Re: Apache vulnerability checking

From: Toni Heinonen (Toni.Heinonen@teleware.fi)
Date: 06/24/02


Date: Mon, 24 Jun 2002 22:17:02 +0300
From: "Toni Heinonen" <Toni.Heinonen@teleware.fi>
To: "Syzop" <syz@dds.nl>, <vuln-dev@securityfocus.com>


> Anyway, I thought that when I'm sure it's an apache server
> ("Server: Apache blabla") and it crashes then it must be
> vulnerable. Is this always the case? This morning I received
> a mail from some admin who I had mailed and he told me they
> had already upgraded. Full server version:
> "Server: Apache/1.3.24 (Unix) (Red-Hat/Linux) mod_ssl/2.8.8
> OpenSSL/0.9.6b mod_perl/1.26"
>
> So my question is: has redhat changed something in the bad-
> chunked-encoding-detected-behavior in their backport or did
> this guy just forget to restart apache?

Indeed, Red Hat 7.2 carries Apache 1.3.22 and 7.3 has 1.3.23, and
probably for compatibility reasons the upgraded RPM didn't upgrade
Apache to 1.3.26, but simply patches the old version's chunked encoding
-code. So in essence it's the old, vulnerable version of Apache with a
patch. For instance, eEye's tool reports my patched RH7.2 server as
"vulnerable", because it only checks the server string, it doesn't try
to exploit the vulnerability.

See Red Hat's advisory:
http://rhn.redhat.com/errata/RHSA-2002-103.html

Notice, on RH7.2, the upgrade from apache-1.3.22-2.i386.rpm (base
system, or perhaps left from earlier upgrade) to
apache-1.3.22-6.i386.rpm. The Apache version remains the same, but the
RPM'd package version is upgraded.

-- 
Toni Heinonen, Teleware Oy
  Wireless +358 (40) 836 1815
  Telephone +358 (9) 3434 9123
  toni.heinonen@teleware.fi
  www.teleware.fi