The Apache Software Foundation has
rolled out a patch for versions of its popular Apache HTTP Server to fix a
potentially serious security flaw.
The buffer overflow flaw affects Apache httpd versions 1.3.26, 1.3.27,
1.3.28, 1.3.29 and 1.3.31, which were configured to act as proxy servers.
Apache httpd 2.0 and other versions of Apache httpd 1.3 are unaffected.
An Apache Week advisory said the buffer overflow can be triggered by
getting the mod_proxy feature to connect to a remote server and
return an invalid content-length.
The vulnerability is rated “important,” but the advisory warned that there
is the possibility that it could be exploited to run arbitrary code.
“If you are running an Apache Web server, we’d recommend that you take a look at
your configuration files and make sure that you have not inadvertently set
up an open proxy. If you do not need your server to act as a proxy server,
then make sure that the directive “ProxyRequests On” does not appear in your
configuration file,” Apache said.
The risk of code execution is high on older OpenBSD/FreeBSD distributions
because of the internal implementation of memcpy, which re-reads the
length value from the stack. On newer BSD distributions, it may be
exploitable because the implementation of memcpy will write three
arbitrary bytes to an attacker-controlled location, according to the
alert.
Linux and UNIX vendors, including Gentoo Linux, OpenBSD, Debian and Red
Hat, have all issued updates to protect against the Apache Server bug.