
Apache httpd: mod_dav segfault

IDs: 
CVE-2013-1896
Keywords: 
Apache, httpd, mod_dav
Description: 

Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

Airlock itself is not vulnerable since it does not use mod_dav or mod_dav_svn.

To protect back-end servers, Airlock includes restrictive default allow rules (whitelist rules). These default rules prevent the use of WebDAV commands; an integrator has to allow those commands explicitly. For this reason, back-end servers are not exploitable "by default". The Airlock configuration scheme, which uses path-based mappings, leads the administrator to a secure configuration where DAV commands are only allowed on paths where they are needed.

Resolution: 

The default configuration of Airlock secures back-end servers. No action is required. Nevertheless, we recommend updating known vulnerable software anyway: update Apache HTTP servers with activated mod_dav functionality to version >= 2.2.26 or version >= 2.4.6, respectively.
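
The version thresholds in the Resolution can be checked on a back-end host with a short script. This is an added example, not part of the original advisory or of Airlock; the function name `dav_status` and the sample input are assumptions for illustration, and the two arguments are the text printed by `httpd -v` and `httpd -M`.

```shell
#!/bin/sh
# Added example: classify an Apache httpd install against the fixed
# versions named in this advisory (2.2.26 on 2.2.x, 2.4.6 on 2.4.x).
#
# dav_status BANNER MODULES
#   BANNER  = text printed by `httpd -v`
#   MODULES = text printed by `httpd -M`
# Prints one of: no-dav | fixed | needs-update | unknown
dav_status() {
    banner=$1
    modules=$2

    # mod_dav is listed as dav_module, mod_dav_svn as dav_svn_module.
    if ! printf '%s\n' "$modules" | grep -Eq '(^|[[:space:]])dav(_svn)?_module'; then
        echo no-dav
        return 0
    fi

    # Extract "major.minor.patch" from e.g. "Server version: Apache/2.2.22 (Unix)".
    ver=$(printf '%s\n' "$banner" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # Minimum patch level per branch, as given in the Resolution.
    case "$major.$minor" in
        2.2) min=26 ;;
        2.4) min=6 ;;
        *)   echo unknown; return 0 ;;  # branch not covered by the advisory
    esac

    if [ "$patch" -ge "$min" ]; then echo fixed; else echo needs-update; fi
}

# Constructed sample input (not captured from a real host).
sample_banner='Server version: Apache/2.2.22 (Unix)'
sample_modules=' core_module (static)
 dav_module (shared)
 dav_svn_module (shared)'
dav_status "$sample_banner" "$sample_modules"
```

Distribution packages may backport the fix without changing the upstream version number, so a `needs-update` result is a prompt to check the package changelog rather than a final verdict.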

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock