Concerning this vulnerability: is safe to assume that a patched
reverse proxy will protect a vulnerable back end server from such
malicious requests?
cu - Harry
>>>>> "jwoolley" == jwoolley <[EMAIL PROTECTED]> writes:
jwoolley> [[ Note: this issue affects both 32-bit and 64-bit
jwoolley> platforms; the subject of this message emphasizes 32-bit
jwoolley> platforms since that is the most important information
jwoolley> not announced in our previous advisory. ]]
jwoolley> SUPERSEDES:
jwoolley> http://httpd.apache.org/info/security_bulletin_20020617.txt
jwoolley> Date: June 20, 2002 Product: Apache Web Server Versions:
jwoolley> Apache 1.3 all versions including 1.3.24; Apache 2.0 all
jwoolley> versions up to 2.0.36; Apache 1.2 all versions.
jwoolley> CAN-2002-0392 (mitre.org) [CERT VU#944335]
jwoolley> ----------------------------------------------------------
jwoolley> ------------UPDATED ADVISORY------------
jwoolley> ----------------------------------------------------------
jwoolley> Introduction:
jwoolley> While testing for Oracle vulnerabilities, Mark
jwoolley> Litchfield discovered a denial of service attack for
jwoolley> Apache on Windows. Investigation by the Apache Software
jwoolley> Foundation showed that this issue has a wider scope,
jwoolley> which on some platforms results in a denial of service
jwoolley> vulnerability, while on some other platforms presents a
jwoolley> potential remote exploit vulnerability.
jwoolley> This follow-up to our earlier advisory is to warn of
jwoolley> known-exploitable conditions related to this
jwoolley> vulnerability on both 64-bit platforms and 32-bit
jwoolley> platforms alike. Though we previously reported that
jwoolley> 32-bit platforms were not remotely exploitable, it has
jwoolley> since been proven by Gobbles that certain conditions
jwoolley> allowing exploitation do exist.
jwoolley> Successful exploitation of this vulnerability can lead
jwoolley> to the execution of arbitrary code on the server with
jwoolley> the permissions of the web server child process. This
jwoolley> can facilitate the further exploitation of
jwoolley> vulnerabilities unrelated to Apache on the local system,
jwoolley> potentially allowing the intruder root access.
jwoolley> Note that early patches for this issue released by ISS
jwoolley> and others do not address its full scope.
jwoolley> Due to the existence of exploits circulating in the wild
jwoolley> for some platforms, the risk is considered high.
jwoolley> The Apache Software Foundation has released versions
jwoolley> 1.3.26 and 2.0.39 that address and fix this issue, and
jwoolley> all users are urged to upgrade immediately; updates can
jwoolley> be downloaded from http://httpd.apache.org/ .
jwoolley> As a reminder, we respectfully request that anyone who
jwoolley> finds a potential vulnerability in our software reports
jwoolley> it to [EMAIL PROTECTED]
jwoolley> ----------------------------------------------------------
jwoolley> The full text of this advisory including additional
jwoolley> details is available at
jwoolley> http://httpd.apache.org/info/security_bulletin_20020620.txt
jwoolley> .
