Apache bug prompts update advice

Apache bug prompts update advice

Summary: IT security company Sense of Security has discovered a serious bug in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database.

SHARE:
TOPICS: Security
13

IT security company Sense of Security has discovered a serious bug in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database.

Apache website screenshot

Apache website
(Screenshot by Colin Ho/ZDNet.com.au)

Discovered by the company's security consultant Brett Gervasoni, the vulnerability exists in Apache's core "mod_isapi" module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security.

Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit.

According to Sense of Security spokesperson Jason Edelstein, Apache is one of the most popular pieces of web server software used today and the vulnerability was one of the most significant bugs in Apache for years.

"The vulnerability means that you can take complete control of the web server remotely with system privileges — which is the highest privilege on Windows," Edelstein told ZDNet.com.au. "An attacker could gain access to, modify and take away data."

Edelstein advised users running Apache on Windows platforms to upgrade immediately as users have no way of knowing if their web servers have been compromised. The company's security advisory can be accessed here.

"Whilst in the past it was more overt and attackers would deface website pages, they're more likely now to conceal their access to maintain their foothold," said Edelstein, giving examples of attackers potentially exploiting the vulnerability by placing hidden pieces of code to capture credit card details from online transactions and install root kits on compromised websites.

"The latest version is not vulnerable," said Edelstein.

He added that an attacker would need a high degree of technical know-how to successfully exploit the vulnerability.

"You'd need to write a piece of code, a high level piece of code, which is quite difficult to create, and find a condition in the web server," said Edelstein.

"A proof of concept remote exploit has been written by Sense of Security, and it is feasible that others could write a similar exploit to completely compromise a Windows system," said Brett Gervasoni.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • Windows bug prompts Apache update advice

    Shouldn't that be a bug in the underlying Operating System, Microsoft Windows. And wouldn't this be a good time for an article on the defective memory management model on the Wintel PC ?
    anonymous
  • Apache bug prompts update advice

    mod_isapi is an Apache on Windows module. The story should be updated to state that Apache users running Windows should update. I would venture that most Apache installations are not running on Windows.
    anonymous
  • Er, no

    It's a problem with Apache, hence the need to update Apache.

    Any piece of software can potentially compromise any OS if it's not written correctly. By the sounds of it, this isn't exactly easy to exploit either.

    You must be an Apple fanboi, because Linux fanbois normally know what they're talking about.
    anonymous
  • very misleading

    I was halfway through the article, getting ready to go update apache on a couple of servers, before you happened to mention that this only affects Windows...

    Title change, please? Or at least in the first line?

    Thanks.
    anonymous
  • Apache exploit

    Great video and POC to go with this advisory. Makes it look all too simple.
    anonymous
  • Why cant people read for themselves?!?!

    To the post who was "ready to go update apache" on the basis of a headline and an opening paragraph ... how did you become a sysadmin???
    Do you normally start updating servers based on so little information - funny stuff honestly.
    anonymous
  • Media Hype

    Apache running on Windows Server with "mod_isapi" enabled.......

    I doubt you would find may hosts running Apache on Windows to support isapi modules.

    This issue might be worthy of a news story/SOS advertisement if the vulnerability was present in something that is actually used.
    anonymous
  • yes media hype although

    We run multiple Apache servers using mod_isapi for custom applications.
    anonymous
  • Code available on Metasploit

    The vulnerability is now available in Metasploit so it's now very easy to exploit. Thanks SOS ! ;-)
    anonymous
  • hmm...

    You obviously have no idea how apache works on Windows.. it is pretty common
    anonymous
  • Apache at fault? I think not.

    From the mod_isapi home page: http://httpd.apache.org/docs/2.0/mod/mod_isapi.html

    "ISAPI extension modules (.dll files) are written by third parties. The Apache Group does not author these modules, so we provide no support for them. Please contact the ISAPI's author directly if you are experiencing problems running their ISAPI extension. Please do not post such problems to Apache's lists or bug reporting pages."
    anonymous
  • RE: Apache at fault? I think yes

    Its not talking about ISAPI modules. Its talking about mod_isapi itself, a core module of Apache 2
    anonymous
  • Read the whole document.

    You should read the whole document first next time!
    anonymous