Saturday, April 3, 2010

Apache Vulnerability

  • The Apache Week tracks the vulnerabilities in Apache Server. Even Apache has its share of bugs and fixes.

  • For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20.

    • Long URLs passing through the mod_negotiation, mod_dir and mod_autoindex modules could cause Apache to list directory contents.

    • The concept is simple but requires a few trial runs.

    • A URL with a large number of trailing slashes:

      • /cgi-bin/////////////////////////// could produce a directory listing of the original directory.

The purpose of discussing these web server vulnerabilities is to highlight how ingenious attackers can be: by exploring the functionality of the various components, they are able to elicit unexpected and previously unknown behaviour from a piece of code. No matter how insignificant a security breach seems, it can have far-reaching implications if left unattended.
This is not the only issue in focus. Eliminating flawed coding practices and incorporating proper testing must also not be ignored as security measures.
In the Apache 1.3.20 Win32 case above, a client submitting a very long URI could cause a directory listing to be returned rather than the default index page. This was subsequently fixed in Apache httpd 1.3.22.

Threat
Some of the other vulnerabilities have been:

  • Remote DoS via IPv6: When a client requests that proxy ftp connect to an ftp server with an IPv6 address, and the proxy is unable to create an IPv6 socket, an infinite loop occurs, causing a remote Denial of Service. This has been fixed in Apache httpd 2.0.47.

  • Remote DoS with multiple Listen directives: In a server with multiple listening sockets, a certain error returned by accept() on a rarely accessed port can cause a temporary denial of service, due to a bug in the prefork MPM. This has been fixed in Apache httpd 2.0.47.

  • APR remote crash: A vulnerability in the apr_psprintf function in the Apache Portable Runtime (APR) library allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long strings, as demonstrated using XML objects to mod_dav, and possibly other vectors. This has been fixed in Apache httpd 2.0.46.

  • Basic Authentication DoS: A build system problem in Apache 2.0.40 through 2.0.45 allows remote attackers to cause a denial of access to authenticated content when a threaded server is used. This has been fixed in Apache httpd 2.0.46.

  • Line feed memory leak DoS: Apache 2.0 versions before Apache 2.0.45 have a significant Denial of Service vulnerability. Remote attackers can cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. This has been fixed in Apache httpd 2.0.45.

  • MS-DOS device names cause DoS: Apache versions before 2.0.44 on Windows do not correctly filter MS-DOS device names, which can lead to denial of service attacks and remote code execution. This has been fixed in Apache httpd 2.0.44.

  • Apache can serve unexpected files: On Windows platforms Apache could be forced to serve unexpected files by appending illegal characters such as '<' to the request URL. This has been fixed in Apache httpd 2.0.44.

  • Rewrite rules that include references allow access to any file: The Rewrite module, mod_rewrite, can allow access to any file on the web server. The vulnerability occurs only in certain specific cases of using regular expression references in RewriteRule directives: if the destination of a RewriteRule contains regular expression references, then an attacker will be able to access any file on the server. This has been fixed in Apache httpd 1.3.14.
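The request patterns described above (the long trailing-slash URI of the 1.3.20 Win32 bug, MS-DOS device names and the illegal '<' character in URLs) are easy to spot in an access log. The following is an added example, not code from the post or from the Apache project: it parses constructed Apache common-format log lines and flags requests matching those patterns. The slash-run and URI-length thresholds are assumptions chosen for illustration.

```python
import re

# Apache common/combined access-log line (the sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Reserved MS-DOS device names, which Windows resolves regardless of directory.
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"}
DOS_DEVICES |= {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

MAX_URI_LEN = 512                            # assumed threshold for a "very long URI"
TRAILING_SLASH_RE = re.compile(r"/{8,}$")    # assumed threshold: a run of 8+ slashes

def classify(uri: str) -> list[str]:
    """Return which of the post's probe patterns the request URI matches."""
    findings = []
    path = uri.split("?", 1)[0]
    if len(uri) > MAX_URI_LEN or TRAILING_SLASH_RE.search(path):
        findings.append("long-uri/trailing-slash directory listing probe")
    for segment in path.split("/"):
        # Windows treats "aux.txt" like the AUX device, so compare the name stem only.
        if segment.split(".", 1)[0].upper() in DOS_DEVICES:
            findings.append("ms-dos device name in path")
            break
    if "<" in uri:
        findings.append("illegal '<' character in request url")
    return findings

def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Parse log lines and return (client ip, uri, findings) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines that are not in the expected format
        findings = classify(m["uri"])
        if findings:
            hits.append((m["ip"], m["uri"], findings))
    return hits

# Constructed sample log: one benign request and three matching the patterns above.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Apr/2010:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1532
203.0.113.7 - - [03/Apr/2010:10:00:02 +0000] "GET /cgi-bin//////////////////////////// HTTP/1.0" 200 980
203.0.113.7 - - [03/Apr/2010:10:00:03 +0000] "GET /docs/aux.txt HTTP/1.0" 500 0
203.0.113.9 - - [03/Apr/2010:10:00:04 +0000] "GET /reports/q1.asp< HTTP/1.0" 200 411
"""

if __name__ == "__main__":
    for ip, uri, findings in scan(SAMPLE_LOG):
        print(f"{ip} {uri} -> {', '.join(findings)}")
```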
