Andr0m3da
Power Member
According to a security bulletin released by The
Apache Software Foundation (at
-http://httpd.apache.org/info/security_bulletin_20020617.txt vulnerability
has been discovered in Apache, the most widely-used HTTP server on the
Internet. The problem lies in a buffer overflow in the server that could
allow a malicious user to run arbitrary code.
When a user wants to send information to a web server, this server needs to
reserve buffer space to store the transmitted data. If the length of the
data is unknown, the browser and the server 'agree' to divide the
information into segments of a given size. This is known as chunked
encoding.
The vulnerability stems from the fact that Apache can fail on establishing
the parameters in the "chunked encoding" negotiation, which would enable an
attacker to send more data than the buffer could handle. It is therefore
possible to cause the web server to block or to remotely run random code.
Until now, it has been possible to exploit the vulnerability in version
1.3.24 for Windows(Win32) platforms, although other versions may also be
affected. However, thanks to the fact that Apache is an Open Source project,
corrections have already been supplied by third parties. In any event, The
Apache Software Foundation has published versions 1.3.26 and 2.0.39, which
solve the problem and can be downloaded from the official website at
http://httpd.apache.org/.
According to Netcraft statistics (http://www.netcraft.com/survey/) 63
percent of web servers on the Internet use Apache, way ahead of any
Microsoft, Zeus or iPlanet solutions. For this reason, this could be a
critical Internet vulnerability.
Apache Software Foundation (at
-http://httpd.apache.org/info/security_bulletin_20020617.txt vulnerability
has been discovered in Apache, the most widely-used HTTP server on the
Internet. The problem lies in a buffer overflow in the server that could
allow a malicious user to run arbitrary code.
When a user wants to send information to a web server, this server needs to
reserve buffer space to store the transmitted data. If the length of the
data is unknown, the browser and the server 'agree' to divide the
information into segments of a given size. This is known as chunked
encoding.
The vulnerability stems from the fact that Apache can fail on establishing
the parameters in the "chunked encoding" negotiation, which would enable an
attacker to send more data than the buffer could handle. It is therefore
possible to cause the web server to block or to remotely run random code.
Until now, it has been possible to exploit the vulnerability in version
1.3.24 for Windows(Win32) platforms, although other versions may also be
affected. However, thanks to the fact that Apache is an Open Source project,
corrections have already been supplied by third parties. In any event, The
Apache Software Foundation has published versions 1.3.26 and 2.0.39, which
solve the problem and can be downloaded from the official website at
http://httpd.apache.org/.
According to Netcraft statistics (http://www.netcraft.com/survey/) 63
percent of web servers on the Internet use Apache, way ahead of any
Microsoft, Zeus or iPlanet solutions. For this reason, this could be a
critical Internet vulnerability.
