Posted to docs@httpd.apache.org by "Hollstein, Mathias" <ma...@destatis.de> on 2014/03/24 11:43:30 UTC

Apache 2.4 docs w/r to CVE-2014-0098 log_cookie directive

Hello everyone,

after reading CVE-2014-0098 ([L1]) one of my colleagues came up with the
conclusion that "log_cookie" function in file "mod_log_config.c" is not
used in Apache 2.4 anymore.

However the documents ([L2]) are somehow not reflecting the codebase
([L3]) as far as I can see. The SVN repository clearly indicates the
code actually does exist.

Now I ask myself whether the official documentation is wrong (missing
CookieLog Directive for "current") or the code is deactivated somehow. I
also ask myself whether the CVE applies to Apache 2.4 or not at all. So
far all certs worldwide tell me/us so but the documents do not reflect
that. During apache test we receive "Invalid command 'CookieLog',
perhaps misspelled or defined by a module not included in the server
configuration". But again, it's in the SVN code repository.

Your help is appreciated. Thanks in advance! :)

[L1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0098
[L2] http://httpd.apache.org/docs/current/mod/mod_log_config.html
[L3] http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_log_config.c?r1=1575394&r2=1575400&diff_format=h


Kind regards

Mathias Hollstein
______________________
Mathias Hollstein

Referat BIT II 5 (Wiesbaden)

Telefon: +49 (0) 611 75 2549
Telefax: +49 (0) 611 72 4000

Email: Mathias.Hollstein@bva.bund.de
Email: mathias.hollstein@destatis.de

Internet: www.bundesverwaltungsamt.de
          www.bit.bund.de
          www.destatis.de

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Re: Apache 2.4 docs w/r to CVE-2014-0098 log_cookie directive

Posted by "Hollstein, Mathias" <ma...@destatis.de>.
Hello Eric,

a thousand thanks for your replies! They pointed me/us into the right
direction and therefore we can handle things much better now. Believe me
- we really had a situation here.

Keep up with the good work and I hope we'll have a chat again soon! :]


Best regards

Mathias



On 24.03.2014 12:50, Eric Covener wrote:
> On Mon, Mar 24, 2014 at 7:34 AM, Hollstein, Mathias
> <ma...@destatis.de> wrote:
>> Hello Eric,
>>
>> so I can safely assume that when using "%{VARNAME}C" for e.g. like
>> (below) it does the trick/causes serious pain to me?
> 
> yes
> 
>> # CustomLog with format nickname
>> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{mycookie-name}i\"" common
>> CustomLog logs/access_log common
> s/i/C
> 
>>
>>
>> Can I also assume the documents (current) are perfectly fine since
>> "CookieLog Directive" does not have to be specified anymore like
>> "CookieLog 'filename'", but the imply is active "automagically" and can
>> be used like described above?
> 
> I don't think when "CookieLog" did anything it had anything to do with
> individual format strings used by the rest of mod_log_config.
> 
>> So this essentially means I have to go through the configs and look for
>> such \"%{mycookie-name}i\" statements, right?
> 
> "C", not "i"


Re: Apache 2.4 docs w/r to CVE-2014-0098 log_cookie directive

Posted by Eric Covener <co...@gmail.com>.
On Mon, Mar 24, 2014 at 7:34 AM, Hollstein, Mathias
<ma...@destatis.de> wrote:
> Hello Eric,
>
> so I can safely assume that when using "%{VARNAME}C" for e.g. like
> (below) it does the trick/causes serious pain to me?

yes

> # CustomLog with format nickname
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{mycookie-name}i\"" common
> CustomLog logs/access_log common
s/i/C

>
>
> Can I also assume the documents (current) are perfectly fine since
> "CookieLog Directive" does not have to be specified anymore like
> "CookieLog 'filename'", but the imply is active "automagically" and can
> be used like described above?

I don't think when "CookieLog" did anything it had anything to do with
individual format strings used by the rest of mod_log_config.

> So this essentially means I have to go through the configs and look for
> such \"%{mycookie-name}i\" statements, right?

"C", not "i"

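An added example, not part of the thread or of httpd: a small Python scan for the `%{cookie-name}C` format item discussed above, covering `LogFormat` nicknames and the `CustomLog` directives that reference them. The sample configuration and all function names are constructed for illustration; `Include`d files and nicknames defined after their use are not followed.

```python
import re
import shlex

# %[modifiers]{cookie-name}C; modifiers are status-code lists, "!", "<" or ">".
COOKIE_ITEM = re.compile(r"%[!<>,\d]*\{([^}]*)\}C")

SAMPLE = r"""# Constructed sample configuration, not taken from the thread.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{mycookie-name}C\"" withcookie
LogFormat "%h \"%{Cookie}i\"" headeronly
CustomLog logs/cookie_log withcookie
CustomLog logs/inline_log \
    "%h %!200,304{session}C"
"""

def logical_lines(text):
    """Yield (first_line_no, text); trailing-backslash continuations are joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).strip()
        if line and not line.startswith("#"):
            yield start, line
        buf, start = "", None

def cookie_names(fmt):
    """Cookie names logged by a format string; "%%" is a literal percent sign."""
    return COOKIE_ITEM.findall(fmt.replace("%%", ""))

def find_cookie_logging(text):
    """Return [(line_no, directive, [cookie names])] for every %{name}C use."""
    nicknames, hits = {}, []
    for n, line in logical_lines(text):
        try:
            args = shlex.split(line)
        except ValueError:  # unbalanced quotes: leave for manual review
            continue
        directive, names = args[0].lower(), []
        if directive == "logformat" and len(args) >= 2:
            names = cookie_names(args[1])
            if len(args) >= 3:
                nicknames[args[2].lower()] = names
        elif directive == "customlog" and len(args) >= 3:
            names = nicknames.get(args[2].lower(), cookie_names(args[2]))
        if names:
            hits.append((n, args[0], names))
    return hits
```

The `headeronly` format logs the whole `Cookie` request header through `%{Cookie}i` and is not reported, matching the "C, not i" distinction made in the reply.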


Re: Apache 2.4 docs w/r to CVE-2014-0098 log_cookie directive

Posted by "Hollstein, Mathias" <ma...@destatis.de>.
Hello Eric,

so I can safely assume that when using "%{VARNAME}C" for e.g. like
(below) it does the trick/causes serious pain to me?

# CustomLog with format nickname
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{mycookie-name}i\"" common
CustomLog logs/access_log common


Can I also assume the documents (current) are perfectly fine since
"CookieLog Directive" does not have to be specified anymore like
"CookieLog 'filename'", but the imply is active "automagically" and can
be used like described above?

So this essentially means I have to go through the configs and look for
such \"%{mycookie-name}i\" statements, right?

A "yes, yes, yes" to all questions would cause me relief. Thanks in
advance! :D


Best regards

Mathias Hollstein



On 24.03.2014 12:14, Eric Covener wrote:
> The vulnerability is not related to the archaic CookieLog directive.
> It's in the impl of logformat %{cookie-name}C.


Re: Apache 2.4 docs w/r to CVE-2014-0098 log_cookie directive

Posted by Eric Covener <co...@gmail.com>.
On Mon, Mar 24, 2014 at 6:43 AM, Hollstein, Mathias
<ma...@destatis.de> wrote:
> Hello everyone,
>
> after reading CVE-2014-0098 ([L1]) one of my colleagues came up with the
> conclusion that "log_cookie" function in file "mod_log_config.c" is not
> used in Apache 2.4 anymore.
>
> However the documents ([L2]) are somehow not reflecting the codebase
> ([L3]) as far as I can see. The SVN repository clearly indicates the
> code actually does exist.
>
> Now I ask myself whether the official documentation is wrong (missing
> CookieLog Directive for "current") or the code is deactivated somehow

The vulnerability is not related to the archaic CookieLog directive.
It's in the impl of logformat %{cookie-name}C.
