APACHE SECURITY ADVISORY

Release Date: Tuesday, January 6, 1998
Topic: Possible security issues with Apache in some configurations

Summary of Issues
============================================================

This advisory is to inform all Apache users of several possible
security issues that have been discovered during an internal security
review of the Apache source code.

DO NOT BE ALARMED BY THIS ADVISORY. This is a pro-active step
designed to be certain that users of Apache are advised of the
issues and can take appropriate action to minimize their risk.

None of these holes allows a root compromise: they only affect the
user Apache runs as, as set with the "User" directive (if you have
this user set to root, fix your configuration now, because you
probably have a gaping security hole). They also generally require
that a user already have access to the system before they can be
exploited, meaning that on a large number of systems they are of
little practical concern. Some of the issues that have been addressed
might not be exploitable in real-world conditions.

In some security environments, however, they may be of more concern.
The administrator of the system running Apache is the only one who
can make the judgment call as to how significant the issues below
are in their environment.

Resolution of Problems
======================

We very strongly recommend that anyone using a version of Apache
prior to 1.2, or an earlier 1.2.x release, upgrade to the newly
released 1.2.5. It is now available at

    http://www.apache.org/dist/

There are no plans for an immediate 1.3b4 release to correct these
problems in the 1.3 beta development tree; however, we will make
patches for 1.3b3 that correct these issues available at

    http://www.apache.org/dist/patches/apply_to_1.3b3/

in the near future.

Technical Description of Issues
===============================

Below is a step-by-step technical description of the potential
problems discovered. Read it only if you wish to understand the
details of the problems so as to better judge how they impact your
server, and if you have a solid grounding in how Apache works. If
in doubt, you are advised to simply upgrade to 1.2.5 as soon as
practical.

III. Inefficient removal of duplicate '/'s ("beck" exploit)

RISK: medium

The code in the no2slash() function, used to collapse multiple '/'s
in a request for access-checking purposes, is very inefficient: it
is O(n^2) in the number of '/'s in the input. This means that as the
input size grows, the CPU time needed to process the request grows
much faster. By sending many requests with a large number of '/'s to
a server, it is possible to cause a large amount of CPU time to be
used in processing them. Making multiple simultaneous requests of
this nature could result in a high load average, high CPU usage, and
possibly starving other processes of CPU, i.e. a denial of service.
This does not allow for any compromise of the server.

The fixed version of the no2slash() function is O(n) and does not
allow for this attack.

Thanks to Michal Zalewski for discovering this bug and reporting it
on the BUGTRAQ mailing list along with the "beck" script that can be
used to exploit it.
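As an added illustration, not code from this advisory or from the Apache
source tree, the following C program contrasts a constructed quadratic
slash-collapser (modelled on the "shift the rest of the string left for
every duplicate slash" approach, so it has the O(n^2) shape described
above) with the linear read-pointer/write-pointer version, and counts the
byte operations each performs on a constructed request path made of many
leading slashes. The names no2slash_quadratic, no2slash_linear, measure
and collapses_to are this example's own, not Apache's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quadratic variant (constructed for illustration, not Apache's code).
 * Each duplicate '/' costs a pass over the remainder of the string, so a
 * path that is mostly slashes costs roughly n*n/2 byte moves.
 * Returns the number of byte moves performed. */
static unsigned long no2slash_quadratic(char *name)
{
    unsigned long moves = 0;
    size_t x = 0;

    while (name[x] != '\0') {
        if (x > 0 && name[x - 1] == '/' && name[x] == '/') {
            size_t y;
            /* drop name[x] by shifting everything after it, NUL included */
            for (y = x + 1; name[y - 1] != '\0'; y++) {
                name[y - 1] = name[y];
                moves++;
            }
        } else {
            x++;
        }
    }
    return moves;
}

/* Linear variant: read pointer s and write pointer d walk the buffer once.
 * After a '/' is copied, every immediately following '/' is skipped, so
 * each input byte is examined exactly once. Returns the bytes read. */
static unsigned long no2slash_linear(char *name)
{
    unsigned long reads = 0;
    char *s = name, *d = name;

    while (*s != '\0') {
        if ((*d++ = *s) == '/') {
            do { ++s; ++reads; } while (*s == '/');
        } else {
            ++s; ++reads;
        }
    }
    *d = '\0';
    return reads;
}

struct no2slash_cost {
    unsigned long quadratic;  /* byte moves done by the quadratic version */
    unsigned long linear;     /* bytes read by the linear version */
    int same_result;          /* 1 if both versions produced the same path */
};

/* Constructed input: `slashes` leading '/' followed by "index.html", the
 * shape of request that drives the quadratic version hardest. Both
 * versions run on private copies; the work each did is reported. */
static struct no2slash_cost measure(size_t slashes)
{
    static const char tail[] = "index.html";
    size_t len = slashes + strlen(tail);
    struct no2slash_cost c = { 0, 0, 0 };
    char *a = malloc(len + 1), *b = malloc(len + 1);

    if (a == NULL || b == NULL) {
        free(a); free(b);
        return c;
    }
    memset(a, '/', slashes);
    memcpy(a + slashes, tail, sizeof tail);   /* copies the NUL too */
    memcpy(b, a, len + 1);

    c.quadratic = no2slash_quadratic(a);
    c.linear = no2slash_linear(b);
    c.same_result = (strcmp(a, b) == 0);
    free(a); free(b);
    return c;
}

/* 1 if both versions turn `in` into `expected`, 0 otherwise. */
static int collapses_to(const char *in, const char *expected)
{
    char a[128], b[128];

    if (strlen(in) >= sizeof a)
        return 0;
    strcpy(a, in);
    strcpy(b, in);
    no2slash_quadratic(a);
    no2slash_linear(b);
    return strcmp(a, expected) == 0 && strcmp(b, expected) == 0;
}

int main(void)
{
    size_t sizes[] = { 10, 100, 1000, 10000 }, i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct no2slash_cost c = measure(sizes[i]);
        printf("%6zu slashes: quadratic=%10lu moves  linear=%6lu reads  same=%d\n",
               sizes[i], c.quadratic, c.linear, c.same_result);
    }
    return 0;
}
```

Both versions produce the same collapsed path, which is what makes the
fix a drop-in replacement; the difference is entirely in cost. With 1000
leading slashes the quadratic variant performs about 500 times as many
byte operations as the linear one, and the ratio keeps growing with the
request size, which is the behaviour the advisory describes.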

Contact Information
===================

Full information about Apache and the 1.2.5 release, which fixes
these issues, is available at http://www.apache.org/

Normal bugs can be reported via http://www.apache.org/bug_report.html

If you believe you have discovered a security hole in Apache, please
be sure to contact us at security@apache.org so that we can verify
and resolve the problem. Support questions to this address will
not get a response. We fully support the concept of full disclosure;
however, it is always preferable to try to work with the vendor
first before publicizing information about security holes.

--
Marc Slemko | Apache team member
marcs@znep.com | marc@apache.org