From: jwoolley@apache.org
To: announce@apache.org,
Subject: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Date: Fri, 21 Jun 2002 00:54:53 -0400 (EDT)
Cc:: bugtraq@securityfocus.com
[[ Note: this issue affects both 32-bit and 64-bit platforms; the
subject of this message emphasizes 32-bit platforms since that
is the most important information not announced in our previous
advisory. ]]
SUPERSEDES: http://httpd.apache.org/info/security_bulletin_20020617.txt
Date: June 20, 2002
Product: Apache Web Server
Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions
up to 2.0.36; Apache 1.2 all versions.
CAN-2002-0392 (mitre.org) [CERT VU#944335]
----------------------------------------------------------
------------UPDATED ADVISORY------------
----------------------------------------------------------
Introduction:
While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows. Investigation by the
Apache Software Foundation showed that this issue has a wider scope, which
on some platforms results in a denial of service vulnerability, while on
some other platforms presents a potential remote exploit vulnerability.
This follow-up to our earlier advisory is to warn of known-exploitable
conditions related to this vulnerability on both 64-bit platforms and
32-bit platforms alike. Though we previously reported that 32-bit
platforms were not remotely exploitable, it has since been proven by
Gobbles that certain conditions allowing exploitation do exist.
Successful exploitation of this vulnerability can lead to the execution of
arbitrary code on the server with the permissions of the web server child
process. This can facilitate the further exploitation of vulnerabilities
unrelated to Apache on the local system, potentially allowing the intruder
root access.
Note that early patches for this issue released by ISS and others do not
address its full scope.
Due to the existence of exploits circulating in the wild for some platforms,
the risk is considered high.
The Apache Software Foundation has released versions 1.3.26 and 2.0.39
that address and fix this issue, and all users are urged to upgrade
immediately; updates can be downloaded from http://httpd.apache.org/.
As a reminder, we respectfully request that anyone who finds a potential
vulnerability in our software reports it to security@apache.org.
----------------------------------------------------------
The full text of this advisory including additional details is available
at http://httpd.apache.org/info/security_bulletin_20020620.txt.
Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.
LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.