Split-logfiles in the Apache web server allow separate log files to be created for each individual host name. A problem exists in the implementation of the split-logfile functionality which may allow attacker-supplied data to be appended to files with the .log extension. An HTTP request with a Host: header that starts with a "/" will cause an error message to be displayed, but the entry will still be appended to the appropriate access file. This can be exploited to cause attacker-supplied data to be appended to an arbitrary .log file if the Host: header is specially crafted. Red Hat Secure Web Server 3.2 is also affected by this issue.
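The missing check described above is validation of the host name before it becomes part of a file name. The following Python sketch is an added example, not Apache's own split-logfile code: it assumes the virtual host is the first space-separated field of each log entry, and the names `log_path_for`, `split_log` and `demo` and the sample entries are constructed for illustration.

```python
import os
import re
import tempfile

# Allowlist for a DNS-style host name: labels of letters, digits and hyphens
# joined by dots. "/" and a leading "." can never match.
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
VHOST_RE = re.compile(LABEL + r"(?:\." + LABEL + r")*")

def log_path_for(vhost, log_dir):
    """Return the per-host .log path inside log_dir, or None if vhost is unsafe."""
    name = vhost.lower()
    if len(name) > 253 or not VHOST_RE.fullmatch(name):
        return None
    base = os.path.realpath(log_dir)
    path = os.path.realpath(os.path.join(base, name + ".log"))
    # Defence in depth: the resolved file must sit directly inside log_dir.
    if os.path.dirname(path) != base:
        return None
    return path

def split_log(lines, log_dir):
    """Append each entry to <log_dir>/<vhost>.log; return the rejected lines."""
    rejected = []
    for line in lines:
        vhost, _, entry = line.partition(" ")
        path = log_path_for(vhost, log_dir)
        if path is None or not entry:
            rejected.append(line)  # report and skip: nothing is written
            continue
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(entry.rstrip("\n") + "\n")
    return rejected

# Constructed sample input; the third entry has a host field starting with "/".
SAMPLE = [
    'www.example.com 192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET / HTTP/1.0" 200 2326',
    'Shop.Example.com 192.0.2.11 - - [10/Oct/2000:13:55:40 -0700] "GET /cart HTTP/1.0" 200 512',
    '/constructed/name 192.0.2.12 - - [10/Oct/2000:13:55:44 -0700] "GET / HTTP/1.0" 400 0',
]

def demo():
    """Split SAMPLE into a temporary directory; return (files created, rejected)."""
    with tempfile.TemporaryDirectory() as log_dir:
        rejected = split_log(SAMPLE, log_dir)
        return sorted(os.listdir(log_dir)), rejected

if __name__ == "__main__":
    print(demo())
```

Unlike the behaviour the advisory describes, a rejected entry is reported and skipped rather than reported and written anyway.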