Apache flaw opens systems up to attack

IT security company Sense of Security has discovered a serious bug in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database.

The vulnerability, discovered by the company's security consultant Brett Gervasoni, exists in Apache's core "mod_isapi" module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security, Sense of Security said in an advisory on Friday.

Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit.

"The vulnerability means that you can take complete control of the web server remotely with system privileges — which is the highest privilege on Windows," Sense of Security spokesman Jason Edelstein told ZDNet UK's sister site ZDNet Australia. "An attacker could gain access to, modify and take away data."

For more on this story, see Apache bug prompts update advice on ZDNet Australia.