Apache Web Server Can Be Crashed By Remote Users Via mod_dav Flaws and Also Via Basic Authentication
|
|
SecurityTracker Alert ID: 1006864
|
|
CVE Reference: CAN-2003-0189
, CAN-2003-0245
(Links to External Site)
|
Updated: Dec 7 2003
|
Original Entry Date: May 28 2003
|
Impact: Denial of service via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.0 - 2.0.45
|
Description: Two separate vulnerabilities were reported in the Apache web server. In one case, a remote user can cause the related Apache child process to crash. In the other case, a remote user can cause Basic Authentication to stop working.
According to the report, there is an unspecified flaw that can be triggered by a remote user via mod_dav and possibly other modules
and can cause an Apache child process to crash. No further details were available. Additional information is to be released on
30 May 2003. David Endler of iDEFENSE is credited with reporting this flaw.
It is also reported that a remote user can exploit
a bug on Unix-based platforms to cause denial of service conditions for the HTTP Basic Authentication method. The flaw is due to
a thread-safety issue in apr_password_validate(). A configuration script bug reportedly caused the apr_password_validate() function
to become thread-unsafe on platforms that use crypt_r(), including AIX and Linux. Versions of Apache 2.0 on platforms that have
neither crypt_r() nor thread-safe crypt() are also affected, such as the Mac OS X platform. If a threaded multi-processing module
(MPM) is used (which is not the default setting), a remote user can cause valid usernames and passwords supplied to the server for
Basic Authentication to fail until the server is reset. The vendor indicates that this bug is not believed to allow remote access.
John Hughes of Entegrity is credited with reporting this flaw.
|
Impact: A remote user can cause a child process to crash. A remote user can cause Basic Authentication to fail.
|
Solution: The vendor has released a fixed version (2.0.46), available at:
http://httpd.apache.org/download.cgi
The new release is reportedly compatible with modules compiled for 2.0.42 and later versions.
|
Vendor URL: www.apache.org/dist/httpd/Announcement2.html (Links to External Site)
|
Cause: Not specified, State error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 28 May 2003 13:00:07 -0400
Subject: Apache bugs
|
http://www.apache.org/dist/httpd/Announcement2.html
Apache announced the release of version 2.0.46, which includes some security fixes:
"SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered remotely through mod_dav
and possibly other mechanisms, causing an Apache child process to crash. The crash was
first reported by David Endler <DEndler@iDefense.com> and was researched and fixed by Joe
Orton <jorton@redhat.com>. Details will be released on 30 May 2003.
SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability affecting basic
authentication on Unix platforms related to thread-safety in apr_password_validate(). The
problem was reported by John Hughes <john.hughes@entegrity.com>"
"A bug in the configuration scripts caused the apr_password_validate() function to be
thread-unsafe on platforms with crypt_r(), including AIX and Linux. All versions of Apache
2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe
crypt(), such as Mac OS X and possibly others. When using a threaded MPM (which is not the
default on these platforms), this allows remote attackers to create a denial of service
which causes valid usernames and passwords for Basic Authentication to fail until Apache
is restarted. We do not believe this bug could allow unauthorized users to gain access to
protected resources."
The new release is reportedly compatible with modules compiled for 2.0.42 and later versions.
Apache 2.0.46 is available at:
http://httpd.apache.org/download.cgi
|
|
