First published: 16th November 2001
- Chunked encoding vulnerability
Requests to Apache 1.3 and Apache 2.0 can cause various effects
ranging from a relatively harmless increase in system resources
through to denial of service attacks and in some cases the ability
to be remotely exploited. (June 18th 2002).
- Security flaw found in mod_ssl and Apache-SSL
A buffer overflow has been found in mod_ssl in all versions prior to 2.8.7-1.3.23 (February 23rd 2002).
- Major vulnerabilities found in PHP
Major flaws have been found in the popular PHP scripting language
commonly used with Apache web servers. These flaws have been found in
the way PHP handles multipart/form-data POST requests. Each of these
flaws could allow an attacker to execute arbitrary code on the remote
system. All versions of PHP from 3.10 to 3.18 as well as 4.0.1 to
4.0.6 are vulnerable.
- mod_rewrite canonicalisation
mod_rewrite is a powerful module for Apache used for rewriting URLs on the fly. However, with such power come associated risks: it is easy to make mistakes when configuring mod_rewrite, and those mistakes can turn into security issues.
- How to check apache.org distributions
Using PGP or GPG it is easy to check the validity of an Apache distribution
you are downloading.
- Code Red requests for /default.ida
Don't panic if you see requests for the default.ida file in your
Apache access logs. These requests are from the Code Red Worm
designed to seek out vulnerable IIS servers.