Apache Request Smuggling Vulnerability Found
An anonymous reader writes "Whitedust is reporting on an HTTP request smuggling vulnerability in Apache. The flaw apparently allows attackers to piggyback valid HTTP requests over the 'Content-Length:' header, which can result in cache poisoning, cross-site scripting, session hijacking and various other kinds of attack. This flaw affects most of the 2.0.x branch of Apache's HTTPD server."
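An added example, not from the article or from Apache's own code: a strict framing check of the kind a server or proxy can apply to refuse any request whose message length is ambiguous, since a front end and back end that disagree on where one request ends is what lets a second request hide inside the first. It goes beyond the Content-Length case in the summary to also flag a Transfer-Encoding header sent alongside Content-Length; the sample requests are constructed.

```python
# Added example (not from the article or Apache): a strict check for the
# ambiguous message-length framing that request smuggling relies on.
# The safe response is to refuse an ambiguous request rather than guess,
# the rule the HTTP specification later made explicit (RFC 7230).

def framing_problems(raw: bytes) -> list[str]:
    """Return the list of framing ambiguities found in one HTTP request head."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]          # drop the request line
    cl_values: list[bytes] = []
    te_present = False
    problems: list[str] = []
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append("malformed header line")
            continue
        name = name.strip().lower()
        value = value.strip()
        if name == b"content-length":
            # one header field may carry a comma-separated list of values
            cl_values.extend(v.strip() for v in value.split(b","))
        elif name == b"transfer-encoding":
            te_present = True
    if te_present and cl_values:
        problems.append("both Transfer-Encoding and Content-Length present")
    if any(not v.isdigit() for v in cl_values):
        problems.append("non-numeric Content-Length")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    return problems

# Constructed sample: two Content-Length values that disagree. A parser that
# honours the first sees an empty body and treats the trailing GET as a new
# request; one that honours the second swallows the GET as the POST's body.
SMUGGLE_ATTEMPT = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 0\r\nContent-Length: 38\r\n\r\n"
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
CLEAN_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(framing_problems(SMUGGLE_ATTEMPT))   # ['conflicting Content-Length values']
    print(framing_problems(CLEAN_REQUEST))     # []
```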
Well, Apaches have been defeated in the past. Millions of deaths. This project is here to keep the tradition. Kill the bug, John, kill the bug.
A Geek-Hunter job.
Why is this slashdot material?
/AC
It is old news, and if someone has an interest in security they should subscribe to the relevant lists.
I thought they renamed it Foghorn cuz it's a giant cock-up
> 2.0.x is very stable and production ready
It's not production ready at all! It's multi-threaded so it's never going to be reliable enough to use for a real system. A problem with one Apache thread will crash the entire server. With 1.3, the process is killed off. IIRC, Apache source defaults to installing 18 different add-on modules. If there's a problem with a module, the entire server will die. With 2.0, the kernel has to kill off the entire server. This is why Apache was multi-process in the first place. It's just that too many developers working on it now are too young to have learned from history. That and the kids like things that are whiz-bang. They don't give a damn about reliability.
I have about 200 web servers we maintain, and Apache 2.0 requires more than sixty(!) times the amount of handholding that 1.3 requires. We charge our 2.0 customers close to three times as much since they're so much more trouble. For some reason, quite a few customers don't mind downtime just so they can brag that they're using 2.x.
Why the hell do you have 300 non-stock versions of Apache on 3 or 4 different platforms? Apache is Apache on whatever platform; pick one and use it. And Apache supports modules, you know; you don't need to compile a custom Apache all the time, it just makes life difficult for no reason.