
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure

Hi,

Is there any hotfix or patches to resolve this vulnerability? The solution is to upgrade the apache version to 2.2.22 or later and EPO4.6.3 is using 2.2.21.

Synopsis

The web server running on the remote host has an information disclosure vulnerability.

Description

The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.

See Also

http://fd.the-wildcat.de/apache_e36a9cf46c.php

http://httpd.apache.org/security/vulnerabilities_22.html

http://svn.apache.org/viewvc?view=revision&revision=1235454

Solution

Upgrade to Apache version 2.2.22 or later.

https://kc.mcafee.com/corporate/index?page=content&id=KB73310

https://kc.mcafee.com/corporate/index?page=content&id=KB61057

Best regards,

CM
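To make the plugin description concrete, here is an added example (editor's code, not from this thread, Nessus, McAfee or the Apache project). It runs two tiny loopback servers in-process: one imitates the pre-2.2.22 default 400 page that prints the offending header back, the other a fixed server whose 400 body never repeats client input. The same check, an oversized Cookie header carrying a constructed marker, is sent to both, and the result shows whether the cookie value comes back in the 400 body, which is the disclosure path described above. HEADER_LIMIT (set to Apache's default LimitRequestFieldSize of 8190 bytes), the handler classes and the function names are all my own assumptions for this demo.

```python
"""Added example: imitate the echoing vs. generic 400 page behaviour and
check whether an oversized Cookie header is reflected in the error body."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed limit: Apache's default LimitRequestFieldSize is 8190 bytes,
# so a header value longer than this triggers the 400 described above.
HEADER_LIMIT = 8190


class _QuietHandler(BaseHTTPRequestHandler):
    """Shared plumbing for the two imitation servers below (not Apache code)."""

    def log_message(self, fmt, *args):  # keep the demo output clean
        pass

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _oversized(self):
        """Return the first (name, value) header pair exceeding the limit, if any."""
        for name, value in self.headers.items():
            if len(value) > HEADER_LIMIT:
                return name, value
        return None


class EchoingHandler(_QuietHandler):
    """Imitates the pre-2.2.22 default 400 page, which prints the offending header."""

    def do_GET(self):
        bad = self._oversized()
        if bad is None:
            return self._reply(200, b"OK")
        name, value = bad
        body = ("<h1>Bad Request</h1><p>Size of a request header field exceeds "
                f"server limit.<br><pre>{name}: {value}</pre></p>").encode()
        self._reply(400, body)


class GenericHandler(_QuietHandler):
    """Imitates the fixed behaviour: the 400 body never repeats client input."""

    def do_GET(self):
        if self._oversized() is None:
            return self._reply(200, b"OK")
        self._reply(400, b"<h1>Bad Request</h1><p>Your browser sent a request "
                         b"that this server could not understand.</p>")


def start_server(handler):
    """Bind an imitation server on a free loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def cookie_leaks_in_400(host, port, cookie_name="session", fill=9000):
    """Send one request whose Cookie header exceeds HEADER_LIMIT and return
    (status, leaked): leaked is True when the 400 body echoes the cookie value,
    the disclosure path the plugin text describes. Useful after an upgrade to
    confirm the error page no longer reflects request headers."""
    marker = "LEAKTEST_" + "A" * fill  # constructed oversized cookie value
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.putrequest("GET", "/")
        conn.putheader("Cookie", f"{cookie_name}={marker}")
        conn.endheaders()
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, marker in body
    finally:
        conn.close()


def run_demo():
    """Exercise both imitation servers; returns {label: (status, leaked)}."""
    results = {}
    for label, handler in (("echoing_400", EchoingHandler), ("generic_400", GenericHandler)):
        server, port = start_server(handler)
        try:
            results[label] = cookie_leaks_in_400("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, (status, leaked) in run_demo().items():
        print(f"{label}: HTTP {status}, cookie value echoed in body: {leaked}")
```

Both servers answer 400 to the oversized request; only the echoing one returns a body containing the marker. The same `cookie_leaks_in_400` call pointed at a host you administer is a quick way to confirm that an upgrade to 2.2.22 or later (or a custom 400 error page) actually stopped the reflection, independent of what a version banner says.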

1 Reply

Re: 57792 - Apache HTTP Server httpOnly Cookie Information Disclosure

We are also seeing this same error in the latest update 4.6.4L which was just installed.