Serious Apache Exploit Discovered 160
bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit."
Note: according to the advisory, this exploit is exclusive to Windows.
I was slightly worried, until I read this: (Score:2, Interesting)
Platform. Microsoft Windows
But is this the final nail in the Apache 1.3 coffin?
Now the boss is going to be upset even when you tell them your version is not vulnerable.
Re:Note: Apache ON WINDOWS (Score:2, Interesting)
Always worried about reporting. (Score:3, Interesting)
At a place I used to work, one of my coworkers reported a simple potential security problem: the username for the admin account on all our machines is the same as the computer's name. This just eliminates one less thing for a hacker to figure out. He was accused of "snooping", whatever that means, and almost lost his job. The only thing that saved him is a higher-up with a brain.
Whenever I hear a story about a person\firm reporting security risks, I am reminded of the story of my coworker, and I have heard too many similiar stories. It has trained to me keep my mouth shut about these problems.
Re:Note: Apache ON WINDOWS (Score:3, Interesting)
Why would Apache run as an Administrator on Windows? Even IIS doesn't do that these days.
Re:Note: Apache ON WINDOWS (Score:1, Interesting)
You can do the same sort of thing in windows. THAT the *DEFAULT* install of Apache is a admin user...
You can set who the launching user is of any service to be that of a lower user. *NOW* is the application capable of running like that? In this case probably. Many are not.
You can really really really really slice and dice how applications run on windows. In many ways it is better than the unix world. The downside is it is super super super complex. So no one uses it and just maxes out everything. In many ways the security model in windows is more interesting one (with nearly 18 different ways to control just files vs the 3 in linux).
The truth is no one really uses it and the underpinnings can be yanked out from the application because of other bad design decisions. The reason for this is that it is complex. 18 different flavors of file security vs 3. 3 is easier to remember. Even the cacls program (from xp) does not present the whole security model available. You can get at more thru the gui. The icacls program from vista and up can do more. This makes the system way more vulnerable to things as everyone just maxes it out so they do not have to fiddle with it. I cant really blame them as I do it too.
Now I did not read the article. But can you root the box if it is not running as a 'admin' type user?
But this really comes down to are you running the application as some sort of super user? Then your attack surface is at least equal to whatever that super user can do. Even in linux they know this. Hence your post of how the app trampolines itself into a lower class user. That this is not done in the windows version says something about the windows port now doesnt it?
Re:Note: Apache ON WINDOWS (Score:3, Interesting)
I bought a netbook last week and tried to get on the internet with it at my favorite bar; the bar's router had something wrong with it and Windows couldn't find the DNS server. There seemed to be no way to tell Windows networking what the server address was. Meanwhile, a woman with an iPhone had no trouble using the wifi there. With earlier versions of Windows I had no trouble specifying a DNS server, and the help system is no help at all.
I'm more familiar with XP (which I know you can easily specify DNS with). Was this a Windows 7 Reduced Functionality for Netbooks (TM) version? I've noticed annoying things like that on my parents' computers. The worst is that "Users and Groups" is gone in the Computer Management MMC, so those tasks have to be done via command line. Windows 7 Enterprise is better than XP (wow, remote _and_ local IP settings and outgoing/incoming rules for Firewall? finally.), but the "home" versions are crippled in ways that make security difficult.
Re:Note: Apache ON WINDOWS (Score:3, Interesting)
Apache has to run as root at some point or else it can't bind to port 80. What you see from ps is after apache had setuid and forked. You can do the same thing in windows, but don't you agree it falls upon apache to do spawn processes as an unprivileged user? If you remember back in Apache 1 days, it was the same way in Linux, you had to run as root or load it as a plugin for inetd if you wanted to run it on port 80. I remember back in the days when we were using ipfwadm to forward all packets with server port 80 dest to port 8080 just so we could run Apache as a regular user. And even then it didn't work right all the time. In this specific case, I really don't see any reason to blame the OS.