A serious flaw in the popular Apache Web server can lead to loss of data, crashed servers, and the revelation of confidential data, according to a vulnerability note published by Apache.org.

The problem is apparently found only in the new Apache version 2.0, so if you haven’t upgraded, you may not be affected. However, that may not be a completely safe assumption, and you should probably consider updating to the repaired version, which is already available.

Making use of this vulnerability, an attacker could view and download any file on the affected server as well as run any arbitrary code, which, of course, makes this about as serious as any flaw can get.

Applicability—all non-UNIX platforms using Apache 2.0
Although this problem doesn’t affect UNIX and Linux variants, it does apply to more than just Microsoft Windows platforms. You should check it out even if you are running NetWare or OS/2 (both of which are definitely vulnerable) or any other non-UNIX platform. The original Bugtraq announcement states that the flaw affects any systems that support backslash paths.

The versions of Apache that are vulnerable include all releases of 2.0 through version 2.00.39.

Linux/UNIX administrators are also being urged to update their Apache software even though this particular threat doesn’t appear to apply to their systems.

Risk level—critical
This vulnerability can open up a server to serious damage. According to an online report from PC World, this is exactly the sort of flaw that made the Code Red and Nimda worms possible.

Fix—patch and update
There are two fixes. First, you can apply a quick-and-dirty patch as follows, according to the report published by The Register:

Add the following line to the httpd.conf file before the first “Alias” or “Redirect” directive:
RedirectMatch 400 “\\\.\.”

That quick fix is echoed at the Apache.org site and apparently came from the researcher who discovered and reported the flaw to Apache.org, since it’s in his Bugtraq announcement. Be sure to double-check the code reproduced here before applying it.

A permanent fix is to upgrade your Apache installation to version 2.0.40 or later. See the Apache site for the upgrade links.

Not much information is available about this threat yet, but Apache.org promises more details later. Here is Apache’s official disclosure of this threat.

The most detailed information has been provided by the discoverer, Auriemma Luigi, a researcher who works for PivX Solutions.

The Mitre vulnerability designation is CAN-2002-0661, and it is described there as a “directory transversal vulnerability.” The Mitre CVE List provides a standard way of designating and naming vulnerabilities so everyone knows which threat is being discussed.

Mitre lists the following references for the threat:

Final word
This is a serious flaw, but Apache.org was right on top of the problem. The people who discovered this vulnerability, Newport Beach, CA-based PivX Solutions, reported it to Apache.org and began working with Apache on Aug. 7, according to the PC World story. The actual upgrade was made available on Aug. 16 in conjunction with the announcement of the discovery.

Apache.org acted quickly, but no one can fix such problems instantly. All it can do is work with responsible companies that uncover such threats and attempt to coordinate the announcement with the release of the patch or update. Apache.org reacted quickly and PivX Solutions acted responsibly in delaying its announcement until a new version of Apache was available.

PivX also discovered another minor flaw, one that could lead to the disclosure of some relatively unimportant server owner information, but this is also fixed in the latest Apache release.

One word of caution: Whenever people see that Windows systems are vulnerable to some flaw and Linux/UNIX isn’t, they tend to skip over the details if they run Linux and/or UNIX. In this case, the problem has nothing directly to do with Windows code, and this vulnerability is not limited to Windows-based systems but also applies to NetWare and OS/2 platforms. It isn’t a threat due to a fault in Windows code; rather, the problem lies in the fact that the backslash character isn’t properly checked as a bad char in the Windows version of Apache.

And while Apache.org says that it believes the UNIX versions aren’t affected, you should still keep an eye on this threat for a week or two for any updates, and perhaps even consider updating Linux/UNIX systems to the latest Apache release.