Mark J Cox [mjc@apache.org] egy levelet küldött a vuln-dev@ securityfocus levelezési listára, miszerint az Apache HTTP szerver 2.0-ás verzióiban egy jelentős hibát találtak, amelyet nem-Unix platformon lehet kihasználni. A hibát kihasználva a támadó károkat okozhat a szerver tartalmában, és érzékeny információkhoz juthat. A hiba az Apache szerver alap (default) telepítésekor jelentkezik.
Bejelentés:From: Mark J Cox [mjc@apache.org]
To: bugtraq@securityfocus.com, Full Disclosure [full-disclosure@lists.netsys.com], Vuln-Dev [vuln-dev@securityfocus.com]
Subject: Apache 2.0 vulnerability affects non-Unix platforms
Date: 09 Aug 2002 22:07:52 +0100
For Immediate Disclosure
=============== SUMMARY ================
Title: Apache 2.0 vulnerability affects non-Unix platforms
Date: 9th August 2002
Revision: 2
Product Name: Apache HTTP server 2.0
OS/Platform: Windows, OS2, Netware
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020809a.txt
Vendor Name: Apache Software Foundation
Vendor URL: http://httpd.apache.org/
Affects: All Released versions of 2.0 through 2.0.39
Fixed in: 2.0.40
Identifiers: CAN-2002-0661
=============== DESCRIPTION ===============
Apache is a powerful, full-featured, efficient, and freely-available Web server. On the 7th August 2002, The Apache Software Foundation was notified of the discovery of a significant vulnerability, identified by
Auriemma Luigi [bugtest@sitoverde.com].
This vulnerability has the potential to allow an attacker to inflict serious damage to a server, and reveal sensitive data. This vulnerability affects default installations of the Apache web server.
Unix and other variant platforms appear unaffected. Cygwin users are likely to be affected.
=============== SOLUTION ================
A simple one line workaround in the httpd.conf file will close the vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add the following directive to the global server configuration:
RedirectMatch 400 ".."
Fixes for this vulnerability are also included in Apache HTTP server version 2.0.40. The 2.0.40 release also contains fixes for two minor path-revealing exposures. This release of Apache is available at
http://www.apache.org/dist/httpd/
More information will be made available by the Apache Software Foundation and Auriemma Luigi [bugtest@sitoverde.com] in the coming weeks.
=============== REFERENCES ================
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0661 to this issue.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661