cve/2012/CVE-2012-0021.md

CVE-2012-0021

Description

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.

POC

Reference

• http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
• http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

Github

• https://github.com/8ctorres/SIND-Practicas
• https://github.com/syadg123/pigat
• https://github.com/teamssix/pigat