May 28th, 2003, 07:16 PM
Apache DoS Vulnerability
I don't know for sure if this is different than what was posted here a month ago (see thread ), but the Secunia Advisory was just released today so I assume it is new.
Here are some details:
Here is the full advisory: Secunia Advisory
Two vulnerabilities have been reported in Apache, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system or potentially compromise it.
1) The vulnerability can be exploited through "mod_dav" and potentially also other mechanisms. Successful exploitation can result in a DoS and may also allow execution of arbitrary code with the privileges of the web service according to a Red Hat advisory (see "Other References").
Versions 2.0.37 through 2.0.45 have been reported as vulnerable.
Apache Software Foundation states that further information regarding this vulnerability will be released on 30th May.
2) The vulnerability is caused due to an error in the basic authentication module and has been reported to affect versions 2.0.40 through 2.0.45 on Unix platforms. This can be exploited to cause a DoS, which makes Basic Authentication fail until the web service is restarted.
Successful exploitation requires that a threaded MPM (Multi-Processing Modules) is used.
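Added example, not part of the original post or the Secunia advisory: a shell check that maps the output of `httpd -v` and `httpd -l` onto the two version ranges quoted above. The function names and sample outputs are constructed for illustration, and it assumes a build is threaded unless `prefork.c` is compiled in.

```shell
#!/bin/sh
# Classify an Apache 2.0.x build against the two issues in the quoted advisory.
# Issue 1: 2.0.37 through 2.0.45. Issue 2: 2.0.40 through 2.0.45 with a threaded MPM
# (the advisory limits issue 2 to Unix platforms, which is where this runs).

# patch_level "<httpd -v output>" -> prints N for Apache/2.0.N, nothing otherwise
patch_level() {
    printf '%s\n' "$1" | sed -n 's|.*Apache/2\.0\.\([0-9][0-9]*\).*|\1|p' | head -n 1
}

# mpm_is_threaded "<httpd -l output>" -> success unless prefork.c is listed.
# Assumption: any MPM other than prefork is treated as threaded (conservative).
mpm_is_threaded() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*prefork\.c'; then
        return 1
    fi
    return 0
}

# check_apache "<httpd -v output>" "<httpd -l output>" -> one summary line
check_apache() {
    n=$(patch_level "$1")
    if [ -z "$n" ]; then
        echo "not-2.0.x"
        return 0
    fi
    issue1=no
    issue2=no
    if [ "$n" -ge 37 ] && [ "$n" -le 45 ]; then issue1=yes; fi
    if [ "$n" -ge 40 ] && [ "$n" -le 45 ] && mpm_is_threaded "$2"; then issue2=yes; fi
    echo "issue1=$issue1 issue2=$issue2"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_V='Server version: Apache/2.0.45
Server built:   Apr  1 2003 12:00:00'
SAMPLE_L_WORKER='Compiled in modules:
  core.c
  worker.c
  http_core.c
  mod_so.c'
SAMPLE_L_PREFORK='Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c'

check_apache "$SAMPLE_V" "$SAMPLE_L_WORKER"
# On a real host: check_apache "$(httpd -v)" "$(httpd -l)"
```

A vendor package that backports the fix can keep a version string inside these ranges, so treat a "yes" as a prompt to check the vendor's own advisory.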
May 28th, 2003, 08:47 PM
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
May 28th, 2003, 11:25 PM
I heard about those DoS and DDoS attacks but I don't know anything about them ... I wondered if somebody can help me .....
May 28th, 2003, 11:43 PM
DoS (denial of service) and DDoS (distributed denial of service) are attacks used by malicious *******s to "take down your net connection" or various other things, for instance in this case make Apache quit running. They can be used for further exploitation. I won't tell you how to DoS or DDoS someone but you can find out more about it here > www.whatis.com <- type in DoS or Denial of Service
Note that the explanation was simple rather than going into confusing details.
Yes, that's a patch for Red Hat users (i.e. RPMs) etc. Do you know of a patch that isn't in some sort of package manager? I.e. just the source?
May 30th, 2003, 03:14 AM
Apache 2.0.46 was released Wednesday....
The details of the DoS have not been released by Apache because they are not out in the public much yet.
"Ignorance is bliss....
but only for your enemy"