Sounds like ISS rushed the release of this to beat you to it Litchfield. That is rather poor on their part.
If someone has an Apache module that strips chunked encoding that _should_ at least give people a work around for this vulnerability for now. Not sure if the module will process before Apache processes chunked encoding itself but if it does it should work. We are currently looking into it.
Robert G. Ferrell - rferrell(a)texas.net on ISN list
Mark Litchfield discovered a vulnerability in Apache, and followed proper channels by contacting the software maintainer and working with them to develop a fix before going public with potentially exploitable details.
ISS bypasses accepted channels completely and posts information about the vulnerability to a public list, providing at the same time a patch that doesn't seem to fix the vulnerability as stated, along with installation instructions that, while accurate, are not going to be of much use to most Win32 admins.
Apache is now in the position of having to scramble to release a patch before people start exploiting a vulnerability that would not have been widely known if ISS had shown a bit more restraint.
Robert Lemos - rob.lemos(a)cnet.com article on CNET
Chris Rouland, director of ISS's research and development team, known as X-Force, maintains that the company did the right thing when it released an advisory on the issue and included a patch as well. "We are competing with the 10 million hackers out there, who are trying to break in to Web servers," he said. "The hackers were the real ones that were ticked off that we released the advisory. That's one less exploit that they could use."
Read this article on CNET (http://www.cnet.com/investor/news/newsitem/0-9900-1028-20051547-0.html).
3) Solutions and patches
ISS X-Force has developed a patch for "Remote Compromise Vulnerability in Apache HTTP Serve" issue. The patch is available from the ISS advisory located on the top of this paper.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.