CVE-2011-4415
Description
The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow
OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.4.1-1 |
| sid | Fixed | 2.4.1-1 |
| forky | Fixed | 2.4.1-1 |
| bullseye | Fixed | 2.4.1-1 |
| bookworm | Fixed | 2.4.1-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | http_server | 2.0 | |
| apache | http_server | 2.0.9 | |
| apache | http_server | 2.0.28 | |
| apache | http_server | 2.0.32 | |
| apache | http_server | 2.0.34 | |
| apache | http_server | 2.0.35 | |
| apache | http_server | 2.0.36 | |
| apache | http_server | 2.0.37 | |
| apache | http_server | 2.0.38 | |
| apache | http_server | 2.0.39 | |
| apache | http_server | 2.0.40 | |
| apache | http_server | 2.0.41 | |
| apache | http_server | 2.0.42 | |
| apache | http_server | 2.0.43 | |
| apache | http_server | 2.0.44 | |
| apache | http_server | 2.0.45 | |
| apache | http_server | 2.0.46 | |
| apache | http_server | 2.0.47 | |
| apache | http_server | 2.0.48 | |
| apache | http_server | 2.0.49 | |
| apache | http_server | 2.0.50 | |
| apache | http_server | 2.0.51 | |
| apache | http_server | 2.0.52 | |
| apache | http_server | 2.0.53 | |
| apache | http_server | 2.0.54 | |
| apache | http_server | 2.0.55 | |
| apache | http_server | 2.0.56 | |
| apache | http_server | 2.0.57 | |
| apache | http_server | 2.0.58 | |
| apache | http_server | 2.0.59 | |
| apache | http_server | 2.0.60 | |
| apache | http_server | 2.0.61 | |
| apache | http_server | 2.0.63 | |
| apache | http_server | 2.0.64 | |
| apache | http_server | 2.2.0 | |
| apache | http_server | 2.2.1 | |
| apache | http_server | 2.2.2 | |
| apache | http_server | 2.2.3 | |
| apache | http_server | 2.2.4 | |
| apache | http_server | 2.2.6 | |
| apache | http_server | 2.2.8 | |
| apache | http_server | 2.2.9 | |
| apache | http_server | 2.2.10 | |
| apache | http_server | 2.2.11 | |
| apache | http_server | 2.2.12 | |
| apache | http_server | 2.2.13 | |
| apache | http_server | 2.2.14 | |
| apache | http_server | 2.2.15 | |
| apache | http_server | 2.2.16 | |
| apache | http_server | 2.2.18 | |
| apache | http_server | 2.2.19 | |
| apache | http_server | 2.2.20 | |
| apache | http_server | 2.2.21 | |
References
- https://security-tracker.debian.org/tracker/CVE-2011-4415
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
- http://www.gossamer-threads.com/lists/apache/dev/403775
- http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
- http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html
CWEs
CWE-20
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.