The Apache Foundation has issued a warning that exploits to its chunk handling vulnerability are circulating on the Internet, putting users of its open-source server at high risk.

The vulnerability, which Apache now says affects both 64-bit platforms and 32-bit platforms alike, could cause denial-of-service attacks or allow a attacker to take remote control of a server.

"Though we previously reported that 32-bit platforms were not remotely exploitable, it has since been proven (that certain conditions allowing exploitation do exist)," Apache warned, urging users upgrade to versions 1.3.26 and 2.0.39 to apply a comprehensive fix.

"Due to the existence of exploits circulating in the wild for some platforms, the risk is considered high...All users are urged to upgrade immediately," the Foundation said.

Apache updated its security bulletin to warn that exploitation of the chunk handling bug could lead to the further exploitation of vulnerabilities unrelated to Apache on the local system, potentially allowing the intruder root access.

"Note that early patches for this issue released by ISS and others do not address its full scope," Apache said, referring to a patch that was issued by the Internet Security Systems (IIS) that did not offer a comprehensive fix.

The existence of the Apache exploit made the rounds on the popular Bugtraq security e-mail list. Posts to the list include this warning that the Apache exploit tool was "./friendly," meaning anyone with basic scripting capabilities "should be able to run it without any trouble."

The release of the source code for the Apache exploit adds new fuel to the controversy over how the bug announcement was handled. The original warning was first reported by the ISS, causing friction between the security outfit and the Apache Foundation.

Apache officials were upset they weren't first notified before the ISS issued its advisory and patch, a normal procedure when bugs are detected.

The Apache Foundation said the bug affected versions of its Web server up to and including 1.3.24 and 2.0 up to and including 2.0.36 and 2.0.36-dev, warning that it could be triggered remotely by sending a carefully crafted invalid request, which is enabled by default.

"In most cases the outcome of the invalid request is that the child process dealing with the request will terminate. At the least, this could help a remote attacker launch a denial of service attack as the parent process will eventually have to replace the terminated child process and starting new children uses non-trivial amounts of resources," Apache said.

Because Apache servers on the Windows and Netware platforms runs one multithreaded child process to service requests, the Foundation said the teardown and subsequent setup time to replace the lost child process presents a significant interruption of service. "As the Windows and Netware ports create a new process and reread the configuration, rather than fork a child process, this delay is much more pronounced than on other platforms," it explained.

In the Apache 2.0 version, it said the error condition is correctly detected and would not allow an attacker to execute code on the server. In Apache 1.3, it said the issue causes a stack overflow.

The Foundation again warned that vendor patches should be used to correct the vulnerability as a matter of urgency.