The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file.

The Security Manager in razorCMS before 0.4 does not verify the permissions of every file owned by the apache user account, which is inconsistent with the documentation and allows local users to have an unspecified impact.

ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to the apache user account, and sets the permissions to 0600, which makes it easier for remote attackers to modify this file by accessing it through a (1) PHP or (2) CGI script.

mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.

Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown.

Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring; or (5) the PATH_INFO to the default URI under console/portal/.

Multiple directory traversal vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 on Windows allow remote attackers to upload files to arbitrary directories via directory traversal sequences in the (1) group, (2) artifact, (3) version, or (4) fileType parameter to console/portal//Services/Repository (aka the Services/Repository portlet); the (5) createDB parameter to console/portal/Embedded DB/DB Manager (aka the Embedded DB/DB Manager portlet); or the (6) filename parameter to the createKeystore script in the Security/Keystores portlet.

Unspecified vulnerability in the plug-ins for Apache and IIS web servers in Oracle BEA WebLogic Server 7.0 Gold through SP7, 8.1 Gold through SP6, 9.0, 9.1, 9.2 Gold through MP3, 10.0 Gold through MP1, and 10.3 allows remote attackers to affect confidentiality, integrity, and availability. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow in an unspecified plug-in that parses HTTP requests, which leads to a heap-based buffer overflow.

Novell Access Manager 3 SP4 does not properly expire X.509 certificate sessions, which allows physically proximate attackers to obtain a logged-in session by using a victim's web-browser process that continues to send the original and valid SSL sessionID, related to inability of Apache Tomcat to clear entries from its SSL cache.

Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.

The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.

Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."

Multiple cross-site scripting (XSS) vulnerabilities in Dojo 0.4.1 and 0.4.2, as used in Apache Struts and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving (1) xip_client.html and (2) xip_server.html in src/io/.

Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the Apache HTTP Server, when /perl-status is accessible, allows remote attackers to inject arbitrary web script or HTML via the URI.

Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x.

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

Multiple unspecified vulnerabilities in DFLabs PTK 1.0.0 through 1.0.4 allow remote attackers to execute arbitrary commands in processes launched by PTK's Apache HTTP Server via (1) "external tools" or (2) a crafted forensic image.

Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."

PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.