Description
Cytrix has detected that the version of Apache HTTP Server in use is vulnerable to Failure to Sanitize Data into a Different Plane (‘Injection’) (CWE-74).
A CRLF injection vulnerability, also known as CVE-2008-0456, exists in the mod_negotiation module in your version of Apache HTTP Server.
It allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension.
The injection occurs within a (1) “406 Not Acceptable” or (2) “300 Multiple Choices” HTTP response when the extension is omitted in a request for the file.
There’s a chance that this vulnerability will allow attackers to modify system files and information.
Recommendation
To fix CVE-2008-0456, upgrade the version of Apache HTTP Server being used to 2.3.2 or higher.
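The following audit script is an added example, not part of the original advisory or of Apache's code. It flags file and directory names under a served directory that contain CR, LF or other control characters (the precondition described above) and compares a Server header against the fixed release 2.3.2. The function names and the sample values in the usage are assumptions made for illustration.

```python
import os
import re
from typing import List, Optional

# Fixed release taken from the advisory's recommendation (2.3.2 or higher).
FIXED = (2, 3, 2)
# CR and LF terminate an HTTP header line; no C0 control or DEL belongs in a served name.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def unsafe_name(name: str) -> bool:
    """True if a file name contains CR, LF or another control character."""
    return CONTROL.search(name) is not None


def audit_tree(root: str) -> List[str]:
    """Return repr()-escaped paths under root whose own name is unsafe."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if unsafe_name(name):
                # repr() keeps the control characters visible and inert in reports.
                hits.append(repr(os.path.join(dirpath, name)))
    return sorted(hits)


def needs_upgrade(server_header: str) -> Optional[bool]:
    """Compare an 'Apache/x.y.z' banner with FIXED; None if no version is exposed.

    Caveat: distribution packages may backport fixes without changing the
    banner, so treat the result as a prompt to check the package changelog.
    """
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", server_header)
    if m is None:
        return None
    return tuple(int(p) for p in m.groups()) < FIXED


if __name__ == "__main__":
    import sys
    # Usage: python audit.py /path/to/upload/dir
    for path in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("control character in name:", path)
```

The same `unsafe_name` check can be applied in an upload handler to reject such names before they reach a directory that mod_negotiation serves.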
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0456
https://cwe.mitre.org/data/definitions/74.html