1) Apache Chunk Handling advisories
ISS Advisory "Remote Compromise Vulnerability in Apache HTTP Server"
Brief description: ISS X-Force has discovered a serious vulnerability in the default version of Apache HTTP Server. Apache is the most popular Web server and is used on over half of all Web servers on the Internet. It may be possible for remote attackers to exploit this vulnerability to compromise Apache Web servers. Successful exploitation may lead to modified Web content, denial of service, or further compromise.
Affected versions: Many commercial Web Application Servers such as Oracle 9iAS and IBM WebSphere use Apache HTTP Server to process HTTP requests. Additional products that bundle Apache HTTP Server for Windows may be affected.
Full advisory: http://www.net-security.org/vuln.php?id=1791
Apache Security Bulletin
Brief description: Versions of the Apache web server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. This bug can be triggered remotely by sending a carefully crafted invalid request. This functionality is enabled by default. In most cases the outcome of the invalid request is that the child process dealing with the request will terminate. At the least, this could help a remote attacker launch a denial of service attack as the parent process will eventually have to replace the terminated child process and starting new children uses non-trivial amounts of resources.
We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory. Please note that the patch provided by ISS does not correct this vulnerability.
Full advisory: http://www.net-security.org/vuln.php?id=1793
CERT Advisory CA-2002-17 - Apache Web Server Chunk Handling Vulnerability
Brief description: There is a remotely exploitable vulnerability in the handling of large chunks of data in web servers that are based on Apache source code. This vulnerability is present by default in configurations of Apache web servers versions 1.3 through 1.3.24 and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.
Full advisory: http://www.net-security.org/advisory.php?id=775
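The advisories above concern invalid and large chunk sizes in chunked-encoded requests. The following added example (not code from Apache, ISS or CERT, and not the vendor patch) shows one way a server or filtering proxy can validate a chunk-size line strictly before using it as a length; `parse_chunk_size`, `MAX_CHUNK_SIZE` and the status names are hypothetical, and the 8 MiB limit is an assumed policy value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHUNK_SIZE (8u * 1024u * 1024u)  /* hypothetical policy limit */

enum chunk_status { CHUNK_OK = 0, CHUNK_INVALID = -1, CHUNK_TOO_LARGE = -2 };

/* Parse a chunk-size line ("1a2b", optionally followed by ";extension",
 * then CRLF) into an unsigned length. The value is never held in a signed
 * type and is bounded before every shift, so an over-long hex string is
 * rejected instead of wrapping into a small or negative number. */
static enum chunk_status parse_chunk_size(const char *line, size_t len, size_t *out)
{
    size_t i = 0, value = 0;

    for (; i < len; i++) {
        unsigned digit;
        char c = line[i];
        if (c >= '0' && c <= '9')      digit = (unsigned)(c - '0');
        else if (c >= 'a' && c <= 'f') digit = (unsigned)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') digit = (unsigned)(c - 'A' + 10);
        else break;                            /* end of the hex field */
        if (value > (MAX_CHUNK_SIZE >> 4))     /* next shift would exceed limit */
            return CHUNK_TOO_LARGE;
        value = (value << 4) | digit;
    }
    if (i == 0)
        return CHUNK_INVALID;                  /* no hex digits, e.g. "-1" or "" */
    if (value > MAX_CHUNK_SIZE)
        return CHUNK_TOO_LARGE;
    if (i < len && line[i] != ';' && line[i] != '\r')
        return CHUNK_INVALID;                  /* junk directly after the size */
    *out = value;
    return CHUNK_OK;
}

int main(void)
{
    /* Constructed sample chunk-size lines, not captured traffic. */
    const char *samples[] = { "1a2b\r\n", "10;name=val\r\n", "ffffffff\r\n", "-1\r\n" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        size_t n = 0;
        int rc = parse_chunk_size(samples[k], strlen(samples[k]), &n);
        printf("status=%d size=%zu\n", rc, n);
    }
    return 0;
}
```

A request whose chunk-size line does not return `CHUNK_OK` should be refused with an error response before any body bytes are copied.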
2) Problem discussion:
David Litchfield - david(a)ngssoftware.com on Bugtraq
Like ISS obviously did, one of the first things NGSSoftware did after the eEye ASP Chunk Transfer Encoding vulnerability came out was check 'what else' is vulnerable to this kind of issue. Like ISS, NGSSoftware also noted that the Win32 distribution of Apache was vulnerable.
However, our approach to addressing this problem was/is completely different. We alerted Oracle, Apache and CERT.
Our last response from Mark Fox of Apache was that they "have decided that we need to co-ordinate this issue with CERT so that we can get other vendors who ship Apache in their OS and projects a heads-up to this issue." NGSSoftware, of course, agreed that this would be the best plan of action as most people who use the Win32 Apache version do not have a compiler and so can take steps to protect themselves. They're mostly relying on their Apache 'supplier' to produce a patch.