Got this in my email this morning...
Subject: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
Date: Mon, 17 Jun 2002 22:05:33 -0400 (EDT)
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
Original release date: June 17, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Web servers based on Apache code versions 1.3 through 1.3.24
* Web servers based on Apache code versions 2.0 through 2.0.36
Overview
There is a remotely exploitable vulnerability in the handling of large
chunks of data in web servers that are based on Apache source code.
This vulnerability is present by default in configurations of Apache
web servers versions 1.3 through 1.3.24 and versions 2.0 through
2.0.36. The impact of this vulnerability is dependent upon the
software version and the hardware platform the server is running on.
I saw a story about that. It seems there is a bit of controversy as to how the vulnerability was revealed.
[quote author=pam link=board=5;threadid=3833;start=0#38553 date=1024427917]
I saw a story about that. It seems there is a bit of controversy as to how the vulnerability was revealed.
[/quote]
I saw the same story at SecurityFocus. Got to love this ----->
On Monday, Internet Security Systems (ISS) posted their discovery to the BugTraq mailing list, without knowing the full extent of the flaw, and without giving Apache.org time to investigate and develop a patch or even propose a workaround. To sugar the pill ISS had developed its own patch, which Apache later said doesn't address all the issues. Another point in the ISS advisory which Apache disputes is a claim that only installations on Windows are vulnerable ....
There was a posting at Slashdot suggesting that ISS was using the premature advisory as a publicity stunt; and while there's undoubtedly a lot to that, we have to wonder if there isn't something even creepier behind it. Here we see ISS publishing a vulnerability and a lame patch without so much as consulting the developer of an open-source product, but we've never seen them try to pull a stunt like that with Microsoft, say.
New versions of Apache were just released. ;D ;D ;D
If it smells like a fish....
[quote author=tolstoy link=board=5;threadid=3833;start=0#38575 date=1024444471]
New versions of Apache were just released. ;D ;D ;D
[/quote]
no way!! tooo freaking fast ;D
Quoted from Symantec's website
Apache HTTP Server chunk encoding stack overflow
Risk: High
Date Discovered: 06-17-2002
Description
Apache HTTP Server contains a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code and cause a denial of service (DoS).
Chunked encoding permits the transfer of fragments of dynamically produced content of varying sizes by including a size indicator as well as information for the recipient to verify receipt of the complete message.
For Apache versions 1.2.2 through 1.3.24, this vulnerability may allow remote attackers to execute arbitrary code on Windows platforms. In addition, Apache has reported that a similar attack may allow the execution of arbitrary code on both 32-bit and 64-bit UNIX-based systems.
For Apache versions 2.0 through 2.0.36, the buffer overflow condition is correctly detected; however, an attempted exploit may cause the child process to exit depending on a variety of factors, including the threading model supported by the vulnerable system. If multi-threading is used, it may lead to a denial of service attack against the Apache Web server because all concurrent requests currently served by the affected child process will be lost.
Multi-threading is a technique that allows an independent program to perform more than one task at seemingly the same time. For example, a program that loads a data file while also reading user input is said to have two computational units and is therefore multi-threaded.
This vulnerability affects Apache Web server versions that run on many of the various Windows, BSD, Linux, and UNIX releases. Users are encouraged to contact their vendor to determine whether they are affected and acquire appropriate fixes.
Symantec Enterprise Solutions
NetRecon, Symantec's vulnerability assessment tool, has a check for vulnerable Apache HTTP Server versions included in Security Update 10, which will be available through LiveUpdate.
NetProwler, Symantec's network-based intrusion detection tool, includes detection for attempts to exploit this issue in Security Update 18, which is available for download through the NetProwler update capabilities.
Platforms Affected
Multiple
Components Affected
Apache HTTP Server 1.3.24 and previous
Apache HTTP Server 2.0.36 and previous
Apple Macintosh OS 10.0, 10.0.1
BSDI BSD/OS 4.0
IBM AIX 4.3, 5.1L
Mandrake Soft Linux 7.1, 7.2
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows NT Server 4.0
Microsoft Windows NT, Terminal Server Edition 4.0
OpenBSD BSD 2.8
Oracle Corporation 9i Enterprise Edition 9.0.1
Stronghold Secure Web Server 3.0
Red Hat Software, Inc. Stronghold Secure Web Server 4.0
S.U.S.E. GmbH Linux 7.0
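
For anyone wondering what the "size indicator" in the Symantec description looks like on the wire, here is an added example (not part of any post above, and not Apache's code or its fix) of a strict chunked-body decoder that bounds every chunk size before copying. The names parse_chunk_size, decode_chunked and the MAX_CHUNK limit are assumptions made for this example; chunk extensions and trailer fields are simply rejected.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CHUNK 8192u /* assumed per-chunk limit, not an Apache setting */

/* Read the hex chunk-size line at *p; 0 on success, -1 if malformed or too big.
 * Chunk extensions (";name=value") are rejected to keep the example strict. */
static int parse_chunk_size(const char **p, const char *end, size_t *size)
{
    const char *s = *p;
    size_t v = 0;
    for (; s < end; s++) {
        unsigned d;
        if (*s >= '0' && *s <= '9') d = (unsigned)(*s - '0');
        else if (*s >= 'a' && *s <= 'f') d = (unsigned)(*s - 'a') + 10;
        else if (*s >= 'A' && *s <= 'F') d = (unsigned)(*s - 'A') + 10;
        else break;
        v = v * 16 + d;
        if (v > MAX_CHUNK) return -1; /* stop before the value can wrap */
    }
    if (s == *p || end - s < 2 || s[0] != '\r' || s[1] != '\n') return -1;
    *p = s + 2;
    *size = v;
    return 0;
}

/* Decode a complete chunked body into out; returns its length or -1. */
long decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    const char *p = in, *end = in + in_len;
    size_t used = 0, n;
    for (;;) {
        if (parse_chunk_size(&p, end, &n) != 0) return -1;
        if (n == 0) break;                          /* last-chunk */
        if ((size_t)(end - p) < n + 2) return -1;   /* data or CRLF missing */
        if (n > out_cap - used) return -1;          /* would not fit in out */
        if (p[n] != '\r' || p[n + 1] != '\n') return -1;
        memcpy(out + used, p, n);
        used += n;
        p += n + 2;
    }
    if (end - p != 2 || p[0] != '\r' || p[1] != '\n') return -1; /* no trailers */
    return (long)used;
}

int main(void)
{
    const char *w = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"; /* constructed sample */
    char out[16];
    printf("%ld\n", decode_chunked(w, strlen(w), out, sizeof out));
}
```

The size is checked after every hex digit, so an absurdly long size line is refused before it can wrap the counter, and the copy length is compared against the remaining output space rather than trusted from the request.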