
Researchers Report Major Security Flaw in Apache Server Windows Version

  • By David Hamilton, March 09, 2010

(WEB HOST INDUSTRY REVIEW) -- A serious vulnerability has been reported in the Windows build of the popular open source web server Apache HTTP Server (httpd.apache.org). It could let an attacker read potentially sensitive information, cause a DoS (Denial of Service) and, in the worst case, execute code on a vulnerable system.

The root of the problem is mod_isapi, a module shipped with the Windows build of Apache that implements Microsoft's Internet Server Application Programming Interface (ISAPI) so that Apache can serve ISAPI extensions (.dll modules) on Windows hosts. Unix and Linux builds do not include the module and are not affected. According to research from Australian IT security and risk management firm Sense of Security (www.senseofsecurity.com.au), a malicious user can trigger the flaw by sending a specially crafted request to an ISAPI extension and then resetting the connection: mod_isapi reacts to the reset by unloading the extension .dll from memory before the request that invoked it has finished. The function pointers that the request-handling code obtained from the extension remain in use, and when the published ISAPI functions are subsequently called they point at memory that has been freed, a dangling pointer that an attacker can abuse to run code of their choosing.

Sense of Security Labs' Brett Gervasoni has published proof-of-concept code for the vulnerability; it writes a text file (sos.txt) to the Apache working directory to demonstrate that code execution is possible. The flaw, tracked as CVE-2010-0425, affects the Windows builds of versions 2.2.0, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 2.2.9, 2.2.11, 2.2.12, 2.2.13 and 2.2.14. To correct the problem, administrators should upgrade to the latest version of Apache HTTP Server, currently 2.2.15, in which it is fixed. Windows installations that do not serve ISAPI extensions can also remove the exposure outright by not loading the module at all (commenting out its LoadModule line in httpd.conf), which is sound practice for any module that is not in use.

According to UK-based Internet services firm Netcraft (www.netcraft.com), Apache (in its various forms) is the most popular web server by far, accounting for 54.46 percent of hostnames.



Copyright © 2010 Web Host Industry Review. All rights reserved.