Apache 2.0 through 2.0.39 on Windows, OS2, and Netware allows remote attackers to determine the full pathname of the server via (1) a request for a .var file, which leaks the pathname in the resulting error message, or (2) via an error message that occurs when a script (child process) cannot be invoked.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Http_server | Apache | 2.0.28 | 2.0.28 |
Http_server | Apache | 2.0.35 | 2.0.35 |
Http_server | Apache | 2.0.37 | 2.0.37 |
Http_server | Apache | 2.0.32 | 2.0.32 |
Http_server | Apache | 2.0.34 | 2.0.34 |
Http_server | Apache | 2.0.39 | 2.0.39 |
Http_server | Apache | 2.0.28 | 2.0.28 |
Http_server | Apache | 2.0.32 | 2.0.32 |
Http_server | Apache | 2.0.38 | 2.0.38 |
Http_server | Apache | 2.0.36 | 2.0.36 |
Http_server | Apache | 2.0.28 | 2.0.28 |
Http_server | Apache | 2.0 | 2.0 |