First published: Mon Dec 15 2014

If an authorization script for LuaAuthzProvider was provided in the configuration multiple times, only the arguments of the last specification were used when invoking the script. This could lead to scripts being invoked with unexpected arguments.

Further details are available in the thread of the original report and in the bug:

- http://www.openwall.com/lists/oss-security/2014/11/28/5
- https://issues.apache.org/bugzilla/show_bug.cgi?id=57204

Upstream fix: https://github.com/apache/httpd/commit/3f1693d558d0758f829c8b53993f1749ddf6ffcb

This affects Apache HTTP Server versions 2.3 and later (such as the version shipped in Red Hat Enterprise Linux 7), as mod_lua is not available in earlier releases. Note that support for LuaAuthzProvider is experimental.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache HTTP Server | >=2.3 | |
The severity of REDHAT-BUG-1174077 is considered moderate, as it affects the expected behavior of LuaAuthzProvider.

To fix REDHAT-BUG-1174077, apply the upstream fix; as a configuration workaround, ensure that the authorization script for a LuaAuthzProvider is specified only once in the configuration.

REDHAT-BUG-1174077 affects Apache HTTP Server version 2.3 and higher.

REDHAT-BUG-1174077 is an issue of improper argument handling in script invocations: arguments from one specification are passed to another invocation of the same script.

Exploitation of REDHAT-BUG-1174077 may lead to scripts being invoked with unexpected arguments, potentially resulting in unauthorized access.
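As an added defender-side check (not part of the original advisory or of httpd itself), the following Python script scans an httpd configuration for a Lua authorization provider that is referenced by more than one Require directive with differing arguments, which is the configuration pattern the advisory describes. The configuration fragment, provider name and file names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed httpd.conf fragment (sample input for this example, not from the advisory).
SAMPLE_CONF = """
LuaRoot /usr/local/apache2/lua
LuaAuthzProvider group-check authz.lua check_group
<Location /admin>
    Require group-check admins
</Location>
<Location /staff>
    Require group-check staff
</Location>
# Require group-check ignored   (commented out, must not count)
"""

# LuaAuthzProvider <provider-name> <script> <function>
LUA_PROVIDER_RE = re.compile(r"^\s*LuaAuthzProvider\s+(\S+)\s+(\S+)\s+(\S+)", re.I)
# Require [not] <provider-name> <arguments...>
REQUIRE_RE = re.compile(r"^\s*Require\s+(?:not\s+)?(\S+)(.*)$", re.I)


def find_duplicate_lua_requires(conf_text):
    """Return {provider: [argument strings]} for every Lua authz provider that is
    used by more than one Require directive with differing arguments.  Such a
    configuration is the pattern affected by REDHAT-BUG-1174077, where only the
    arguments of the last specification were passed to the script."""
    lines = [ln for ln in conf_text.splitlines() if ln.strip() and not ln.strip().startswith("#")]
    # First pass: which Require provider names are backed by Lua scripts.
    providers = {m.group(1).lower() for ln in lines for m in [LUA_PROVIDER_RE.match(ln)] if m}
    # Second pass: collect the argument string of every Require that uses one of them.
    uses = defaultdict(list)
    for ln in lines:
        m = REQUIRE_RE.match(ln)
        if m and m.group(1).lower() in providers:
            uses[m.group(1).lower()].append(m.group(2).strip())
    return {p: args for p, args in uses.items() if len(set(args)) > 1}


if __name__ == "__main__":
    for provider, args in find_duplicate_lua_requires(SAMPLE_CONF).items():
        print(f"{provider}: {len(args)} Require directives with differing arguments {args}")
```

A provider referenced repeatedly with identical arguments is not flagged, since every invocation then receives the arguments the administrator intended.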