Two security alerts have been issued about vulnerabilities
affecting the popular open source Apache Web Server.
Almost two-thirds of Web sites run on an Apache Web server and the
flaw is similar to a vulnerability in Microsoft's Internet
Information Server (IIS) that the company warned of last
week.
Cert, the Internet security centre operated by Carnegie Mellon
University, said the vulnerability could be used by intruders to
execute arbitrary code on Windows platforms and possibly on 64-bit
UNIX systems. It also highlighted the need for users to apply
patches from their vendor to correct the vulnerability.
According to the non-profit Apache HTTP Server Project a
vulnerability can allow distributed denial-of-service attacks in
Apache Versions 1.3, including 1.3.24, and Apache 2, including all
versions up to 2.0.36.
Meanwhile, security vendor ISS has reported the discovery of an
Apache vulnerability that contains a flawed mechanism meant to
calculate the size of "chunked" encoding for Windows 32-bit users.
Chunked encoding is part of the HTTP Protocol Specification used
for accepting data from Web users, according to ISS.
When data is sent from the user, the Web server needs to allocate a
memory buffer of a certain size to hold the submitted data. When
the size of the data being submitted is unknown, the client or Web
browser will communicate with the server by creating "chunks" of
data of a negotiated size.
But the flaw, which affects Apache Versions 1.x, misinterprets the
size of incoming data chunks, which could lead to a signal race,
heap overflow and to exploitation of malicious code, according to
ISS.
ISS said it had posted a fix for the problem on its Web site,
however, the Apache Software Foundation has warned that the patch
provided in the ISS advisory does not completely correct the
vulnerability.
The Apache advisory can be found at:
http://httpd.apache.org
The Internet Security Systems advisory is at:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502
The Cert warning is at:
http://www.cert.org/advisories/CA-2002-17.html