CVE-2010-0010: Apache mod_proxy vulnerability

After contacting the Apache security team, I can publish a new advisory. This bug exists only in Apache 1.3, in the mod_proxy module, and only on 64-bit architectures.

I would like to thank Colm MacCárthaigh – the guy responsible for contact with me and for patching this hole.

The bugfix is available in a forthcoming version of Apache 1.3.x.

If you have any questions, just contact me. The advisory is available here:

30 Dec, by admin

This will be a very short post… I found (a few months ago) a security vulnerability in one of the Apache server/modules. I contacted the Apache security team. In a few days I will decide about the “future” of this bug – publish, or wait for the security patch and publish after it. Now I can paste here simple output from gdb:

15 Dec, by admin

More than a year ago I published an advisory for the ‘mtr’ software. I think, personally, it is a great bug because it can’t exist without an unspecified situation in the libresolv library :) The question is, why have I written about it on the blog?

I forgot to add this advisory to my site (sic!) :) Now it’s OK and you can find this advisory here.

I attached details and a Proof of Concept to this advisory. If you haven’t read it yet, I strongly recommend you do, because it shows that sometimes when we read source code we think a bug doesn’t exist, but sometimes other external stuff/bugs/unspecified situations help us to trigger and exploit a non-existent bug :)

6 Dec, by admin

Is it a dream? Impossible? Bugs in a CPU? No… it’s reality! A CPU is only a piece of hardware. Everything has bugs… CPUs too. I will give here only a piece of information about bugs in Intel products…

OK. I haven’t written on the blog for a long time. Today I want to show you what yum can sometimes do without your knowledge. A few days ago I was upgrading one of the systems using yum. Everything looked fine. I was happy that sometimes yum is useful. After work I went to sleep, and the next day I received messages that something is fu** up with www…

13 Nov, by admin

CERN – The European Organization for Nuclear Research…

Now I have more time so I can write something more about my job…

23 Oct, by admin

CERN – The European Organization for Nuclear Research…

For the last few weeks I was talking (mailing) with Derek (xpdf developer – btw. a really nice guy) about some vulnerabilities in his product. On the 14th of October he published a patch for the bugs (not only my vulnerabilities), so I decided to release the advisory…

26 Sep, by admin

SecDay 2009

Badge

Before I start describing my impressions of the conference, I will write a few sentences about the blog you are reading right now :) I promised myself (and Icewall :>) that I finally had to set up some mini website of my own. I felt a bit silly that every time I gave a presentation I had to say that my site was not working (and it had been that way for over a year). And finally it happened :) I bought a domain (even though someone “stole” the one I wanted more :>) and, thanks to the kindness of buz (thanks!), I played with the VPS I got from him :) Admittedly I cannot change the kernel (sic!), but it has made (and will make) work on the site and the blog enormously easier. Still, having your own little server (despite the limitations – VPS) is something else :)

25 Sep, by admin

This is a test post… we are testing the blog and the home page ;-)