
DoS, buffer overflow flaws found in Apache

By Edward Hurley, News Writer
18 Jun 2002 | SearchSecurity


A potentially dangerous vulnerability has been found in the Apache Web server, but some question whether the advisory was released too quickly.


The flaw could allow attackers to launch denial-of-service attacks against systems running certain versions of the open source Web server. Worse, it could be used to trigger a stack buffer overflow, allowing attackers to gain control of the servers themselves.

Yesterday, Internet Security Systems (ISS) released an advisory and a patch for the vulnerability. The Apache Software Foundation, which administers Apache, then issued its own advisory before it had a fixed release ready, because ISS's alert had already made the flaw public.

"Please note that the patch provided by ISS does not correct this vulnerability," the Apache Software Foundation said in its advisory. The flaw can be corrected by upgrading to Apache version 1.3.25 or 2.0.39.

The vulnerability, which affects requests sent with "chunked" transfer encoding, is found in Apache versions up to 1.3.24 and 2.0.36. Chunked encoding, part of HTTP/1.1, lets a client send a request body as a series of pieces, each prefixed with its length in hexadecimal; Apache's handling of that length is what goes wrong. The flaw can be triggered by sending a malformed request, Apache's advisory said, and the functionality is enabled by default.

At a minimum, the malformed request crashes the server process, giving attackers a denial-of-service attack.

For Apache 1.3 on 32-bit Unix systems, the flaw produces a stack overflow that, as far as the advisories stated, leads to a crash. On 64-bit Unix systems the overflow could allow an attacker to run arbitrary code. ISS found that the vulnerability could also give an attacker control of servers running Apache on Windows.

On Apache 2.0 the bug is not believed to permit arbitrary code execution; the impact there is denial of service.
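The mistake behind this advisory is a chunk size that is checked as a signed number but then used as an unsigned length: a long string of hex digits wraps into a negative value, the negative value passes a "smaller than the buffer" check, and the copy routine then sees a huge length. The C program below is an added illustration of that pattern, written for this page and not taken from Apache's source or from either advisory. It shows a naive chunk-size parser and length check beside a hardened one, run over constructed chunk-size lines; the 8192-byte buffer size and all function names are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the signed/unsigned chunk-size bug class.
   Not Apache's code; function names and the 8192-byte buffer are assumptions. */

/* Value of one hex digit; the caller has already checked isxdigit(). */
static unsigned hexval(int c)
{
    if (c >= '0' && c <= '9')
        return (unsigned)(c - '0');
    return (unsigned)(tolower(c) - 'a' + 10);
}

/* Naive parser: shifts hex digits into an accumulator and hands the result back
   as a signed long, so a size line of enough 'f's comes back negative. */
static long naive_chunk_size(const char *line)
{
    unsigned long acc = 0;
    for (; isxdigit((unsigned char)*line); line++)
        acc = (acc << 4) | hexval((unsigned char)*line);  /* silently wraps */
    return (long)acc;  /* out-of-range value turns negative on two's-complement targets */
}

/* VULNERABLE: number of bytes the server would hand to its copy routine for the
   next chunk, where bufsiz is the size of a fixed stack buffer. */
size_t vulnerable_copy_len(const char *size_line, int bufsiz)
{
    long remaining = naive_chunk_size(size_line);
    /* Signed comparison: a negative 'remaining' counts as smaller than bufsiz. */
    int len_to_read = (remaining > bufsiz) ? bufsiz : (int)remaining;
    /* The copy routine takes size_t, so -16 becomes SIZE_MAX - 15: a huge copy
       into a small stack buffer. That crashes the process, and if the attacker
       can steer the truncated value it can do worse. */
    return (size_t)len_to_read;
}

/* HARDENED: parse the size line as unsigned, reject overflow and trailing garbage,
   and never return more than the buffer can hold. Returns the clamped length, or
   -1 if the line is malformed (caller should answer 400 and close the connection). */
long safe_copy_len(const char *size_line, size_t bufsiz)
{
    size_t size = 0;
    int ndigits = 0;
    const char *p = size_line;

    for (; isxdigit((unsigned char)*p); p++, ndigits++) {
        if (size > (SIZE_MAX >> 4))
            return -1;                     /* next shift would overflow: reject */
        size = (size << 4) | hexval((unsigned char)*p);
    }
    if (ndigits == 0)
        return -1;                         /* no hex digits at all */
    if (*p == ';')                         /* optional chunk extension: skip to end of line */
        while (*p != '\0' && *p != '\r')
            p++;
    if (*p != '\0' && strcmp(p, "\r\n") != 0)
        return -1;                         /* anything else after the size is garbage */
    /* A huge but well-formed chunk is simply read in buffer-sized pieces. */
    return (long)(size < bufsiz ? size : bufsiz);
}

int main(void)
{
    /* Constructed chunk-size lines: a normal one and one crafted to go negative. */
    const char *normal = "10";
    const char *crafted = "fffffffffffffff0";
    const size_t bufsiz = 8192;

    printf("vulnerable: %-18s -> %zu bytes\n", normal, vulnerable_copy_len(normal, (int)bufsiz));
    printf("vulnerable: %-18s -> %zu bytes\n", crafted, vulnerable_copy_len(crafted, (int)bufsiz));
    printf("hardened:   %-18s -> %ld bytes\n", normal, safe_copy_len(normal, bufsiz));
    printf("hardened:   %-18s -> %ld bytes\n", crafted, safe_copy_len(crafted, bufsiz));
    printf("hardened:   %-18s -> %ld (rejected)\n", "1fffffffffffffff0", safe_copy_len("1fffffffffffffff0", bufsiz));
    return 0;
}
```

The vulnerable path never copies anything here; it only reports the length it would have passed on, which is enough to see the sign flip. The hardened version makes three separate decisions explicit: overflow of the accumulator is a rejection, not a wrap; trailing bytes other than a chunk extension or CRLF are a rejection; and the returned length is clamped to the buffer before any copy happens.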

Apache is one of the most popular Web servers and has a reputation for security. The software is actually included in commercial products from companies like Hewlett-Packard, IBM and Oracle. In fact, that is how Mark Litchfield, co-founder of Next Generation Security Software, discovered the flaw.

As part of his work, Litchfield routinely tests common software for security vulnerabilities. He originally found the denial-of-service flaw in the Oracle9i application server. "I downloaded Win32 Apache and found the vulnerability was there too," Litchfield said.

Litchfield notified the Apache Software Foundation. It was then that Mark Cox, a founding member of the Apache Software Foundation, found the vulnerability could allow an attacker to gain remote control of servers.

Coincidentally, ISS was also testing Apache and found the same vulnerability. ISS did notify the Apache Software Foundation but decided to release its own patch because of the seriousness of the vulnerability, said Dan Ingevaldson, team leader of Internet Security Systems' X-Force research and development. In the past, the company has had some trouble when dealing with flaws in open source products because a consortium or foundation is responsible for it, not a single vendor.

The debate over who can claim bragging rights for finding the vulnerability shouldn't obscure its seriousness. Both Ingevaldson and Litchfield say the flaw is one of the most serious vulnerabilities they have seen in Apache for a while.



Copyright 2003 - 2009, TechTarget. All Rights Reserved.