DoS Vulnerability - Apache 2.x
Results 1 to 5 of 5

Thread: DoS Vulnerability - Apache 2.x

  1. #1
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852

    DoS Vulnerability - Apache 2.x

    I did a quick search of the forums and I didn't see this posted so I wanted to share this with any Apache web server administrators out there. I apologize if this has already been posted.

    I recieved this email from Watchguard Technologies Live Security Service on April 3, 2003. It concerns a possible Denial of Service vulnerability affecting Apache versions 2.x. Since the details are not being released until next Tuesday, everyone is encouraged to install the newest version of Apache beforehand.


    SUMMARY:
    Yesterday, the Apache Software Foundation released the latest
    version of Apache to correct security flaws, including a
    "significant" Denial of Service (DoS) vulnerability. Apache has
    delayed releasing the details concerning this DoS flaw until April
    8. However, in most cases hackers exploit Web-based DoS
    vulnerabilities to either crash your Web server or disrupt your
    Website. There is no direct impact on WatchGuard products.
    Administrators using Apache 2.0 through 2.0.44 on any platform
    should download, test, and install 2.0.45 as soon as possible,
    before April 8, 2003.

    EXPOSURE:
    According to the Netcraft Web Server Survey
    <http://www.netcraft.com/survey/>,
    Apache is the most popular Web server used to host Web pages on the
    Internet today.

    In an announcement <http://www.apache.org/dist/httpd/Announcement2.html>
    on April 2, the Apache Software Foundation described their latest
    Apache version (2.0.45) as primarily a security and bug fix release.
    They warn that Apache versions 2.0 through 2.0.44, running on any
    platform, are vulnerable to a "significant" Denial of Service (DoS)
    <https://www3.watchguard.com/archive/...ossary.htm#dos>
    flaw, as well as various information leaks in Apache's CGI scripts.
    However, the full details concerning these vulnerabilities have not
    been made public. The Apache Software Foundation has promised that
    David Endler of iDEFENSE will disclose the details concerning the
    DoS flaw on April 8, 2003.

    The Apache Software Foundation acted similarly in August 2002,
    releasing a patch
    <https://www3.watchguard.com/archive/...sp?pack=135164>
    with strong encouragement to users to install it immediately to fix
    a "serious" vulnerability, but offering no details on the nature of
    the flaw that the patch fixed. When the vulnerability was revealed
    <https://www3.watchguard.com/archive/...sp?pack=135169>, it
    was not only a severe security problem, but it was also exploitable
    very easily, which was why Apache withheld details until
    administrators had opportunity to install the patch. If Apache's
    past performance is an indicator of present performance, we assume
    you should install the current patch now, before exploit details
    fall into the hands of the public (and malicious hackers).

    In most cases, hackers can exploit Web-based DoS flaws to either
    crash or disrupt your Web server. If you administer an e-commerce
    Website, this kind of disruption can affect your company's bottom
    line and should be taken very seriously. We will update you with the
    full scope of Apache's vulnerabilities on April 8, pending David
    Endler's advisory.

    SOLUTION PATH:
    Apache administrators running versions 2.0 through 2.0.44 on any
    platform should download, test, and install version 2.0.45
    <http://httpd.apache.org/download.cgi> as soon as possible before
    Tuesday, April 8, 2003.


  2. #2
    can some body pls tell me what is that apachi ???

  3. #3
    er0k
    Guest
    apache is a web server application like microsofts (IIS) but much better. It allows you to "serve" things on the internet via ip or domain name (or both) with many extensions etc such as virtual hosts. www.apache.org for more details.

  4. #4
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    apache 2.0.46 was released Wednesday....

    http://httpd.apache.org/download.cgi

    The details of the DoS hae not been released by apache because they are not out in the public much yet.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  5. #5
    Senior Member
    Join Date
    Jul 2001
    Posts
    343

    Talking Apache Upgrade Reminder

    It is always a good idea to keep Apache updated...
    I just did on my WinXP Game box
    I had 2.45 now I have 2.46

    Mama did not raise a dummy, so I do not use IIS!!

    Thanks for the reminder....
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •