[NEWS] Apache 2.0 Vulnerability Affects non-UNIX Platforms

From: support@securiteam.com
Date: 08/10/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 10 Aug 2002 22:04:09 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Apache 2.0 Vulnerability Affects non-UNIX Platforms
------------------------------------------------------------------------

SUMMARY

Apache is a powerful, full-featured, efficient, and freely available Web
server. On 7 August 2002, The Apache Software Foundation was notified of
the discovery of a significant vulnerability, identified by
<mailto:bugtest@sitoverde.com> Auriemma Luigi.

This vulnerability has the potential to allow an attacker to inflict
serious damage to a server, and reveal sensitive data. This vulnerability
affects default installations of the Apache web server.

UNIX and other variant platforms appear unaffected. Cygwin users are
likely to be affected.

DETAILS

Vulnerable systems:
 * Apache HTTP server 2.0 through 2.0.39 (UNIX, Windows, and Netware)

Solution:
A simple one-line workaround in the httpd.conf file will close the
vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add the
following directive to the global server configuration:

   RedirectMatch 400 "\\\.\."

Fixes for this vulnerability are also included in Apache HTTP server
version 2.0.40. The 2.0.40 release also contains fixes for two minor
path-revealing exposures. This release of Apache is available at
<http://www.apache.org/dist/httpd/> http://www.apache.org/dist/httpd/

More information will be made available by the Apache Software Foundation
and <mailto:bugtest@sitoverde.com> Auriemma Luigi in the coming weeks.

ADDITIONAL INFORMATION

The information has been provided by <mailto:mjc@apache.org> Mark J Cox.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages