Apache update opens the door to a bigger threat

Printable View

October 23rd, 2004, 05:03 PM
moxnix

Apache update opens the door to a bigger threat

http://techrepublic.com.com/5100-626...tag=html.alert

Quote:

The Apache Software Foundation recently released a software update that fixed a number of problems but also introduced a dangerous new security threat.

There have been a number of recent Apache Web Server vulnerabilities that require the attention of administrators, security professionals, and Webmasters. The threats pose various levels of danger and some can be exploited remotely

The most recent vulnerability is a remotely exploitable threat that can allow an attacker to compromise access controls. This is being referred to as the �Satisfy� directory threat. You can see the original advisory here (scroll down to the description). The threat from this vulnerability is that some password-protected folders won�t be protected if you update to Apache version 2.0.51.

A locally exploitable buffer overrun vulnerability in the configuration file variable .htaccess (Bugtraq ID 11182, CAN-2004-0747) affects a large number of Apache 2.x versions and is found in most Linux versions, including Mandrake, SuSE, Red Hat, and others. This threat has caused a number of users to update to version 2.0.51, making a large number of systems vulnerable to the remotely exploitable Satisfy vulnerability described above.

To fix one problem, you have to potenually open yourself to another.
October 23rd, 2004, 05:05 PM
Spyder32

Quote:

To fix one problem, you have to potenually open yourself to another.

Point well taken, every single patch opens a gateway to a whole new slew of problems/vulnerabilities. Nice article, moxnix.
October 23rd, 2004, 05:28 PM
slarty

Just to make it clear to people:

- The "Satisfy" vulnerability only affects servers with specific complex authentication configurations, and even in the worst case scenario it only exposes private data, does not allow code execution or anything (unless combined with some other vuln)
- The Rewrite vulnerability only affects sites using the rewrite module - which is disabled by default and is used very rarely.
- The .htaccess code execution vulnerability is only an issue if users who are allowed to write .htaccess files are not allowed to execute arbritary code anyway. Most of them are, as they are allowed to create PHP or CGI programs or have shell access. It could of course potentially be used in an escalation exploit from some other vulnerability.

None of them is something I'd consider serious - although of course patching is a good idea. 2.0.52 has been released and is not vulnerable to any of them.

I have of course upgraded my server, even though I don't believe its configuration is affected by any of the above anyway.

Slarty