Serious Vulnerability Uncovered in Apache 2.0
Download the authoritative guide: Data Center Guide: Optimizing Your Data Center Strategy
Download the authoritative guide: Cloud Computing: Using the Cloud for Competitive AdvantageRed Hat Director of Engineering and Editor of ApacheWeek Mark J. Cox Friday warned of an Apache 2.0 vulnerability which could allow an attacker to "inflict serious damage to a server, and reveal sensitive data."
The flaw, discovered by bug-hunter Auriemma Luigi, affects default installations of the Apache Web server in non-Unix platforms like Windows, OS2 and Netware. The flaw does not appear to affect Unix and other variant platforms, Cox said, though he noted that Cygwin users are likely to be affected. Luigi notified the Apache Software Foundation of the vulnerability on Wednesday. The flaw, which could allow an attacker to damage a server and reveal sensitive data, appears to affect all non-Unix platforms.
Additionally, Cox said a one-line workaround in the httpd.conf file will close the vulnerability. He said that prior to the first 'Alias' or 'Redirect' directive, simply add the following directive to the global server configuration:
- RedirectMatch 400 "\\\.\."
Cox noted that fixes for the vulnerability are included in Apache version 2.0.40, in addition to fixes for a number of less serious security flaws.
Both the Apache Software Foundation and Luigi plan to release more information in the coming weeks.
IT Solutions Builder TOP IT RESOURCES TO MOVE YOUR BUSINESS FORWARD
Which topic are you interested in?
What is your company size?
What is your job title?
What is your job function?
Searching our resource database to find your matches...