Apache 2.0 r00ted on NetWare, Windows, OS/2
An anonymous reader writes "A flaw in Apache 2.0's interpretation of the backslash delimiter allows for a remote r00ting on NetWare, Windows, and OS/2. InfoWorld has an overview; the attack was discovered by PivX's Auriemma Luigi, and he describes it in this technical document. I don't know whether there is such a thing as an OS/2 shop anymore, and most Microsoft shops probably run IIS, but Apache now ships as the default web server for NetWare 6, so Novell shops: Take note. A patch is available from Apache, and Luigi describes a workaround in his article."
The bug only provides information about the target server; that's not a root exploit last time I checked. Also, it's a repeat story.
Move along. Nothing here
In SOVIET RUSSIA the hot grits profit you!
Learn what, how to use apostrophes? ;-)
Seriously though, keeping on the bleeding edge of updates isn't always feasible. A lot of companies might be running third party software that is explicitly not supported unless you're running a particular version of Apache, or a particular version of the Linux kernel, C libraries, etc. (And likewise for Windows software, etc.)
Please be generous and accept that negligence isn't the only explanation for failure to keep up with the latest patches of all the major & minor components of a modern computer system...
DO NOT LEAVE IT IS NOT REAL