Webmasters using Apache are being encouraged to patch their servers immediately against a vulnerability inherent in recent versions of the popular Web server software.
Apache.org released updates (Apache 2.0.39 and Apache 1.3.26) to the Web server software, repairing the vulnerability, on June 19.
CERT (the Computer Emergency Response Team/Coordination Center) has reported that an exploit to attack the security hole recently identified in the popular Apache Web server bundled with Mac OS X Server is circulating on the Internet.
Notes on CERT’s Web site confirm that Apple has been informed of the existence of the vulnerability. More information should be available from that company for Webmasters subscribed to Apple’s security bulletins.
Apple has a policy of: “Not disclosing, discussing or confirming security issues until a full investigation has occurred, and any necessary patches or releases are available.” This is to protect its customers, the company says.
Worm
A hacking tool makes attacking the vulnerability easier. Its existence makes the possibility of a worm that targets vulnerable systems more likely.
In theory, the weakness could allow an attacker to take control of an affected Web server. Because of a flaw in the way Apache handles uploads, an attacker could send a specially formed request to the server, and cause it to deny service to legitimate users – or take the system over.
Around 56 percent of Web servers on the Internet use Apache, according to data from Web server monitoring firm Netcraft (May 2002).
Despite the presence of a security hole, Internet security specialist SecurityFocus “hasn’t seen increased attack activity” focused on Apache systems.
Though the information released on Wednesday relates only to Apache installations running on the OpenBSD operating system, “it isn’t a monumental task for someone to modify it to work with other operating systems,” a SecurityFocus representative confirmed.
Affected Apache versions include 1.3.23, the most up-to-date version about which information is easily available on Apple’s Web site. For this version, the vulnerability may allow the execution of arbitrary code by remote attackers.
Users should patch their systems immediately and check with vendors for more information. Macworld UK has contacted Apple to ascertain if more details are available specifically for its customers.