Posted to dev@httpd.apache.org by ha...@deppeler.org on 2002/06/21 11:51:42 UTC
Re: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Concerning this vulnerability: is it safe to assume that a patched
reverse proxy will protect a vulnerable back end server from such
malicious requests?
cu - Harry
>>>>> "jwoolley" == jwoolley <jw...@apache.org> writes:
jwoolley> [[ Note: this issue affects both 32-bit and 64-bit
jwoolley> platforms; the subject of this message emphasizes 32-bit
jwoolley> platforms since that is the most important information
jwoolley> not announced in our previous advisory. ]]
jwoolley> SUPERSEDES:
jwoolley> http://httpd.apache.org/info/security_bulletin_20020617.txt
jwoolley> Date: June 20, 2002
jwoolley> Product: Apache Web Server
jwoolley> Versions: Apache 1.3 all versions including 1.3.24;
jwoolley> Apache 2.0 all versions up to 2.0.36; Apache 1.2 all
jwoolley> versions.
jwoolley> CAN-2002-0392 (mitre.org) [CERT VU#944335]
jwoolley> ----------------------------------------------------------
jwoolley> ------------UPDATED ADVISORY------------
jwoolley> ----------------------------------------------------------
jwoolley> Introduction:
jwoolley> While testing for Oracle vulnerabilities, Mark
jwoolley> Litchfield discovered a denial of service attack for
jwoolley> Apache on Windows. Investigation by the Apache Software
jwoolley> Foundation showed that this issue has a wider scope,
jwoolley> which on some platforms results in a denial of service
jwoolley> vulnerability, while on some other platforms presents a
jwoolley> potential remote exploit vulnerability.
jwoolley> This follow-up to our earlier advisory is to warn of
jwoolley> known-exploitable conditions related to this
jwoolley> vulnerability on both 64-bit platforms and 32-bit
jwoolley> platforms alike. Though we previously reported that
jwoolley> 32-bit platforms were not remotely exploitable, it has
jwoolley> since been proven by Gobbles that certain conditions
jwoolley> allowing exploitation do exist.
jwoolley> Successful exploitation of this vulnerability can lead
jwoolley> to the execution of arbitrary code on the server with
jwoolley> the permissions of the web server child process. This
jwoolley> can facilitate the further exploitation of
jwoolley> vulnerabilities unrelated to Apache on the local system,
jwoolley> potentially allowing the intruder root access.
jwoolley> Note that early patches for this issue released by ISS
jwoolley> and others do not address its full scope.
jwoolley> Due to the existence of exploits circulating in the wild
jwoolley> for some platforms, the risk is considered high.
jwoolley> The Apache Software Foundation has released versions
jwoolley> 1.3.26 and 2.0.39 that address and fix this issue, and
jwoolley> all users are urged to upgrade immediately; updates can
jwoolley> be downloaded from http://httpd.apache.org/ .
jwoolley> As a reminder, we respectfully request that anyone who
jwoolley> finds a potential vulnerability in our software reports
jwoolley> it to security@apache.org.
jwoolley> ----------------------------------------------------------
jwoolley> The full text of this advisory including additional
jwoolley> details is available at
jwoolley> http://httpd.apache.org/info/security_bulletin_20020620.txt
jwoolley> .
Re: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Posted by Graham Leggett <mi...@sharp.fm>.
harald@deppeler.org wrote:
> Concerning this vulnerability: is it safe to assume that a patched
> reverse proxy will protect a vulnerable back end server from such
> malicious requests?
I would imagine so, yes.
Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm
"There's a moon
over Bourbon Street
tonight..."
Re: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Posted by Igor Sysoev <is...@rambler-co.ru>.
On Fri, 21 Jun 2002 harald@deppeler.org wrote:
> Concerning this vulnerability: is it safe to assume that a patched
> reverse proxy will protect a vulnerable back end server from such
> malicious requests?
I think that even an unpatched Apache will protect the backend, since, like
all modules that deal with the client's body, mod_proxy does not support the
client's chunked requests. Of course, an unpatched frontend is still vulnerable.
Igor Sysoev
http://sysoev.ru
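
Added example, not part of the thread and not Apache or mod_proxy code: a sketch of the front-end behaviour Igor describes, where a request that declares a chunked (or any other) transfer-coding is refused before anything is relayed to the backend. The function names, the sample requests, the `backend.example` host and the 411/400 status codes are assumptions of this example.

```python
import re

# Constructed sample requests (not captured traffic); backend.example is a placeholder.
SAMPLES = {
    "plain_post": b"POST /app HTTP/1.1\r\nHost: backend.example\r\n"
                  b"Content-Length: 3\r\n\r\nabc",
    "chunked_post": b"POST /app HTTP/1.1\r\nHost: backend.example\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\n3\r\nabc\r\n0\r\n\r\n",
    "folded_mixed_case": b"POST /app HTTP/1.1\r\nHost: backend.example\r\n"
                         b"transfer-ENCODING: gzip,\r\n ChUnKeD\r\n\r\n",
    "two_lengths": b"POST /app HTTP/1.1\r\nHost: backend.example\r\n"
                   b"Content-Length: 3\r\nContent-Length: 30\r\n\r\nabc",
}


def parse_headers(raw):
    """Return [(lowercased name, value)] from the request head; ValueError if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        if line[:1] in (" ", "\t") and headers:  # folded continuation of previous value
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return headers


def screen(raw):
    """Decide whether the front end forwards the request: (forward, reject_status)."""
    try:
        headers = parse_headers(raw)
    except ValueError:
        return (False, 400)
    codings = [tok.strip().lower() for name, value in headers
               if name == "transfer-encoding" for tok in value.split(",") if tok.strip()]
    if codings:
        # The body length is not declared up front, so nothing is relayed.
        # 411 is this example's choice of status, not taken from the thread.
        return (False, 411)
    lengths = {value for name, value in headers if name == "content-length"}
    if len(lengths) > 1 or any(not re.fullmatch(r"[0-9]+", v) for v in lengths):
        return (False, 400)
    return (True, None)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, screen(raw))
```

As Igor notes, a check like this protects only what sits behind it; the front end that parses the request must itself be patched.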