Some vulnerabilities have been reported in Apache HTTP Server, which can be exploited by malicious people to gain access to potentially sensitive information, cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
1) The "ap_proxy_ajp_request()" function in modules/proxy/mod_proxy_ajp.c of the mod_proxy_ajp module returns the "HTTP_INTERNAL_SERVER_ERROR" error code when processing certain malformed requests. This can be exploited to put the backend server into an error state until the retry timeout expired by sending specially crafted requests.
2) The mod_isapi module unloads ISAPI modules before the request processing is complete, potentially leaving orphaned callback pointers behind. This can be exploited by sending a specially crafted request followed by a reset packet.
Successful exploitation may allow the execution of arbitrary code with SYSTEM privileges on Windows systems.
3) An error exists within the header handling when processing subrequests, which can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded Multi-Processing Module (MPM) is used.
Vulnerabilities #1 and #3 are reported in version 2.2.0, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 2.2.9, 2.2.11, 2.2.12, 2.2.13, and 2.2.14.
Solution: Update to version 2.2.15.
Provided and/or discovered by: 1) The vendor credits Niku Toivola of Sulake Corporation.
2) Brett Gervasoni, SOS Labs.
3) Reported in a bug report by Philip Pickett
Original Advisory: Apache:
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to email@example.com
Subject: Apache HTTP Server Multiple Vulnerabilities
No posts yet
You must be logged in to post a comment.
Secunia Customer Login
Not a customer already?
Learn more about how our market leading Vulnerability Management solutions can help you manage risk and ensure compliance.