24 June 2002 A patch released by the Apache Software Foundation – intended to fix an earlier flaw discovered in some Apache web servers – is also flawed.
To illustrate the flaws, a group called Gobbles Security has designed some tools to better exploit the weaknesses in the Apache servers and posted them up on the Security Focus Bugtraq bulletin board. “We had read too much bullshit from ‘experts’ concerning the bug, and their idiotic statements as to why it isn’t exploitable and how lucky the world is because it wasn’t exploitable,” a spokesman for Gobbles told SecurityFocus.
The hackers’ aim was to show that, despite the patch issued by the Apache Software Foundation, it is still perfectly possible to exploit the faults exposed on the Bugtraq web site last week. The flawed fix will have made matters worse by alerting hackers to the hole in the Apache servers, which was found in the 1.x and 2.x versions of Apache on both Microsoft WindowsNT/2000 and Unix operating systems.
The open source Apache web server is developed and distributed by the Apache Software Foundation, headquartered in Forest Hill, Maryland. Approximately 60% of web servers run Apache. The Apache Software Foundation itself has recognised the seriousness of the threat.
A statement on www.apache.org says: “Successful exploitation of this vulnerability can lead to the execution of arbitrary code on the server… This can facilitate the further exploitation of vulnerabilities unrelated to Apache on the local system, potentially allowing the intruder root access.”
The software developer, which urges users to take preventative action immediately, adds: “The risk is considered high.”