There have been a number of recent Apache Web Server
vulnerabilities that require the attention of administrators, security
professionals, and Webmasters. The threats pose various levels of danger and
some can be exploited remotely.
The most recent vulnerability is a remotely exploitable
threat that can allow an attacker to compromise access controls. This is being
referred to as the “Satisfy” directory threat. You can see the original
(scroll down to the description). The threat from this vulnerability is that
some password-protected folders won’t be protected if you update to Apache
A locally exploitable buffer overrun vulnerability in the
configuration file variable .htaccess (Bugtraq ID 11182, CAN-2004-0747)
affects a large number of Apache 2.x versions and is found in most Linux
versions, including Mandrake, SuSE, Red Hat, and others. This threat has caused
a number of users to update to version 2.0.51, making a large number of systems
vulnerable to the remotely exploitable Satisfy vulnerability described above.
A vulnerability in the apr-util library (apache 2.0.50 and
earlier), specifically the IPv6 URI parsing routine (CAN-2004-0786)
can trigger a denial of service event, or worse.
You can find a list of all recent Apache vulnerabilities here on Secunia.com.
The Satisfy directive vulnerability (CAN-2004-0811)
is only found in Apache version 2.0.51.
The .htaccess buffer overrun vulnerability affects all
Apache 2.0.50 and earlier versions.
The IPv6 URI parsing vulnerability is found on Apache
versions 2.0.35 through 2.0.50.
The Satisfy directive is rated moderately critical. When
you update to the affected version (Apache 2.0.51), some of the previously password-protected
directories will no longer be protected and can be accessed remotely by
The .htaccess buffer overrun is a moderate threat and is
mostly of interest because it caused so many managers to update to the 2.0.51
version that led to the more serious Satisfy vulnerability.
The IPv6 URI parsing vulnerability is a moderate to
moderately critical vulnerability because there are some unconfirmed reports
that, in addition to the DoS threat, it may also allow remote attackers to run
random code on BSD systems. This threat also led managers to upgrade to Apache
version 2.0.51, which turned out to contain the more serious Satisfy vulnerability.
directive—this threat only applies if you have updated to version 2.0.51.
buffer overrun—this can only be exploited locally.
URI parsing vulnerability—this is probably only a moderate or low-level
threat to most Linux and UNIX systems, but there is a significant
possibility that it can allow remote code execution on BSD systems.
is a patch
available for the Satisfy merging vulnerability. Apache.org has also
recently released a new version, 2.0.52, and updating to that version will
eliminate the Satisfy threat.
buffer overrun—skip version 2.0.51 and update to
URI parsing vulnerability—there are patches available from Apache.org or
you can skip version 2.0.51 and update to version 2.0.52.
It’s interesting that this recent series of Apache threats
included two relatively low-level vulnerabilities, both so widespread that they
caused a number of managers to upgrade to the then latest Apache version
2.0.51, which turned out to have a considerably more dangerous vulnerability,
causing another round of patches or updates.
I’m not specifically picking on Apache because the same
thing happens all the time with Microsoft updates that must be quickly patched,
but it should remind open source adopters that they are vulnerable to the same
sort of patch, update, and patch again problem that famously plagues Microsoft software.
Also watch for…
are three recently reported vulnerabilities found on most versions of
RealPlayer and Helix player, the popular multimedia content utilities. The
threat can allow remote attackers to access, modify, and delete local
files on vulnerable systems. The list of affected versions is extensive
and includes the Enterprise edition, so any users or managers responsible
for systems with RealPlayer installed should check out the vendor
report and update where necessary.
is a new threat mitigation
guide for managers upgrading systems to Windows Server 2003 but who
must continue to support some NT and Windows 98 systems connected to the
wish you could easily obtain new Microsoft programs to test for possible
compatibility or other problems? Take a look at the Microsoft Trial Software
Center, which lets you download or order copies of demo versions of lots
of Microsoft software. Server trial versions are good for 120 days or
longer and you can upgrade a trial installation to a licensed version. For
those who prefer not to download gigantic files, the cost on CD ($8 for
most discs) is quite modest. (Sorry, the trial of Age of Empires II is only
available as a download.)
Beagle/Bagle worm is rearing its ugly little head again and TechRepublic
has a newly available chart to
download to help you deal with it.
number of mergers have recently taken place in the security vendor
industry, narrowing your choice of products. TruSecure and Betrusted, for
example, are now Cybertrust, a merged company. Symantec has purchased
@Stake. For an independent look at recent security news you can continue
to rely on this column as well as our new site for breaking security news,