Apache - CVE-2016-0736

Description

Cytrix has detected that the Version of Apache HTTP Server being used has a Cryptographic Issue (CWE-310).
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently, these deal with the use of encoding techniques, encryption libraries, and hashing algorithms.

Also known as CVE-2016-0736.

Attackers abuse the fact that mod_session_crypto is encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default) and there’s no selectable or builtin authenticated encryption.

This would allow attacker to initiate padding oracle attacks, specifically with CBC.

Apache – CVE-2016-0736

Description

Recommendation

References

Lights, camera, where is the Script? – JavaScript in short

Cybersecurity – The thinnest security guards you will ever know

Quickly! – Incident Response – IR

To serve or not to serve – DoS vs. DDoS

Baby steps – getting into the PT industry

SQLI to RCE

Company

Resources

Docs

Latest posts

Possible Credit Card Number Disclosure

Backdoors – A Dangerous Back Entrance

Internal IP Disclosure