Apache Flaws Being Exploited

Written By
Ryan Naraine
Nov 14, 2002

The Apache HTTP Server Project has warned that several security holes in the
Apache source are being actively exploited on the Internet, and is urging IT
managers to upgrade immediately to version 1.3.27 or 2.0.43 or higher.

It is the second warning from the open-source project, which is used by more
than 60 percent of Web servers on the Net. Because most of the vulnerable code
is shared between the Apache and Apache-Perl packages, the flaws are shared as
well, Apache warned.

The latest warning, posted on the BugTraq mailing list,
highlights a scoreboard memory segment overwriting vulnerability that could
lead to denial-of-service (DoS) attacks.

This vulnerability allows an attacker who can execute code under the Apache
UID to exploit the Apache shared memory scoreboard format and send a signal to
any process as root, or to cause a local denial-of-service attack, Apache
warned.

Apache said the recent Linux/Apache/mod_ssl/OpenSSL Slapper worm continues to
exploit a problem in the OpenSSL source code and not a problem specific to the
Apache HTTP Server source code. Affected users are urged to upgrade the OpenSSL
library and not the HTTP Server.

“If you are running an SSL-enabled web server using OpenSSL, upgrade to at
least version 0.9.6e of OpenSSL and recompile all applications that use
OpenSSL,” the organization said.

Other vulnerabilities still being exploited on servers that haven’t been
upgraded include:

  • A cross-site scripting bug in the default 404 page of any web server
    hosted on a domain that allows wildcard DNS lookups
  • Possible overflows in the utility ApacheBench (ab) which could be
    exploited by a malicious server
  • A race condition in the htpasswd and htdigest programs that enables a
    malicious local user to read or even modify the contents of a password file
    or easily create and overwrite files as the user running the htpasswd (or
    htdigest respectively) program
  • htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allow local
    users to overwrite arbitrary files via a symlink attack
  • Several buffer overflows in the ApacheBench (ab) utility that could be
    exploited by a remote server returning very long strings
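
An administrator can triage an inventory of servers against the minimum releases named above (Apache 1.3.27 or 2.0.43, OpenSSL 0.9.6e). The following is an added example, not code from the article or from the Apache project; the function names and the sample `Server` banners are constructed for illustration.

```python
import re

# Minimum fixed releases named in the article.
APACHE_FIXED_1_3 = (1, 3, 27)
APACHE_FIXED_2_0 = (2, 0, 43)
OPENSSL_FIXED = ((0, 9, 6), "e")  # numeric part, then patch letter

APACHE_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")
OPENSSL_RE = re.compile(r"\bOpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)")


def fmt(nums, letter=""):
    """Render a parsed version such as ((0, 9, 6), 'e') as '0.9.6e'."""
    return ".".join(map(str, nums)) + letter


def audit_banner(banner):
    """Return upgrade findings for one Server banner (empty list = none)."""
    findings = []
    m = APACHE_RE.search(banner)
    if m:
        ver = tuple(int(g) for g in m.groups())
        # Pick the threshold for the branch this server is on.
        fixed = APACHE_FIXED_1_3 if ver < (2, 0, 0) else APACHE_FIXED_2_0
        if ver < fixed:
            findings.append(f"Apache {fmt(ver)} < {fmt(fixed)}")
    m = OPENSSL_RE.search(banner)
    if m:
        nums = tuple(int(g) for g in m.groups()[:3])
        letter = m.group(4)
        # Tuple comparison: numbers first, then letter ("" sorts before "a").
        if (nums, letter) < OPENSSL_FIXED:
            findings.append(f"OpenSSL {fmt(nums, letter)} < {fmt(*OPENSSL_FIXED)}")
    return findings


# Constructed sample banners, not taken from real hosts.
SAMPLES = [
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6b",
    "Apache/2.0.40 (Red Hat Linux)",
    "Apache/1.3.27 (Unix) mod_ssl/2.8.11 OpenSSL/0.9.6g",
    "Apache/2.0.43 (Unix)",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner, "->", audit_banner(banner) or "ok")
```

A banner only reports what the server advertises: distributions often backport fixes without changing the version string, so treat a finding as a prompt to check the installed package, not as proof of exposure.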
