All Products
Document Center

[Vulnerability notice] HttpOnly cookie leak vulnerability in Apache

Last Updated: May 07, 2018


The Apache HTTP server has a cookie information disclosure vulnerability in the implementation of the default error response to the status code 400. The vulnerability allows the attacker to gain access to sensitive information.


Note: To avoid loss from operation failure, we recommend that you create the server snapshot before you try the following solutions.

Upgrade to Apache HTTPD 2.2.22 or a later version.

Solution 2

  1. Open the HTTPD configuration file (the httpd.ini file by default), locate ErrorDocument400, and add a section of custom content after it. For example, ErrorDocument400 "error page!".
  2. Save the file and restart the HTTPD service.