Exploit Code Released for Apache Flaw

Just two days after several advisories warned of a serious vulnerability in the popular Apache Web server, a file containing exploit code for the flaw was posted Wednesday to several mailing lists and security sites.

The message was posted Wednesday afternoon by a member of the volunteer security team known as Gobbles Security. The message was sent to the Bugtraq and Vuln-Dev security mailing lists as well as to the Packetstorm site, which archives exploits.

The exploit code is for version 1.3.x of the Apache HTTP server and only works on machines running OpenBSD, according to the Gobbles message. In the e-mail, the author takes a shot at big security vendors, saying that the exploit code “was written for the community, and not just a few companies with deep pockets full of the big dollar.”

The Apache Software Foundation on Monday released new versions of the HTTP server to address the vulnerability. Versions 2.0.39 and 1.3.26 both fix the “chunked encoding” flaw that was announced Monday. Both versions are available at www.apache.org.

The Gobbles message also says the exploit code may not be sent to any “advanced warning” systems such as ARIS, the threat-management system sold by SecurityFocus, which maintains the Bugtraq and Vuln-Dev lists.

The Gobbles post also says, rather dramatically, that the Apache_scalp.c exploit is “very friendly and all scriptkids/penetration testers should be able to run it without any trouble. [May] God have mercy on our souls.”

Related Stories:

• Apache Warning Fuels Security Feud
• Review: Apache 2.0 Beats IIS at Its Own Game
• More Security Coverage