Description

ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.

Remediation

References

Related Vulnerabilities

Severity

Critical

Classification

CVE-2005-2700

Tags

Missing Update Known Vulnerabilities