Vulnerable Apache Server
Overview of security vulnerabilities in Apache httpd 1.3 (ApacheWeek and FedCIRC)
Vulnerabilities exist in the 1.3.xx versions of Apache Web Server.
These vulnerabilities may affect the Unix version, the Win32 version,
or both. NOTE: A few operating system vendors, notably RedHat, refuse to
upgrade the version number of Apache (as read from the Server header of the
HTTP/1.1 response) when they patch the software. This has three negative impacts:
- Most network scanners will flag it as vulnerable
- Malicious users will be attracted to it as it appears vulnerable
- Configuration accounting becomes more complicated for administrators
Consequently, we recommend that the upgrade be performed from the product's
site (www.apache.org).
Apache httpd 1.3.24
FedCIRC reports that all versions of Apache 1.3 are vulnerable to an exploit
that can enable a malicious user to access the server machine as
the web server user.
(FA-2002-17)
Fixed in Apache httpd 1.3.24
Win32 Apache Remote command execution CAN-2002-0061
Apache for Win32 before 1.3.24 and 2.0.34-beta allows remote attackers to execute arbitrary commands via parameters passed to batch file CGI scripts.
Fixed in Apache httpd 1.3.22
Requests can cause directory listing to be displayed CAN-2001-0729
A vulnerability was found in the Win32 port of Apache 1.3.20. A client submitting a very long URI could cause a directory listing to be returned rather than the default index page.
split-logfile can cause arbitrary log files to be written CAN-2001-0730
A vulnerability was found in the split-logfile support program. A request with a specially crafted Host: header could allow any file with a .log extension on the system to be written to.
Multiviews can cause a directory listing to be displayed CAN-2001-0731
A vulnerability was found when Multiviews are used to negotiate the directory index. In some configurations, requesting a URI with a QUERY_STRING of M=D could return a directory listing rather than the expected index page.
Fixed in Apache httpd 1.3.20
Denial of service attack on Win32 and OS/2
A vulnerability was found in the Win32 and OS/2 ports of Apache 1.3. A client submitting a carefully constructed URI could cause a General Protection Fault in a child process, bringing up a message box which would have to be cleared by the operator to resume operation. This vulnerability introduced no identified means to compromise the server other than a possible denial of service.
Fixed in Apache httpd 1.3.19
Requests can cause directory listing to be displayed CAN-2001-0925
The default installation can lead mod_negotiation and mod_dir or mod_autoindex to display a directory listing instead of the multiview index.html file if a very long path is created artificially by using many slashes.
Fixed in Apache httpd 1.3.14
Rewrite rules that include references allow access to any file CVE-2000-0913
The Rewrite module, mod_rewrite, can allow access to any file on the web server. The vulnerability occurs only with certain specific cases of using regular expression references in RewriteRule directives. If the destination of a RewriteRule contains regular expression references then an attacker will be able to access any file on the server.
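The primary fix for this issue is the upgrade to 1.3.24 (or later) listed above. Independently of the version, the shape of rule the advisory describes can be tightened in configuration. The following is an added example, not configuration from the advisory or from the Apache project: the /data/ URL prefix and the /srv/www/data directory are assumed for illustration, and the commented-out rule shows the unconstrained back-reference pattern beside a constrained form.

```apache
# Added example (not from the advisory). The /data/ URL prefix and the
# /srv/www/data directory are assumptions for illustration.

RewriteEngine On

# Weak shape: the capture is unconstrained, so everything after /data/ is
# substituted verbatim into a filesystem path. This is the pattern class the
# advisory (CVE-2000-0913) concerns; it is left commented out on purpose.
# RewriteRule ^/data/(.*)$ /srv/www/data/$1

# Constrained shape: the capture is anchored at both ends, contains no slash,
# and must start with a letter, digit, underscore or hyphen, so the single
# path components "." and ".." (and dot-files) can never be substituted.
# Only plain file names directly under /srv/www/data can be reached.
# [L] stops further rewriting of this request.
RewriteRule ^/data/([A-Za-z0-9_-][A-Za-z0-9_.-]*)$ /srv/www/data/$1 [L]

# Anything else under /data/ that did not match the constrained rule is
# refused outright rather than passed through to the default handler.
RewriteRule ^/data/ - [F]
```

The design point is that the destination of a RewriteRule should never receive a back-reference whose character set and length are not bounded by the pattern; anchoring both ends and excluding the path separator is what keeps the substituted value inside the intended directory.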
Mass virtual hosting allows access to any file
A security problem exists in the handling of Host: headers in mass virtual hosting configurations. Under certain circumstances an attacker can access any file on the server.
Mass virtual hosting can display CGI source
A security problem for users of the mass virtual hosting module, mod_vhost_alias, causes the source of a CGI script to be sent if the cgi-bin directory is under the document root. However, it is not normal to have your cgi-bin directory under a document root.
Requests can cause directory listing to be displayed on NT CVE-2000-0505
A security hole on NT allows a user to view the listing of a directory instead of the default HTML page by sending a carefully constructed request.
Fixed in Apache httpd 1.3.12
Cross-site scripting can reveal private session information
Apache was vulnerable to cross-site scripting issues. It was shown that malicious HTML tags can be embedded in client web requests if the server or script handling the request does not carefully encode all information displayed to the user. Using these vulnerabilities attackers could, for example, obtain copies of your private cookies used to authenticate you to other sites.
Fixed in Apache httpd 1.3.11
Mass virtual hosting security issue
A security problem can occur for sites using mass name-based virtual hosting (using the new mod_vhost_alias module or with special mod_rewrite rules).
Fixed in Apache httpd 1.3.4
Denial of service attack on Win32
There have been a number of important security fixes to Apache on Windows. The most important is that there is much better protection against people trying to access special DOS device names (such as "nul").
Fixed in Apache httpd 1.3.2
Multiple header Denial of Service vulnerability CAN-1999-1199
A serious problem exists when a client sends a large number of headers with the same header name. Apache uses up memory faster than the amount of memory required to simply store the received data itself. That is, memory use increases faster and faster as more headers are received, rather than increasing at a constant rate. This makes a denial of service attack based on this method more effective than methods which cause Apache to use memory at a constant rate, since the attacker has to send less data.
Denial of service attacks
Apache 1.3.2 has better protection against denial of service attacks. These are when people make excessive requests to the server to try to prevent other people using it. In 1.3.2 there are several new directives which can limit the size of requests (these directives all start with the word Limit).
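The Limit directives referred to here are what bound the repeated-header case described under CAN-1999-1199 as well as oversized request lines and bodies. The following is an added example, not configuration from the advisory or from the Apache project: the numeric values and the /srv/www/htdocs/upload directory are illustrative assumptions, not recommended settings for every site.

```apache
# Added example (not from the advisory): request-size limits available from
# Apache httpd 1.3.2 onward, placed in the main server config or a
# <VirtualHost>. Values and the upload directory are assumptions.

# Longest accepted request line (method, URI, protocol), in bytes.
# Requests exceeding it are rejected with 414 Request-URI Too Large.
LimitRequestLine 4094

# Maximum number of request header fields accepted. This bounds the
# repeated-header denial of service (CAN-1999-1199): once this many fields
# have arrived the request is rejected with 400 Bad Request instead of
# continuing to consume memory.
LimitRequestFields 50

# Maximum size of any single header field, in bytes (1.3 spells the
# directive LimitRequestFieldsize; directive names are case-insensitive).
LimitRequestFieldsize 4094

# Maximum request body size, in bytes. 0 means unlimited, which is the
# default; set a global ceiling and raise it only where uploads are expected.
LimitRequestBody 1048576

<Directory "/srv/www/htdocs/upload">
    # Assumed upload location: allow larger bodies only here.
    LimitRequestBody 10485760
</Directory>
```

Keeping the global LimitRequestBody small and raising it per directory follows the least-privilege pattern: the broad surface of the server rejects large bodies early, and only the handlers that legitimately need them accept more.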