Network Security News – Tuesday, September 06, 2005 Events
Apache mod_ssl SSLVerifyClient Per-location Context Restriction Bypass
mod_ssl contains a flaw that may allow a malicious user to bypass certain security restrictions. The issue is due to an error in enforcing client-based certificate authentication ("SSLVerifyClient require") in per-location context, if "SSLVerifyClient optional" was configured in the global virtual host configuration. It is possible that the flaw may allow an attacker to bypass client-based certificate authentication, resulting in a loss of confidentiality or integrity.. Read more at osvdb.org/19188