CVE-2005-2700
CVE-2005-2700
ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.
Affected products
n/a · n/aWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.htmlhttp://marc.info/?l=apache-modssl&m=112569517603897&w=2http://marc.info/?l=bugtraq&m=112604765028607&w=2http://marc.info/?l=bugtraq&m=112870296926652&w=2http://people.apache.org/~jorton/CAN-2005-2700.diffhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167195http://secunia.com/advisories/16700http://secunia.com/advisories/16705http://secunia.com/advisories/16714http://secunia.com/advisories/16743http://secunia.com/advisories/16746http://secunia.com/advisories/16748