Security alerts highlight Apache Web Server flaws

Two security alerts have been issued about vulnerabilities affecting the popular open source Apache Web Server.

Almost two-thirds of Web sites run on an Apache Web server and the flaw is similar to a vulnerability in Microsoft's Internet Information Server (IIS) that the company warned of last week.

Cert, the Internet security centre operated by Carnegie Mellon University, said the vulnerability could be used by intruders to execute arbitrary code on Windows platforms and possibly on 64-bit UNIX systems. It also highlighted the need for users to apply patches from their vendor to correct the vulnerability.

According to the non-profit Apache HTTP Server Project, a vulnerability can allow distributed denial-of-service attacks in Apache Versions 1.3, including 1.3.24, and Apache 2, including all versions up to 2.0.36.

Meanwhile, security vendor ISS has reported the discovery of an Apache vulnerability that contains a flawed mechanism meant to calculate the size of "chunked" encoding for Windows 32-bit users. Chunked encoding is part of the HTTP Protocol Specification used for accepting data from Web users, according to ISS.

When data is sent from the user, the Web server needs to allocate a memory buffer of a certain size to hold the submitted data. When the size of the data being submitted is unknown, the client or Web browser will communicate with the server by creating "chunks" of data of a negotiated size.

But the flaw, which affects Apache Versions 1.x, misinterprets the size of incoming data chunks, which could lead to a signal race, a heap overflow and exploitation by malicious code, according to ISS.
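The sketch below is an added example, not Apache's code and not taken from any of the advisories. It shows one common way a hexadecimal chunk-size field can be misinterpreted (an assumption chosen for illustration: the value is held in a signed type with no overflow check) beside a parser that rejects such input before any buffer is sized. All function names and the 8192-byte limit are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Weak form: no overflow check, result held in a signed 32-bit type,
 * so the size line "ffffffff" is read as -1 on two's-complement targets. */
static int32_t chunk_size_naive(const char *s) {
    uint32_t v = 0;
    for (int d; (d = hexval(*s)) >= 0; s++)
        v = (v << 4) | (uint32_t)d;
    return (int32_t)v;
}

/* A signed "does it fit" test accepts the negative size. */
static int naive_fits(int32_t len, int32_t bufsize) { return len <= bufsize; }

/* Hardened form: unsigned arithmetic, explicit cap, strict syntax.
 * Parses up to ';' (chunk extension), CR or end of string.
 * Returns 0 and stores the size in *out, or -1 to reject the request. */
static int chunk_size_checked(const char *s, size_t max, size_t *out) {
    size_t v = 0;
    int digits = 0;
    for (; *s && *s != ';' && *s != '\r'; s++, digits++) {
        int d = hexval(*s);
        if (d < 0 || v > (SIZE_MAX >> 4)) return -1; /* bad digit / wrap */
        v = (v << 4) | (size_t)d;
        if (v > max) return -1;                      /* larger than buffer */
    }
    if (digits == 0) return -1;                      /* empty size field */
    *out = v;
    return 0;
}

int main(void) {
    size_t n = 0;
    int32_t bad = chunk_size_naive("ffffffff");      /* constructed input */
    printf("naive: %d, passes check: %d\n", (int)bad, naive_fits(bad, 8192));
    printf("checked: %d\n", chunk_size_checked("ffffffff", 8192, &n));
    return 0;
}
```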

ISS said it had posted a fix for the problem on its Web site. However, the Apache Software Foundation has warned that the patch provided in the ISS advisory does not completely correct the vulnerability.

The Apache advisory can be found at:

The Internet Security Systems advisory is at:

The Cert warning is at:
