Related Articles •Serious BIND Server Flaws Detected •Dealing With Massive Attack: DNS Protection •Massive DDoS Attack Hit DNS Root Servers •CERT: Sendmail Hacked •Apache Fixes Bugs in Server Upgrade •Fifth Release of Apache 2.0 Available for Download

eSecurity Glossary biometrics encryption keylogger malware phishing RFID security spyware virus worm Search for more eSecurity terms ...

FREE Tech Newsletters Instant Messaging Planet HTML CIO Update CodeGuru Update Enterprise Networking Planet Practically Networked HTML Enterprise Storage Forum HTML Optically Networked HTML Intranet Journal Update Datamation IT Management Careers Datamation IT Management Update Developer.com Update Gamelan Java Update Goodies to Go Javascript Weekly HTML JARS Java Update OpenSource Update SysOpt Tech Notes Grid Computing Planet HTML E-Security Planet HTML Virtual Dr. Text

Apache Flaws Being Exploited
November 14, 2002
By Ryan Naraine

The Apache HTTP Server Project has warned that several security holes in the Apache source are being actively exploited on the Internet, urging IT managers to urgently upgrade to version 1.3.27 or 2.0.43 or higher.

It is the second warning from the open-source project, which is used by more than 60 percent of Web servers on the Net. Because most of the vulnerable code is shared between the Apache and Apache-Perl packages, the flaws are shared as well, Apache warned.

The latest warning, posted on the BugTraq mailing list, highlights a scoreboard memory segment overwriting vulnerability that could lead to denial-of-service (DoS) attacks.

This vulnerability allows an attacker to execute code under the Apache UID to exploit the Apache shared memory scoreboard format and send a signal to any process as root or cause a local denial of service attack, Apache warned.

Apache said the recent Linux/Apache/mod_ssl/OpenSSL slapper worm continues to exploit a problem in the OpenSSLsource code and not a problem specific to the Apache HTTP Server source code. Affected users are urged to upgrade the OpenSSL library and not the HTTP Server.

"If you are running an SSL-enabled web server using OpenSSL, upgrade to at least version 0.9.6e of OpenSSL and recompile all applications that use OpenSSL," the organization said.

Other vulnerabilities still being exploited on servers that haven't been upgraded include:

• A cross site scripting bug in the default 404 page of any web server hosted on a domain that allows wildcard DNS lookups
• Possible overflows in the utility ApacheBench (ab) which could be exploited by a malicious server
• A race condition in the htpasswd and htdigest program enables a malicious local user to read or even modify the contents of a password file or easily create and overwrite files as the user running the htpasswd (or htdigest respectively) program
• htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack
• Several buffer overflows in the ApacheBench (ab) utility that could be exploited by a remote server returning very long strings

   

  Tools:

  Add www.esecurityplanet.com to your favorites Add www.esecurityplanet.com to your browser search box IE 7 | Firefox 2.0 | Firefox 1.5.x Receive news via our XML/RSS feed

  Information Security Trends Archives