IT Infrastructure - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  IT Infrastructure


Flaw Found in Apache HTTP Server



 By: Dennis Fisher
2002-06-17
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this IT Infrastructure story.


Rate This Article:
Poor Best
A buffer overrun vulnerability in the popular server enables an attacker to execute malicious code.

A buffer overrun vulnerability in the Apache HTTP server included with many popular Web servers enables an attacker to execute code on vulnerable machines.

The flaw lies in the way that the server handles data transmissions of unknown size. Typically, these transmissions are broken into "chunks" for easier handling. But Apaches HTTP server misinterprets the size of the chunks, which leads to an overrun of the heap memory, according to an advisory published Monday by Internet Security Systems Inc.s X-Force research team.

Resource Library:
The vulnerability can be exploited remotely by way of a carefully crafted invalid request to the server, and the flawed functionality is enabled by default. Exploiting the flaw could either lead to a denial of service on the machine or the execution of malicious code.

An attacker would only be able to execute code on 64-bit Unix systems and Windows machines, according to Apache. Exploiting the vulnerability on 32-bit Unix machines would crash the Apache HTTP server.

The Apache Software Foundations Apache Server Project, which maintains the open-source HTTP server, also issued a bulletin warning that all versions of Apache 1.3 are vulnerable, as are copies of version 2 up to 2.0.39.

However, versions 2.0 and later are not vulnerable to the remote execution of code, Apaches advisory said.

Apache is by far the most widely deployed Web server on the Internet, running on more than 50 percent of machines surveyed by Netcraft Ltd. Its HTTP server is included in products such as Oracle Corp.s 9i Application Server and IBM Corp.s WebSphere.

The Foundation said it was forced to release its advisory early—and without an available patch—because of ISS decision to publish its bulletin.

Related stories:

  • Apache Warning Fuels Security Feud
  • Review: Covalent Gets Apache Enterprise Ready
  • Review: Apache 2.0 Beats IIS at Its Own Game
  • IBM Apache Avoids Most Security Woes
  • Flaw Puts SQL Servers at Risk
  • More Security Coverage



      Reader Comments: Flaw Found in Apache HTTP Server
    >>> Be the FIRST to comment on this article!
     

     
     
    >>> More IT Infrastructure Articles          >>> More By Dennis Fisher
     


    • x}v6EW-ȶD<==Z$!)_:;/ξ>VMiɗNg-`U* w~vv ILȹk.lJvg9[D;;}.GP|gQP/2r=zR m)>M3i +4w5wGl&J{'AT{j" xL5 ΚM]ٚ7'x2 Xm$8d{=BeI-6 !%2?K;? ?*B=]2IXߦuɷ>S=2r3ݛXBT!|@J%h!1Qu ͟??|'fw^B(ƻF {iZvP;U{a5hw/@^cBȁY\nh=?T݉[m>){$-,w2M*-f;ȵ:9:k NZ]"Z3ˆ螥{ɧ55I `1l{`2I%$7 V.mqO$0/g`?Ķ|h9tq,r~^fz^u7]8YxiW%X愍EV6'>6O) |@ɤ:!Zdq}9e,f4öCٰo5RrXJyYrwwWӽmY[8~1_~wi޿]HQPwÑ;7@Qm+Iu]+i0^w: n.vtx/ȯ;YHM~c/DJ V,D>-ԁNֳP? uΑkQ2Z-_ Kj%٥~h$Ys)21,#uGҾ.:6ώ:Sdo̲1<ZMӀ Zvf#?Z׫ӓkION{Ws#+|r5M0\±:֪Vlxm~f[ dPp9Lwz/~8>]4.?u;Ǥ uXO'g.0domYn_H!)M|T|Y|ěE30 i2)=-8X@/@שS 74XliJuV!`F 0sa6 @kiFkPYT`k6R\ 9lb)6B̄H )&7R&,)|yBbrݠPPs>Χ+doF" 23~B(&pHqbNe1\a>pY<\OHwvz߆)WCKEhYf7-wIFꨦժ+YEe_U _p-~qj2B cLt/젨lA`:~gC|>5F$!|БdmxqZ.3+ЍEXn`΀hϰqp{ڭ.l=KpI}xX3mLP#AтMz>tT8]|2Z9ܹ L& z5I#ˋ0P6=xBe^~}¢1O[>ȁ=woouG &QsaPBx?ɜk) Dt=JIIL"D% T h4AGEENmbo$OHXVppT6ݞHwV*2ڹLX)QY,p[/ ͙JRd0u Q򍜈="`&Qea*0pRx5Q7mZ*lPP,`z?'+h5YQՙ9C:ׅ,G 3p#Eq"L)32,Xh&l:ʚ"T2u)Ln4Wl?}}Т‡qmzo![gShW(f ᠺ4S}52{B`a 32|dң%?p*JNC_jVzq}vMAV?Ry |;p‡9E#rUϚX 5<9.&B#57clBamhJ*:$,T4)špdzKwCݼ^`"é;hqNNRНB#@9zQ=/OUo-V<4Yo?JE[1TĿ+úZj'Hodko՜²93F]RYJKY$"6XRvӱϥ5ò =CM*&Io:Bn=آmT jrIjS#SOo^viz\N6`aPeQ@?R&a+Bڨ\NaOcwAsm0HwO\?618[xy4!%6$;~L cOѭ,h8)4jkzF of`׆ K ؈ÜҵfsKwʢ^]S4JZq>Om V!0\ |T30`-e?dϧ=)V}fAٰZQJ!I 6D ȸau-`byS]Wѹq@8|1B-g @mYT8F[/O#BMDd 38uTU˿\􆕟>:fc~A+p& >AkwYgȲJzxJrE}x.)J5w)` N 2׋|h :#X& ,#E .2 ʠ90 hȮ>\Rbr>+eT6)5*Ixm"Pˇ%Ŵ谢Xx}Sː 0gtWed-흧 IV/굘ЪZZs 8]et4? 9tc~y098g2-s'eH) gn-%s3/x 1{h'0c7\ +RUw5K)2)N<:`r]TՑn OQGA.C{a&:`JTndІ{egjڳt_KtwTI |qCW&{BdEzԲ':*5P6>*0nG-<֜H+?N#3hh 03-tpCUjʾ_ڋIWcg%h"QkF:FdDtΈ+6RNT:)f8՟oF*e-X[ў#WX tV ЛiQ~kV Նgy1/bIV`]r[|8.SoZ(18lv'< hr͵m7>Dv? sqOs~7pթTjVgHUWt[/ O6fQXyCG_TUeH4ỵVY0Ce 4v=.EZЋ i&!lئOl[e7M"3:p7n-*~2sřXy%V7$B|O<ݤ1p N,iۃ=$JS-RtqQR\JZVzϢ C.z'%-& veN6qaw?dB3[5^@M|CZOTK0u%hnzGSYqza\/#n/$h ހ1Mu0@lJm]d Tma?e$qjMn@uztS6ndUsVR$gI#&8=._EU2q{h7(۞jjfox< x4Hđ;wkʡnU b$U˚V*jȹe#gD)WjeeѓeO*'mWJ_0YHX9H(P+ YG۷BlpH75SXp| ^_HXXD>DQkf\{e"nxR*f#111u/x{~awoz}ՕݷS( -$P! WAhxa{I12$K~s28; %C.itL8q~_w8etzA;Qa^kq O4 }U\q@*V%}8:m~l1%z˾WMw$(XMp4q'^Y{{:9\; Y}:#4-dhD4|7΅qۻIsі zs=A n2HnBç]8S%j7 EW%'k; e{-&:}mF1џW`m %cAbakF+9eI'#$ubSPCO6.j?$i^3_{w jEpZISB9oթ-xOӆO|BAJ;DA2q?IkuYX[̘pIS:%ɹ$D=)jZ$jRSfj# $_2 I,v+2B:Tzs gaM6mn3jto6Dr0@u\e0 `q0D XY+oxta}XkI-jշUHN~'%6 XTz@0Hr倜b{~U߯Il{7s,#(s9c7<;NbG/syBO+f8YQ ,]:]7_!_zǜGoIM21B? Pݘ~zN`53 \cQ Suvp7߁؉ H*Ero5 W8J-sBܹXa*0q)~l?4ݙn9bEo@ZA.> @ 6̯> H-@V_ ޼=oQwp]9Qz AC~kM|3ry}l(=YhKxؕv{qOKn<]1hgvlLgI")Vz5w7}\8%/+Tx|11@7YU (f~\;pOʠcc}d<ݸw[f1viÉfwݷP/b{~cIU~(TR-.fO"J麇\v%(c]MT,^\RK>\ue OKt1ڬ/ۥ{HBĬhw2h\ٞo ?֘ '|ȞF8^jDC|Syg!,da}F0[)=)ΙdOB%7÷Fp7N Ϧf_ O%FJ-Q`mZ،9!/( ;a6 *|b \<U W_M7⎍zkQ$G |o(o&򽡎xk6) kNW&/6o).wi{\na'xQx7d\ڊ]aKn~ v/wilhx5daV،̳$tPKZ Lt4/tc4W, ]mKsQq-,IR)9[F@/56Cb4*WEv[-GҚƔj +~a hJ<PtسxΒ.>#Du{Aw/ VQ)]?|,+ubI-Dpv?|@E QbFu˨{py`fFaYYe"ԮC^f1PWG<0d(΁,lSCT+س8}%t({P6Δ1gavȃfAgVFM̍ w]m!6!i2Pq <&: ) \;M]1(doGqW{ζ.lX{$ENΨti/pR@괥~^Wr)j TGg leMu1K+Գ|.u_RUIS6e+h6&:s<& @40bu_)**9ny{>,m^&צAXnK֯lkjuS^j<՗tLx6A.06tm8.@=Hk~PdUmC^v)U_:R'0]`azL`EV*kJB8(LS@Vn۞*<9Ox55[&s-ϮxA":Kg t"%d"á vL9pE學K5sɲ;vʗ~dq$0spKKC%usEú鬙ci5oThh1:boK*}zJ< W}T1(D<cn%^Ω/0g|,70wF1I fq;}a6؇ops2/;)m~bi$ߩk4oyWVԊJKXLa*!"ܬކbDvt ~4qJ7.*`/L2bl> {I# A nn\uCN'$f:R۝cBr1uL ]{'H =|ఈE8,"`Nya-qϖTi>,?wIGg<}e}]LuчIw& x%/]#,mˤ H!^0@q5_߉<Ԋt f/0nK1?d3!^7&   " o|i_^LHxt3&7Zg3u]|&qWBxhEh/Z^)EH|Ҕ_p %Y3X8rj_jF臘onsJ3,CPB0-c tޢ(/ZGNJL9/t5<}>dU췵Gg-]I6 c5(rbl؆_ M&e։Ya+I錃ql J_NMgL4 kx*(Y03J7{Q rrpB'pM{XTsZdG|O_/Em/<{p}q˼ x-^Nړ5iİO` OX ъ#;Ћ]Tayj3"8 (C^PB^’+M=1Is9rMm @¸!~OZ O]c)I5+CAE!Lj<灠e3)t{0c2ΩTh,ZNx!Wȥ}L1zT%>%KZk^YJ+ȈznjtυƌGSj9椷 GTGB-JM`V~Ũ&@ mN_hCy<Vz^3s?e_n&,m'hzBRKo^@'ܬTMd- GܬG!x5<.ڢRqS| 7[+xt”᝜k]THp*Cף6:̽K$lMĀ,| Fs,2G *]{O~CyhEa>8>(9[˜ozpӸFT.jW ,b2 㽽WԘm$ "|pRlf 'B2 sF@Yj$DGP56:iYVK.n{0h_*K .P_[{mLw:K. `( MԘ:@ CO 2KE»"aK\vSf+Uֽ?#7,>Y \Zs4cד?/W}e_)aL$u"#:- Z KhdIED#ThbGF#& UϤ' 45aBx ld Dps=@HJ 1b10;a9`3bwښ)(X}|u.[? T6CĊ1gGiX$_@1R^H"qp) (bWU 7T,G,(ϏB5ij`SJTmn$|s ^I dF AuA"\dzwX<>)4oوxdf,EwN7`C'[5EY|ob{LgA~*Bb@Ԑ0(ˏIB uXRFB(s 2S'$ 323~> _F`p3W VjMOBӡRs]j%q"_]xCѠYU^*_ӄ^I+BI] / (HZ W{}K1u0 }a3brLufcٺ~"+"W68_u.9jw{x< Zӷptԭs;tܻtڹh_^u.L_ͮ,gHFYufvʂP{:ͅfUE MjV}Qv _AUvq 8Sރ^N9r hp)?Si}C(]~)4:坓BsS3r' _9埠Svywsi9s}s{9ϡ99y'EcN S~909{s#?0~9׃r?=/r qeW?W99~A .!>BǼrc~~sw y9{ _ wɹNr!(oYNoR8G9B(_*Uy@a uqS9@yJ*,c/s\- {);[?v.{'u CFWT=o /dmt4vkiAm {}yK/#ymoR@AQa! 3l?V\[[,Oнۺ{JJݓs+z`~H\]O%b}+r>VD=ןbMdG,E<mJ5faOd_<U=QǒGd .Ǒp۟=2\z[G4Q=P󯢻\pm⦠ϻL^W-akOW=M5.omG;yh#^][j7mOh1y}³2AC:*k6:5Q3[ ÈCs H00!|#ه^֪p3lc}x}u/[졳5J쓭? }ςo扄:I<w R+,^ ,)cع+jz"t=HåMH|3q 94l cG0_jYj ~ZV-~#\!a،`=bxsUUEVro VU+D`q9#Tx|Deiƫ9 C8b;hDŽ[ɖ(=^?&G'ް ^ŗ1S {7/Mu/*;KѯXʡ 1` HTROsgy=u] \XI 4;܅?]˱Mv7*m {{[d3MD 2Ehk䃿 tv85rh[Ìeނz<h-xqJ),#[ ot<\șPV=wnp.ވ'=o|8=;l؆"2 ]3EK~xR Hv25umo`x53v^b? T| 5{\6$DRg }J0~N:mv0A9DePީ!/[v2gR*4%NS xcEzV?ĵ \vH V&Lt>̂[OulÝgW (9|xw⢩ͽiצKu A]=_vs[=/'_vį-GyJ^St 7tlmb @J\} >mE73D*P} X^c 0У,:0%c8u vAѺ v7"aaNo0n,@~a ٝ뱊˶E=bYFEmhTѩYy˷TL\7gLTVc׶2 TLxI;s_@U =[?܋;}c\e Yf#ssuRdGB~Dda'Z/:?ʂg' Q aaɗvXY[D5R?g"Eӯ3={:n0~c^8q Q3|Jj ;ς ixUvXZ#`*F"ZvT"N$֊ I-9N*LX6^?rf *@˽ōm]Ng*a7<_h(E8yja."eW})IDy)///P>I*'\9ƕ)@Xqɩ8To>u+wbA; <] y逇T3uG<; Oo;{hT*ቋ۝g5ǽn*?#[7nxQW'RXFYzhI:v]NN:񞞝P7 rF˳`bhPl-jUz'1l5ɋmEgl3W'J^>۝wE^8%†mJHU&s)#KM_Z)M39Q/;&|Z2c{͵N_ l?D6*