Bug 491365 - (CVE-2009-0788) CVE-2009-0788 rhn_satellite: Incorrect mod_rewrite rules (information disclosure, abuse as distributed DoS tool)
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Jan Pazdziora
Keywords: Security
Depends On: 548442 548443 548444 647313 695494
Blocks: 622406
Reported: 2009-03-20 12:36 EDT by Jan Lieskovsky
Modified: 2013-04-04 17:50 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-04-04 17:50:15 EDT

Description Jan Lieskovsky 2009-03-20 12:36:23 EDT
A flaw was found in the way RHN Satellite rewrote certain URLs.
An unauthenticated user could use a specially-crafted HTTP
request to obtain sensitive information about the host system
RHN Satellite was running on. They could also use RHN Satellite
as a distributed denial of service tool, forcing it to connect
to an arbitrary service at an arbitrary IP address via a
specially-crafted HTTP request.
Comment 25 Jan Lieskovsky 2011-03-25 06:52:27 EDT
The preliminary embargo date for this issue has been set to
Monday, 9th of May, 2011.
Comment 26 Jan Lieskovsky 2011-04-04 04:55:21 EDT
(In reply to comment #25)
The preliminary embargo date for this issue has been moved to
an earlier date, Monday, 11th of April, 2011.
Comment 29 errata-xmlrpc 2011-04-11 16:24:48 EDT
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.3
  Red Hat Network Satellite Server v 5.4

Via RHSA-2011:0434 https://rhn.redhat.com/errata/RHSA-2011-0434.html
Comment 30 Vincent Danen 2011-04-11 16:50:29 EDT
Created spacewalk-backend tracking bugs for this issue

Affects: fedora-all [bug 695494]
