A security flaw in the popular Apache Web server could allow a malicious hacker to launch a denial of service attack or even take over a system on which the software is running, the Apache Software Foundation warned in an advisory Monday.
The flaw relates to the way the Web server parses uploaded data, and can cause the software to misinterpret the size of incoming chunks of data. It can be exploited by sending a carefully crafted request to the server, said the Foundation, which manages development of the open-source Apache products.
Affected are all versions of Apache 1.3 and versions of Apache 2 up to 2.0.36, the group said.
Advertisement: |
Exploiting the flaw successfully could help an attacker to stage a denial of service attack, making the server unreachable. In some cases an attacker could run code of his choice on a server, the Foundation warned.
One particularly vulnerable group are users running Apache 1.x on Microsoft Windows 2000 or Windows 2000 Server, according to security software vendor Internet Security Systems (ISS) of Atlanta, which issued a separate advisory Monday. An attacker targeting such a setup would likely be able to take control of the server, ISS said. In an e-mail, it characterized the hole as a "major" vulnerability.
The Apache Software Foundation said it is working on new software releases that will fix the flaw.
More than 63% of all Web sites run on an Apache Web server, according to Netcraft of England, which compiles such information. The flaw is similar to a vulnerability in Internet Information Server (IIS) that Microsoft warned of last week, ISS said.
The IDG News Service is a Network World affiliate.
RELATED LINKS
Apply for your free subscription to Network World. Click here. Or get Network World delivered in PDF each week.
Request a reprint or permission to use this article.
