Update: A pair of newly discovered vulnerabilities in older versions of the Apache Software Foundation's HTTP Server and likely other HTTP Server-based software distributions could expose users to cross-site scripting attacks or security policy bypasses.
According to an advisory released Tuesday by the French Security Incident Response Team (FrSIRT), the first issue involves an HTTP request processing error containing both a "Transfer-Encoding: chunked" header and a "Content-Length" header. FrSIRT said it could bypass the Web application firewall protection or lead to cross-site scripting attacks.
The second flaw, according to FrSIRT, "is due to an error in the 'TraceEnable' directive, which could cause the proxy server to accept a TRACE request body although the RFC 2616 prohibited it."
They have been deemed a "moderate risk" by FrSIRT because the problems cannot be exploited by remote attackers to compromise a vulnerable system, but can be exploited to bypass certain security policies and restrictions.The issues affect HTTP Server 1.3.33 and prior, butusers can eliminate the vulnerabilities by upgrading to version 1.3.34 or newer.
Michael Goulde, senior analyst with Cambridge, Mass.-based Forrester Research, said that since the current Apache release is 2.0.55, it's likely that the only Apache users who would be affected are those that haven't upgraded in some time.
"Clearly the problem was fixed some time ago," Goulde said, "so anyone who had already installed a later version than [1.3.33] would not have a concern."
However, in an e-mail to SearchSecurity.com, FrSIRT said it's likely that Web server distributions from a number of third-party vendors based on Apache 1.3.x and 2.0.x are affected, and users should contact their vendor for a fix. Goulde said many vendors make use of unaltered Apache code, as allowed under the Apache License program and the General Public License.
"People don't generally rebrand it, or even publish derivative works. It's generally just used," Goulde said. "If you have made modifications to the source code, then you have essentially forked the tree if you will, and you now have a version you are responsible for maintaining."
Though Goulde emphasized that the impact of the flaws should be relatively small, he added that it's an ideal time for users of older versions of Apache HTTP Server to upgrade.
Separately, IBM today also released a fix for IBM HTTP Server versions 2.0.47 and 2.0.42, addressing numerous vulnerabilities as part of a roll-up patch. The cumulative fix, however, does not address the issues covered in the FrSIRT advisory.
Neither Apache nor IBM spokesmen were available for comment on the vulnerabilities.