SGI warns of Web server vulnerability

Silicon Graphics (SGI) machines running the Apache Web server on SGI's IRIX operating system are vulnerable to attack by hackers, who may be able to gain administrator-level access, the company has warned.

The company makes machines used for everything from scientific research to movie special effects, and many are used by government and defence organisations. The two new flaws, originally announced on Friday, affect IRIX versions 6.5.12, 6.5.13 and 6.5.14 running Apache versions prior to 1.3.22. IRIX is SGI's proprietary version of the Unix operating system, while Apache is an widely used open-source Web server, which is installed and enabled by default on IRIX.

One vulenerability was found in Apache's split-logfile program, a tool used to manage system files called logfiles. SGI said that if the feature is turned on, a specially crafted request could allow any file with a .log extension on the system to be written to, which could be used to give an attacker full access to the system. Split-logfile is not turned on by default.

The second bug was found in Apache's Multiviews facility, which is used for customising the way content is presented to Web browsers. In some configurations, it is possible to enter a specially formed query to return a directory listing, which could allow an attacker to discover the locations of sensitive files on the system.

SGI hasn't released a patch for the flaws, but instead recommends that users upgrade to an operating system newer than 6.5.14, which includes a newer version of Apache in which the problems have been resolved. If the software can't be upgraded immediately, the company recommends disabling Apache.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.