Vulnerability Name: | CVE-2002-1157 (CCN-10457)
Assigned: | 2002-10-22
Published: | 2002-10-22
Updated: | 2008-09-05
Summary: | Cross-site scripting vulnerability in the mod_ssl Apache module 2.8.9 and earlier, when UseCanonicalName is off and wildcard DNS is enabled, allows remote attackers to execute script as other web site visitors, via the server name in an HTTPS response on the SSL port, which is used in a self-referencing URL, a different vulnerability than CAN-2002-0840.
CVSS v3 Severity: | 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability Type: | CWE-Other
Vulnerability Consequences: | Gain Access
References: |
Source: BUGTRAQ Type: UNKNOWN 20021026 GLSA: mod_ssl
Source: CCN Type: Gentoo Linux Security Announcement 200210-009 mod_ssl
Source: MITRE Type: CNA CVE-2002-1157
Source: CONECTIVA Type: UNKNOWN CLA-2002:541
Source: CCN Type: Conectiva Linux Announcement CLSA-2002:541 Cross site scripting vulnerability in mod_ssl
Source: BUGTRAQ Type: UNKNOWN 20021023 [OpenPKG-SA-2002.010] OpenPKG Security Advisory (apache)
Source: CCN Type: RHSA-2002-222 Updated apache
Source: CCN Type: RHSA-2002-248 apache
Source: CCN Type: RHSA-2002-251 apache security update
Source: CCN Type: RHSA-2003-106 Updated apache and mod_ssl packages available
Source: DEBIAN Type: Patch, Vendor Advisory DSA-181
Source: DEBIAN Type: DSA-181 libapache-mod-ssl -- cross site scripting
Source: XF Type: Vendor Advisory apache-modssl-host-xss(10457)
Source: MANDRAKE Type: UNKNOWN MDKSA-2002:072
Source: ENGARDE Type: UNKNOWN ESA-20021029-027
Source: CCN Type: EnGarde Secure Linux Security Advisory ESA-20021029-027 apache
Source: CCN Type: mod_ssl Web site mod_ssl: The Apache Interface to OpenSSL
Source: OSVDB Type: UNKNOWN 2107
Source: CCN Type: OSVDB ID: 2107 Apache HTTP Server mod_ssl Host: Header XSS
Source: REDHAT Type: UNKNOWN RHSA-2002:222
Source: REDHAT Type: UNKNOWN RHSA-2002:243
Source: REDHAT Type: UNKNOWN RHSA-2002:244
Source: REDHAT Type: UNKNOWN RHSA-2002:248
Source: REDHAT Type: UNKNOWN RHSA-2002:251
Source: REDHAT Type: UNKNOWN RHSA-2003:106
Source: BID Type: UNKNOWN 6029
Source: CCN Type: BID-6029 Mod_SSL Wildcard DNS Cross Site Scripting Vulnerability
Source: XF Type: UNKNOWN apache-modssl-host-xss(10457)
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: