TITLE: Apache Denial of Service and Potential System Compromise Vulnerabilities
READ ONLINE: http://www.secunia.com/advisories/8881/
CRITICAL: Highly critical
IMPACT: DoS, System access
WHERE: From remote
SOFTWARE: Apache 2.0.x
DESCRIPTION: Two vulnerabilities have been reported in Apache, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system or potentially compromise it.
1) The vulnerability can be exploited through "mod_dav" and potentially also other mechanisms. Successful exploitation can result in a DoS and may also allow execution of arbitrary code with the privileges of the web service according to a Red Hat advisory (see "Other References").
Versions 2.0.37 through 2.0.45 have been reported as vulnerable.
Apache Software Foundation states that further information regarding this vulnerability will be released on 30th May.
2) The vulnerability is caused due to an error in the basic authentication module and has been reported to affect versions 2.0.40 through 2.0.45 on Unix platforms. This can be exploited to cause a DoS, which makes Basic Authentication fail until the web service is restarted.
Successful exploitation requires that a threaded MPM (Multi-Processing Module) is in use.
SOLUTION: Upgrade to version 2.0.46: http://httpd.apache.org/download.cgi
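A defender's first question on reading this advisory is which of the two issues applies to a given build. The following is an added example, not part of the Secunia or Apache text: it parses `httpd -V` output (sample output constructed here; the `Server version:` and `APACHE_MPM_DIR` lines are assumed to appear in that form) and reports whether the build falls in the version ranges the advisory gives, whether the MPM is a threaded Unix MPM as vulnerability 2 requires, and whether it is at or past the fixed release.

```python
import re

# Affected version ranges as stated in the advisory (inclusive).
MOD_DAV_DOS_RANGE = ((2, 0, 37), (2, 0, 45))    # vulnerability 1 (mod_dav and possibly others)
BASIC_AUTH_DOS_RANGE = ((2, 0, 40), (2, 0, 45))  # vulnerability 2 (Unix, threaded MPM only)
FIXED_VERSION = (2, 0, 46)

# Unix MPMs in the 2.0 tree that use threads; prefork is the process-only MPM.
THREADED_UNIX_MPMS = {"worker", "perchild", "leader", "threadpool"}


def parse_httpd_V(output):
    """Return (version_tuple, mpm_name) from `httpd -V` text; either may be None."""
    version = mpm = None
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", output)
    if m:
        version = tuple(int(x) for x in m.groups())
    # Assumed: 2.0 builds print the MPM directory as a -D define, e.g. server/mpm/worker
    m = re.search(r'APACHE_MPM_DIR="server/mpm/([A-Za-z0-9_]+)"', output)
    if m:
        mpm = m.group(1)
    return version, mpm


def assess(output):
    """Map `httpd -V` output to the two advisory items; None fields mean 'could not tell'."""
    version, mpm = parse_httpd_V(output)
    if version is None:
        return {"version": None, "mpm": mpm, "mod_dav_dos": None,
                "basic_auth_dos": None, "fixed": None}
    in_range = lambda r: r[0] <= version <= r[1]
    return {
        "version": version,
        "mpm": mpm,
        "mod_dav_dos": in_range(MOD_DAV_DOS_RANGE),
        "basic_auth_dos": in_range(BASIC_AUTH_DOS_RANGE) and mpm in THREADED_UNIX_MPMS,
        "fixed": version >= FIXED_VERSION,
    }


# Constructed sample of `httpd -V` output for a 2.0.45 worker build.
SAMPLE = """Server version: Apache/2.0.45
Server built:   Apr  1 2003 12:00:00
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

On a live host, feed it the real output with `subprocess.run(["httpd", "-V"], capture_output=True, text=True).stdout` in place of `SAMPLE`.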
REPORTED BY / CREDITS: 1) David Endler 2) John Hughes
ORIGINAL ADVISORY: http://www.apache.org/dist/httpd/Announcement2.html
OTHER REFERENCES: https://rhn.redhat.com/errata/RHSA-2003-186.html
----------------------------------------------------------------------
Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
------------------------------------------------------------------------ ------
David Duhamel
http://home.nordnet.fr/~dduhamel/
AIM/iChat : dduhamel2001
Either this man is dead, or my watch has stopped!
(Groucho Marx)
Miniskirts are like opinion polls: they give you ideas but hide the essential.
