_ssl ssl_engine_ext Format String Error
Analysis:
- This problem is reported for mod_ssl versions before 2.8.19. The 6.7 webserver is using 2.8.22. This problem is not applicable to RCM and RRM 6.7.
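The module and version checks behind analyses 1, 2 and 5 can be scripted so they are repeatable after each scan. This is an added example, not RSA's code. The function names and the httpd.conf fragment are assumptions. Because mod_so is compiled in, the sketch also reads active LoadModule lines, which apache.exe -l does not list.

```python
import re

# Constructed input: the compiled-in list from the article, in `apache -l` form.
L_OUTPUT = "Compiled-in modules:\n" + "\n".join(
    "  " + m for m in (
        "http_core.c mod_so.c mod_mime.c mod_access.c mod_auth.c "
        "mod_negotiation.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c "
        "mod_gencert.c mod_userdir.c mod_alias.c mod_rewrite.c mod_env.c "
        "mod_log_config.c mod_asis.c mod_actions.c mod_xudaacl.c "
        "mod_setenvif.c mod_isapi.c mod_ssl.c").split())

# Hypothetical httpd.conf fragment (constructed): one commented-out LoadModule.
CONF = "ServerType standalone\n#LoadModule proxy_module modules/mod_proxy.so\n"

MOD_SSL_FIXED = "2.8.19"  # first fixed mod_ssl release, per the analysis above


def compiled_in(l_output):
    """Module names from `apache -l` output ('mod_ssl.c' -> 'mod_ssl')."""
    return {m.group(1) for m in re.finditer(r"^\s*(\w+)\.c\s*$", l_output, re.M)}


def dso_loaded(conf_text):
    """Modules named by active LoadModule lines; commented lines are skipped."""
    pat = r"^\s*LoadModule\s+\S+\s+\S*?(mod_\w+)\.\w+\s*$"
    return {m.group(1) for m in re.finditer(pat, conf_text, re.M | re.I)}


def ver(s):
    """'2.8.22' -> (2, 8, 22) so 2.8.9 sorts before 2.8.19 (strings would not)."""
    return tuple(int(part) for part in s.split("."))


def triage(l_output, conf_text, mod_ssl_version):
    """Map scanner finding ID -> True if its precondition holds on this server."""
    present = compiled_in(l_output) | dso_loaded(conf_text)
    unpatched_ssl = ver(mod_ssl_version) < ver(MOD_SSL_FIXED)
    return {
        "86727": "mod_imap" in present,                         # needs mod_imap
        "86695": "mod_proxy" in present and unpatched_ssl,      # mod_proxy hooks
        "EXT-M-006": "mod_ssl" in present and unpatched_ssl,    # mod_ssl < 2.8.19
    }


if __name__ == "__main__":
    for finding, applies in triage(L_OUTPUT, CONF, "2.8.22").items():
        print(finding, "applicable" if applies else "not applicable")
```

A True value means the finding's precondition is met and the scanner result needs real follow-up rather than being closed as not applicable.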
Notes
BZ 53842