Browse archive

Latest news

Oracle releases critical security updates for Java

Failed backups endanger revenue and productivity

The security of WordPress plugins

How to detect hidden administrator apps on Android

Key obstacles to effective IT security strategies

CyanogenMod founder aims to thwart data-grabbing apps

Businesses not fully implementing infosec programs

Is accessing work apps on the move destructive?

Microsoft releases Enhanced Mitigation Experience Toolkit 4.0

New regulation for ENISA, the EU cybersecurity agency

Hacking charge stations for electric cars

Apache Chunk Handling Roundup

by Berislav Kucan - revised on 20 June 2002

Internet Security Systems and NGSSoftware found a security issue with chunk encoding in the popular Apache web server. The problems may lead to a remote compromise and denial of service.

1) Apache Chunk Handling advisories

ISS Advisory "Remote Compromise Vulnerability in Apache HTTP Server"

Brief description: ISS X-Force has discovered a serious vulnerability in the default version of Apache HTTP Server. Apache is the most popular Web server and is used on over half of all Web servers on the Internet. It may be possible for remote attackers to exploit this vulnerability to compromise Apache Web servers. Successful exploitation may lead to modified Web content, denial of service, or further compromise.

Affected versions: Many commercial Web Application Servers such as Oracle 9ias and IBM Websphere use Apache HTTP Server to process HTTP requests. Additional products that bundle Apache HTTP Server for Windows may be affected.

Full advisory: http://www.net-security.org/vuln.php?id=1791

Apache Security Bulletin

Brief description: Versions of the Apache web server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. This bug can be triggered remotely by sending a carefully crafted invalid request. This functionality is enabled by default. In most cases the outcome of the invalid request is that the child process dealing with the request will terminate. At the least, this could help a remote attacker launch a denial of service attack as the parent process will eventually have to replace the terminated child process and starting new children uses non-trivial amounts of resources.

We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory. Please note that the patch provided by ISS does not correct this vulnerability.

Full advisory: http://www.net-security.org/vuln.php?id=1793

CERT Advisory CA-2002-17 - Apache Web Server Chunk Handling Vulnerability

Brief description: There is a remotely exploitable vulnerability in the handling of large chunks of data in web servers that are based on Apache source code. This vulnerability is present by default in configurations of Apache web servers versions 1.3 through 1.3.24 and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.

Full advisory http://www.net-security.org/advisory.php?id=775

2) Problem discussion: