Serious Apache Exploit Discovered
bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit."
Note: according to the advisory, this exploit is exclusive to Windows.
Windows? (Score:2, Insightful)
What percentage of Apache hosts run on Windows? I'd guess maybe 10%, a generous estimate. This isn't something that's going to bring the entire web down. Also, wouldn't you have to enable mod_isapi manually?
Windows only exploit (Score:1, Insightful)
Only affects Windows, though.
I wonder how many big deployments of Apache+Windows are out there.
Re:Note: Apache ON WINDOWS (Score:5, Insightful)
> The same bug in a module that ran on Linux would result in a remote root exploit.
Really?
ps -aef | grep apach
root 3029 1 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3072 3029 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3073 3029 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start
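The privilege separation the listing above illustrates (root parent, www-data workers) can be checked mechanically. The following is an added example, not part of the original post or of Apache itself: it parses `ps -aef` output in the same column layout and flags any request-handling child that inherited root, since a module bug in such a worker would yield root rather than www-data. The sample rows are constructed, with one deliberately misconfigured worker added.

```python
"""Check Apache privilege separation from `ps -aef` output (added example)."""
from collections import namedtuple

Proc = namedtuple("Proc", "user pid ppid cmd")

# Constructed sample in the `ps -aef` column layout (UID PID PPID C STIME TTY TIME CMD).
# The first three rows mirror the thread's listing; the last row is a deliberately
# bad worker that runs as root, which privilege separation should never produce.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      3029     1  0 08:10 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3072  3029  0 08:10 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3073  3029  0 08:10 ?        00:00:00 /usr/sbin/apache2 -k start
root      3074  3029  0 08:10 ?        00:00:00 /usr/sbin/apache2 -k start
"""


def parse_ps(text, needle="apache"):
    """Return Proc records for rows whose command column contains `needle`."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 7)  # maxsplit=7 keeps spaces inside CMD
        if len(fields) < 8 or fields[0] == "UID":
            continue  # header row or truncated line
        user, pid, ppid, cmd = fields[0], int(fields[1]), int(fields[2]), fields[7]
        if needle in cmd:
            procs.append(Proc(user, pid, ppid, cmd))
    return procs


def privileged_workers(procs):
    """Workers are apache processes whose parent is itself an apache process.
    Return the workers that run as root, i.e. where separation failed."""
    apache_pids = {p.pid for p in procs}
    return [p for p in procs if p.ppid in apache_pids and p.user == "root"]


def separation_ok(text):
    """True when apache is present and every worker runs unprivileged."""
    procs = parse_ps(text)
    return bool(procs) and not privileged_workers(procs)


if __name__ == "__main__":
    for w in privileged_workers(parse_ps(SAMPLE_PS)):
        print(f"worker pid {w.pid} (parent {w.ppid}) runs as root")
    print("separation ok" if separation_ok(SAMPLE_PS) else "separation BROKEN")
```

On a real host, feed it `subprocess.check_output(["ps", "-aef"], text=True)` instead of SAMPLE_PS.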
Re:Note: Apache ON WINDOWS (Score:3, Insightful)
You can still have undesirable security issues on dedicated web hosting servers, for three reasons. One: a remote root exploit allows the intruder to replace all of the data on your site with whatever malware/adware they feel like, or even post content to slander you. Two: they can still turn your web server into a spambot, something which is undesirable (or use it as a starting point for whatever other malicious attacks they feel like.)
Re:Note: Apache ON WINDOWS (Score:5, Insightful)
It doesn't matter if "it's just as bad". It isn't a "root exploit". It's highly inaccurate to call it one.
Muddling terms is how you end up with nonsense like not being able to tell programs from data.
Distinctions are important for just this reason.
Yes it still sucks.
Re:Note: Apache ON WINDOWS (Score:3, Insightful)
99% huh? Bullshit.
I would be skeptical of any claim that even a "majority" of such websites were based on Windows. For a hosting provider, the extra hardware cost AND still lower performance of Windows just isn't worth it. Toss in higher licensing fees and a "pray to the black box" method of support, and you have yourself a losing business.
Now it's true that a SLIGHT majority of *parked/empty domains* might resolve to Windows webservers. I think that's what you meant, but spinning it the way you have done is... well, incredibly dishonest of you.
Re:Note: Apache ON WINDOWS (Score:3, Insightful)
Dedicated webservers are actually far more attractive targets to attackers; they are likely to have a lot more upstream bandwidth available to them than a typical end user, making them ideal for spam, DDoS, and scanning for other machines to infect, or they could merely reuse the existing webserver as a delivery mechanism for malware or phishing sites.
Re:Note: Apache ON WINDOWS (Score:2, Insightful)
> although I have no idea why you would run Apache on a Windows server.
Because sometimes you're forced to use a Windows server platform yet at the same time are under budget constraints and can't afford Microsoft's licensing models.
Re:Note: Apache ON WINDOWS (Score:4, Insightful)
Apache does not run as Administrator on Windows. I'm afraid it is worse than that, it runs as LocalSystem, which is more analogous to root than Administrator is. Even if you configure the service to run as a different account, it requires the "Log on as a service" and "Act as part of the operating system" privileges. Might as well use LocalSystem.