Slashdot Mirror


Serious Apache Exploit Discovered

bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit." Note: according to the advisory, this exploit is exclusive to Windows.

3 of 160 comments

  1. Re:Note: Apache ON WINDOWS by jedidiah · Score: 5, Insightful

    > The same bug in a module that ran on Linux would result in a remote root exploit.

    Really?

          ps -aef | grep apach

          root 3029 1 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start
          www-data 3072 3029 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start
          www-data 3073 3029 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start

    --
    A Pirate and a Puritan look the same on a balance sheet.
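
Added example, not part of the comment above or of Apache: a check over `ps -ef` output that confirms the privilege drop the listing shows, where only the parent process keeps root and every worker runs as an unprivileged account. The function names and the fourth sample line (PID 3999, a worker that kept root) are constructed for illustration.

```shell
# Constructed sample: the three ps lines quoted in the comment, plus one
# hypothetical misconfigured worker (PID 3999) that still runs as root.
SAMPLE_PS='root 3029 1 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3072 3029 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3073 3029 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start
root 3999 3029 0 08:11 ? 00:00:00 /usr/sbin/apache2 -k start'

# root_workers: read `ps -ef` lines (UID PID PPID C STIME TTY TIME CMD) on
# stdin and print the PID of every apache2/httpd process that runs as root
# AND whose parent is itself an apache2/httpd process. The parent is expected
# to be root (it binds port 80); a root child is a worker that never dropped
# privileges and would hand root to anyone exploiting a module bug.
root_workers() {
    awk '
        $8 ~ /(apache2|httpd)$/ {
            user[$2] = $1; ppid[$2] = $3; order[++n] = $2
        }
        END {
            for (i = 1; i <= n; i++) {
                pid = order[i]
                if (user[pid] == "root" && (ppid[pid] in user))
                    print pid
            }
        }'
}

# check_privdrop: exit status 0 when no worker runs as root, 1 otherwise.
check_privdrop() {
    bad=$(root_workers)
    [ -z "$bad" ] && return 0
    echo "apache workers running as root: $bad" >&2
    return 1
}
```

On a live host, run it as `ps -ef | check_privdrop`.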
  2. Re:Note: Apache ON WINDOWS by jedidiah · Score: 4, Insightful

    It doesn't matter if "its just as bad". It isn't a "root exploit". It's highly inaccurate to call it one.

    Muddling terms is how you end up with nonsense like not being able to tell programs from data.

    Distinctions are important for just this reason.

    Yes it still sucks.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  3. Re:Note: Apache ON WINDOWS by wastedlife · Score: 3, Insightful

    Apache does not run as Administrator on Windows. I'm afraid it is worse than that: it runs as LocalSystem, which is more analogous to root than Administrator is. Even if you configure the service to run as a different account, it requires the "Log on as a service" and "Act as part of the operating system" privileges. Might as well use LocalSystem.

    --
    Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"