Apache hole puts millions at risk

Millions of websites are at risk from a potentially devastating security vulnerability in Apache that could allow malicious crackers to remotely execute arbitrary code on compromised servers.

According to the Computer Emergency Response Team's (Cert's) Co-ordination Centre the flaw, which centres on Apache's support for handling HTTP 1.1 chunk-encoded data, affects web servers running Apache code versions 1.3 through 1.3.24 and versions 2.0 through 2.0.36 on both Unix and Win 32 platforms.

In its latest security advisory, posted late on Monday, Cert warned: "For Apache versions 1.3 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers.

"Several sources have reported that this vulnerability can be used by intruders to execute arbitrary code on Windows platforms.

"Additionally, the Apache Software Foundation has reported that a similar attack may allow the execution of arbitrary code on 64-bit UNIX systems."

However, the advisory added that, for Apache versions 2.0 and later, the vulnerability is correctly detected and the malicious child process is terminated.

But Cert issued the following caveat: "Depending on a variety of factors, including the threading model supported by the vulnerable system, this may lead to a denial-of-service attack against the Apache web server."

Cert warned that a patch, currently circulating with the ISS advisory to fix this vulnerability, does not work.

Marc Maiffret, chief hacking officer at eEye Digital Security, warned that the implications of the Apache vulnerability are not confined to web servers.

"Barely anyone in the Windows world is going to sit and re-compile their Apache versions, especially with software like Oracle that also uses Apache," he said.

"ISS has left all these people in a very bad position. It is worse than that though. According to Apache the ISS source code patch does not even work."

Cert researcher Florian Weimer, from the University of Stuttgart, posted the following comment on BugTraq: "The patch that mentioned casting bufsiz from an int to an unsigned int failed to do a few things.

"There are two instances of the same code in http_protocol.c that need to be fixed, as both suffer from the same problem. And the cast to unsigned int was only done in comparison, and was not done in assignment, which could possibly lead to problems down the road with the int value."

The latest versions of Apache servers can be found at Apache's website.