Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious Apache Exploit Discovered

Posted by Soulskill on from the time-to-update dept.

bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit." Note: according to the advisory, this exploit is exclusive to Windows.

6 of 160 comments (clear)

  1. I was slightly worried, until I read this: by ipquickly · · Score: 2, Interesting

    Platform. Microsoft Windows

    But is this the final nail in the Apache 1.3 coffin?
    Now the boss is going to be upset even when you tell them your version is not vulnerable.

  2. Re:Note: Apache ON WINDOWS by Vectormatic · · Score: 2, Interesting

    PFew... for a second i was worried wether my centos VPS with tomcat (apache based, you never know), would be vulnerable to this Thanks for putting my mind at ease :)

    --
    People, what a bunch of bastards
  3. Always worried about reporting. by dannydawg5 · · Score: 3, Interesting

    At a place I used to work, one of my coworkers reported a simple potential security problem: the username for the admin account on all our machines is the same as the computer's name. This just eliminates one less thing for a hacker to figure out. He was accused of "snooping", whatever that means, and almost lost his job. The only thing that saved him is a higher-up with a brain.

    Whenever I hear a story about a person\firm reporting security risks, I am reminded of the story of my coworker, and I have heard too many similiar stories. It has trained to me keep my mouth shut about these problems.

  4. Re:Note: Apache ON WINDOWS by Malc · · Score: 2, Interesting

    Why would Apache run as an Administrator on Windows? Even IIS doesn't do that these days.

  5. Re:Note: Apache ON WINDOWS by Culture20 · · Score: 2, Interesting

    I bought a netbook last week and tried to get on the internet with it at my favorite bar; the bar's router had something wrong with it and Windows couldn't find the DNS server. There seemed to be no way to tell Windows networking what the server address was. Meanwhile, a woman with an iPhone had no trouble using the wifi there. With earlier versions of Windows I had no trouble specifying a DNS server, and the help system is no help at all.

    I'm more familiar with XP (which I know you can easily specify DNS with). Was this a Windows 7 Reduced Functionality for Netbooks (TM) version? I've noticed annoying things like that on my parents' computers. The worst is that "Users and Groups" is gone in the Computer Management MMC, so those tasks have to be done via command line. Windows 7 Enterprise is better than XP (wow, remote _and_ local IP settings and outgoing/incoming rules for Firewall? finally.), but the "home" versions are crippled in ways that make security difficult.

  6. Re:Note: Apache ON WINDOWS by nobodylocalhost · · Score: 2, Interesting

    Apache has to run as root at some point or else it can't bind to port 80. What you see from ps is after apache had setuid and forked. You can do the same thing in windows, but don't you agree it falls upon apache to do spawn processes as an unprivileged user? If you remember back in Apache 1 days, it was the same way in Linux, you had to run as root or load it as a plugin for inetd if you wanted to run it on port 80. I remember back in the days when we were using ipfwadm to forward all packets with server port 80 dest to port 8080 just so we could run Apache as a regular user. And even then it didn't work right all the time. In this specific case, I really don't see any reason to blame the OS.

    --
    Where is the "Ignorant" mod tag?