Patch Posted for Apache Hole

A flaw has been discovered in the newest version of the Apache Web server that could allow an attacker to take control of a user's system, prompting the release Friday of an upgrade to the software.

PivX Solutions, a network security consultancy in Newport Beach, California, disclosed the vulnerability Friday soon after an upgrade to Apache Version 2.0 that fixes the hole was posted. The hole could let an attacker remotely access all the files on an Apache 2.0 Web server, execute them, pass malicious code, and even shut down the system completely, said Geoff Shively, who goes by the title "chief hacking officer" at PivX Solutions.

"This is the same type of vulnerability that made Code Red, Code Blue, and Nimda possible," Shively said. "If someone wanted to make a worm for this it would take the same route."

PivX Solutions has released a basic workaround that will disable the problem, the company said. In addition, the Apache Software Foundation has made available a new version of the software that plugs the hole. Both the workaround and the upgrade are available from the Apache site.

Updates Urged

The vulnerability affects Apache systems running on all versions of Windows as well as OS/2 and NetWare, according to PivX. The Apache Software Foundation added that it affects all default installations of the Apache Web server. Unix and other variant platforms appear unaffected, according to Apache.

It is considered high risk, and users are urged to immediately install version 2.0.40 of the Apache Web server or implement the workaround.

"Some people have been using this attack," Shively said. "There have been some systems affected that we're somewhat aware of."

The firm discovered the flaw on August 3 and four days later began working with the Apache Software Foundation on a fix.

"We waited until today to release the advisory so Apache could make the fix," Shively said.

PivX Solutions also disclosed a second vulnerability in Apache 2.0 Friday, though it was deemed low risk. The second flaw can be used to gather information about an individual Apache Web server, such as who owns it, what operating system it is running on, names of files stored on the server, where it is physically located, as well as other info that would normally be held private, Shively said. The 2.0.40 upgrade also fixes this low-risk flaw, according to Apache.