Apache Buffer Overflow Flaw Patched

by Ryan Naraine

A bug in the open source server puts some users at risk for arbitrary code execution.

The Apache Software Foundation Wednesday rolled out a patch for versions of its popular Apache HTTP Server to fix a potentially serious security flaw.

The buffer overflow flaw affects Apache httpd versions 1.3.26, 1.3.27, 1.3.28, 1.3.29 and 1.3.31, which were configured to act as proxy servers. Apache httpd 2.0 and other versions of Apache httpd 1.3 are unaffected.

An Apache Week advisory said the buffer overflow can be triggered by getting the mod_proxy feature to connect to a remote server and return an invalid content-length.

The vulnerability is rated "important," but the advisory warned of the possibility that it could be exploited to run arbitrary code.

"If you are running an Apache Web server, we'd recommend that you take a look at your configuration files and make sure that you have not inadvertently set up an open proxy. If you do not need your server to act as a proxy server, then make sure that the directive 'ProxyRequests On' does not appear in your configuration file," Apache said.
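The configuration check Apache recommends can be scripted. The following is an added example, not code from Apache or from the original article: it reports every enabled `ProxyRequests` directive in an httpd configuration and flags the server when its version is also on the affected list above. The function names and the sample configuration are constructed for illustration, and only the directive named in the article is checked.

```python
import re

# Versions the article lists as affected when configured as a proxy.
AFFECTED = {"1.3.26", "1.3.27", "1.3.28", "1.3.29", "1.3.31"}

def logical_lines(conf_text):
    """Yield (line_no, text) with backslash continuations joined, comments dropped."""
    buf, start = "", None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if start is None:
            start = no                      # first physical line of this directive
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).strip()
        if line and not line.startswith("#"):
            yield start, line
        buf, start = "", None

def proxy_requests_on(conf_text):
    """Return [(line_no, enclosing_section)] for each enabled ProxyRequests."""
    hits, sections = [], []
    for no, line in logical_lines(conf_text):
        if line.startswith("</"):
            if sections:
                sections.pop()
        elif line.startswith("<"):
            sections.append(line.strip("<>").strip())
        else:
            # Directive names and On/Off arguments are case-insensitive in httpd.
            m = re.match(r"(?i)proxyrequests\s+(\S+)", line)
            if m and m.group(1).lower() == "on":
                hits.append((no, sections[-1] if sections else "global"))
    return hits

def audit(version, conf_text):
    """Flag the server when the version is listed AND ProxyRequests is on."""
    hits = proxy_requests_on(conf_text)
    listed = version in AFFECTED
    return {"affected_version": listed, "proxy_on": hits,
            "flag": listed and bool(hits)}

# Constructed sample configuration (not taken from any real server).
SAMPLE = ("ServerName www.example.test\n# ProxyRequests On\n"
          "<IfModule mod_proxy.c>\nproxyrequests \\\n    on\n</IfModule>\n"
          "<VirtualHost *:8080>\nProxyRequests Off\n</VirtualHost>\n")

if __name__ == "__main__":
    print(audit("1.3.29", SAMPLE))
```

The commented-out directive is ignored, while the lower-case, line-continued one inside the `IfModule` section is reported with the line number where it starts.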

The risk of code execution is high on older OpenBSD/FreeBSD distributions because of the internal implementation of memcpy, which re-reads the length value from the stack. On newer BSD distributions, it may be exploitable because the implementation of memcpy will write three arbitrary bytes to an attacker-controlled location, according to the alert.

Linux and Unix vendors, including Gentoo Linux, OpenBSD, Debian, and Red Hat, have all issued updates to protect against the Apache Server bug.

This article was originally published on internetnews.com.

This article was originally published on Thursday Jul 1st 2004