CVE-2009-1195

 

Published at: - 28-05-2009 10:30

Last modified: - 30-06-2022 05:18

Total changes: - 4

Description

The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file.

Common Vulnerability Scoring System (CVSS)

AV:L/AC:L/Au:N/C:N/I:N/A:C

 

Verification logic

 

Reference

• 35264-Vendor Advisory
• https://bugzilla.redhat.com/show_bug.cgi?id=489436
• http://svn.apache.org/viewvc?view=rev&revision=772997
• 35261-
• RHSA-2009:1075-
• 54733-
• 1022296-
• ADV-2009-1444-
• [apache-httpd-dev] 20090423 Includes vs IncludesNoExec security issue - help needed-
• 35115-
• MDVSA-2009:124-
• DSA-1816-
• 35453-
• USN-787-1-
• 35395-
• RHSA-2009:1156-
• 35721-
• GLSA-200907-04-
• FEDORA-2009-8812-
• SUSE-SA:2009:050-
• 37152-
• APPLE-SA-2009-11-09-1-
• http://support.apple.com/kb/HT3937
• ADV-2009-3184-
• http://wiki.rpath.com/Advisories:rPSA-2009-0142
• HPSBUX02612-
• apache-allowoverrides-security-bypass(50808)-
• oval:org.mitre.oval:def:8704-
• oval:org.mitre.oval:def:12377-
• oval:org.mitre.oval:def:11094-
• 20091113 rPSA-2009-0142-2 httpd mod_ssl-
• 20091112 rPSA-2009-0142-1 httpd mod_ssl-
• [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
• [httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
• [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
• [httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
• [httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
• [httpd-cvs] 20210330 svn commit: r1888194 [5/13] - /httpd/site/trunk/content/security/json/-
• [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/-
• [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-
• [httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
• [httpd-cvs] 20210330 svn commit: r1073139 [5/13] - in /websites/staging/httpd/trunk/content: ./ security/json/-
• [httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-
• [httpd-cvs] 20210330 svn commit: r1073149 [6/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-

 

Keywords

NVD

 

CVE-2009-1195

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures