Apache Web Server Flaw Found
Apache Foundation scrambles to fix 'major' hole that leaves servers open to attack.
A security flaw in the popular Apache Web server could allow a malicious hacker to launch a denial-of-service attack, or even take over a system on which the software is running, the Apache Software Foundation has warned.
The flaw relates to the way the Web server parses uploaded data, and can cause the software to misinterpret the size of incoming chunks of data, the organization reported in an advisory released on Monday.
Hackers could exploit the vulnerability by sending a carefully crafted request to a flawed Apache server, according to the foundation. The organization manages development of open-source Apache products.
Wide Effect
Affected are all versions of Apache 1.3 and versions of Apache 2 up to 2.0.36, the group said. The Apache Software Foundation said it is working on new software releases that will fix the flaw.
Exploiting the flaw successfully could help an attacker to stage a denial-of-service attack, making the server unreachable. In some cases attackers could run their choice of code on a server, the Foundation warned.
In a denial-of-service attack, a hacker places code on a number of vulnerable Web servers, then activates them simultaneously with the order to submit repeated requests for information from a single, separate Web site. The intention is to overload the targeted site and cause it to crash. Often, managers of the participating sites are unaware the sites are assisting in an attack.
Wicked With Windows
One particularly vulnerable group is users running Apache 1.x on Microsoft Windows 2000 or Windows 2000 Server, according to security software vendor Internet Security Systems (ISS) of Atlanta, which also issued its own advisory on Monday. An attacker targeting such a setup would likely be able to take control of the server, ISS said. In an e-mail alert, the organization characterized the hole as a "major" vulnerability.
More than 63 percent of all Web sites run on an Apache Web server, according to the British firm Netcraft, which compiles such information. The flaw is similar to a vulnerability in Internet Information Server (IIS) that Microsoft warned of last week, ISS said.















