Guides
SHARE
Facebook X Pinterest WhatsApp

Apache HTTP Server Project Warns of Apache Flaws Being Exploited

Written By
thumbnail Ryan Naraine
Ryan Naraine
Nov 14, 2002
ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More



The Apache HTTP Server Project Thursday warned that several security holes in the Apache source code are being actively exploited on the Internet. It is urging IT managers to urgently upgrade to version 1.3.27 or 2.0.43 or higher.

The Apache HTTP Server Project warned Thursday that several security holes in the Apache source code are being actively exploited on the Internet. It is urging IT managers to urgently upgrade to version 1.3.27 or 2.0.43 or higher.

This is the second warning from the open-source project, which is used by more than 60
percent of Web servers on the Net. Because most of the vulnerable code is
shared between the Apache and Apache-Perl packages, the flaws are shared as
well, Apache warned.

The latest warning, posted on the BugTraq mailing list,
highlights a scoreboard memory segment overwriting vulnerability that could
lead to denial-of-service (DoS) attacks.

The vulnerability allows an attacker to execute code under the Apache UID
to exploit the Apache shared memory scoreboard format and send a signal to
any process as root or cause a local denial of service attack, Apache
warned.

Apache said the recent Linux/Apache/mod_ssl/OpenSSL slapper
worm continues to exploit a problem in the OpenSSLsource code and not a
problem specific to the Apache HTTP Server source code. Affected users are
urged to upgrade the OpenSSL library and not the HTTP Server.

“If you are running an SSL-enabled web server using OpenSSL, upgrade to at
least version 0.9.6e of OpenSSL and recompile all applications that use
OpenSSL,” the organization said.

Other vulnerabilities still being exploited on servers that haven’t been
upgraded include:

  • A cross-site scripting bug in the default 404 page of any Web server
    hosted on a domain that allows wildcard DNS lookups
  • Possible overflows in the utility ApacheBench (ab) which could be
    exploited by a malicious server
  • A race condition in the htpasswd and htdigest program that enables a
    malicious local user to read or even modify the contents of a password file
    or easily create and overwrite files as the user running the htpasswd (or
    htdigest respectively) program
  • htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allow local
    users to overwrite arbitrary files via a symlink attack
  • Several buffer overflows in the ApacheBench (ab) utility that could be
    exploited by a remote server returning very long strings
thumbnail Ryan Naraine

Ryan Naraine is a ServerWatch, eSecurity Planet, and eWEEK contributor.

Recommended for you...

thumbnail What Is a Container? Understanding Containerization
Guides
What Is a Container? Understanding Containerization
Allan Jay Monteclaro
Dec 14, 2023
thumbnail What Is a Print Server? | How It Works and What It Does
Guides
What Is a Print Server? | How It Works and What It Does
Nisar Ahmad
Dec 8, 2023
thumbnail 6 Best Linux Virtualization Software for 2024
Virtualization
6 Best Linux Virtualization Software for 2024
Allan Jay Monteclaro
Dec 7, 2023
thumbnail What Is a Network Policy Server (NPS)? | Essential Guide
Guides
What Is a Network Policy Server (NPS)? | Essential Guide
Allan Jay Monteclaro
Nov 29, 2023
ServerWatch Logo

ServerWatch is a top resource on servers. Explore the latest news, reviews and guides for server administrators now.

facebook
linkedin
rss
x

Company

About us Contact us Advertise with us

Categories

Servers Guides Hardware Virtualization OS Monitoring Storage

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information