Concerning this vulnerability: is safe to assume that a patched reverse proxy will protect a vulnerable back end server from such malicious requests?
cu - Harry >>>>> "jwoolley" == jwoolley <[EMAIL PROTECTED]> writes: jwoolley> [[ Note: this issue affects both 32-bit and 64-bit jwoolley> platforms; the subject of this message emphasizes 32-bit jwoolley> platforms since that is the most important information jwoolley> not announced in our previous advisory. ]] jwoolley> SUPERSEDES: jwoolley> http://httpd.apache.org/info/security_bulletin_20020617.txt jwoolley> Date: June 20, 2002 Product: Apache Web Server Versions: jwoolley> Apache 1.3 all versions including 1.3.24; Apache 2.0 all jwoolley> versions up to 2.0.36; Apache 1.2 all versions. jwoolley> CAN-2002-0392 (mitre.org) [CERT VU#944335] jwoolley> ---------------------------------------------------------- jwoolley> ------------UPDATED ADVISORY------------ jwoolley> ---------------------------------------------------------- jwoolley> Introduction: jwoolley> While testing for Oracle vulnerabilities, Mark jwoolley> Litchfield discovered a denial of service attack for jwoolley> Apache on Windows. Investigation by the Apache Software jwoolley> Foundation showed that this issue has a wider scope, jwoolley> which on some platforms results in a denial of service jwoolley> vulnerability, while on some other platforms presents a jwoolley> potential remote exploit vulnerability. jwoolley> This follow-up to our earlier advisory is to warn of jwoolley> known-exploitable conditions related to this jwoolley> vulnerability on both 64-bit platforms and 32-bit jwoolley> platforms alike. Though we previously reported that jwoolley> 32-bit platforms were not remotely exploitable, it has jwoolley> since been proven by Gobbles that certain conditions jwoolley> allowing exploitation do exist. jwoolley> Successful exploitation of this vulnerability can lead jwoolley> to the execution of arbitrary code on the server with jwoolley> the permissions of the web server child process. This jwoolley> can facilitate the further exploitation of jwoolley> vulnerabilities unrelated to Apache on the local system, jwoolley> potentially allowing the intruder root access. jwoolley> Note that early patches for this issue released by ISS jwoolley> and others do not address its full scope. jwoolley> Due to the existence of exploits circulating in the wild jwoolley> for some platforms, the risk is considered high. jwoolley> The Apache Software Foundation has released versions jwoolley> 1.3.26 and 2.0.39 that address and fix this issue, and jwoolley> all users are urged to upgrade immediately; updates can jwoolley> be downloaded from http://httpd.apache.org/ . jwoolley> As a reminder, we respectfully request that anyone who jwoolley> finds a potential vulnerability in our software reports jwoolley> it to [EMAIL PROTECTED] jwoolley> ---------------------------------------------------------- jwoolley> The full text of this advisory including additional jwoolley> details is available at jwoolley> http://httpd.apache.org/info/security_bulletin_20020620.txt jwoolley> .