Apache 2.0 Cross-site Scripting Vulnerability
jimmy writes "A vulnerability exists in the SSI error pages of Apache 2.0 that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host. This cross-site scripting (or XSS) hole has been found in all versions of Apache prior to 2.0.43. The advisory can be found here and users are urged to upgrade to address this problem."
Let's clarify... (Score:5, Informative)
For those of us still running the 1.3 branch, we're good.
Re:Let's clarify... (Score:1)
This is CAN-2002-0840
Prevent a cross-site scripting vulnerability in the default error page. The issue could only be exploited if the directive UseCanonicalName is set to Off and a server is being run at a domain that allows wildcard DNS (which are not that common).
The default setting has been Off in 2.0 since 2.0.33; 1.3 has always had it On, so is not vulnerable by default, but is vulnerable if you set UseCanonicalName to Off.
Affects Apache 2.0, all versions including 2.0.42, and 1.3, all versions up to 1.3.26.
Expect fixes shortly, but this isn't a very critical vulnerability.
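As an added example (not from the thread or from the Apache project), a small Python audit that applies the conditions stated above, the affected versions and the branch defaults for UseCanonicalName, to an httpd.conf. The function names and the two sample configs are constructed for illustration.

```python
# Constructed example (not Apache's own code): audits an httpd.conf for the
# UseCanonicalName condition behind CAN-2002-0840 using the facts stated in the
# thread: 2.0 before 2.0.43 and 1.3 up to 1.3.26 are affected, 2.0 defaults the
# directive to Off since 2.0.33, 1.3 defaults it to On.  Include files and
# per-virtual-host scoping are ignored: the last uncommented directive wins.
import re

DIRECTIVE = re.compile(r"^\s*UseCanonicalName\s+(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_version(version):
    return tuple(int(p) for p in version.split("."))

def affected_version(version):
    """True when the thread lists this httpd version as affected."""
    v = parse_version(version)
    if v[:2] == (2, 0):
        return v < (2, 0, 43)
    if v[:2] == (1, 3):
        return v <= (1, 3, 26)
    return False  # other branches: the thread gives no information

def default_use_canonical_name(version):
    v = parse_version(version)
    return "off" if v[:2] == (2, 0) and v >= (2, 0, 33) else "on"

def effective_use_canonical_name(conf_text, version):
    """Explicit directive if present (commented lines never match), else the branch default."""
    values = [m.group(1).lower() for m in DIRECTIVE.finditer(conf_text)]
    return values[-1] if values else default_use_canonical_name(version)

def audit(conf_text, version):
    """Return (at_risk, reason).  Wildcard DNS cannot be read from the config,
    so at_risk means 'exposed if the host also allows wildcard DNS'."""
    if not affected_version(version):
        return False, "version not listed as affected"
    setting = effective_use_canonical_name(conf_text, version)
    if setting == "off":
        return True, "UseCanonicalName Off on an affected version"
    return False, "UseCanonicalName " + setting

# Constructed sample configs: a stock 2.0 file leaves the directive commented
# out, so the Off default applies; the hardened one pins it On.
WEAK_CONF = "ServerName www.example.com\n#UseCanonicalName On\n"
HARDENED_CONF = "ServerName www.example.com\nUseCanonicalName On\n"
```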
Re:Let's clarify... (Score:3, Informative)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN
Apache release notes here: http://www.apache.org/dist/httpd/Announcement.htm
This is why I am holding off on upgrading to 2.0 (Score:1)
Not trying to insult the Apache folks. 2.0 looks to be a great product, and I'm experimenting with it at home. But 2.0 lacks sufficient maturity (in some areas) for me to use it on our production environment right now. I'll probably wait until 2.1.x.
Yes, all software has bugs, even the mature Apache 1.3 branch. But 2.0 has potentially more bugs...
Re:This is why I am holding off on upgrading to 2. (Score:5, Insightful)
It's partially the modules (We use ATG Dynamo, and they have not yet updated their connection module to work with 2.0).
It also has a lot to do with my belief that the numbering system is a representation of maturity, and mature products have better performance and stability than the younger branches. Recent releases have more bugs than mature releases.
Our production system needs to be rock solid; we don't want to use these systems to test some newfangled Apache feature. Our Apache 1.3.26 servers never, ever crash.
It's my belief that the Apache 2.0 branch will have more bugs and performance issues than the 1.3.x branch. I don't have a lot of hard data to support this belief,
Apache 1.3.26 is way more stable than Apache 1.0.
Remember how unstable Gnome 1.0 or linux-kernel 2.0 was? Over time, the bugs present in 1.0 or kernel 2.0 have been resolved, and as a result, we have Gnome 1.4 and kernel 2.4, two very good products.
For instance, look at Gnome 1.0 vs Gnome 1.2+ ; or linux-kernel 2.0 vs 2.4.
Likewise, Apache 2.1.0 will be faster, more stable and will have more useful features than the 2.0 branch.
As a side effect of the new features, 2.1.0 will introduce some bugs which were not present in the 2.0.43 series. Most of those bugs will be resolved once the developers, users and bug stompers have had sufficient time to find and patch bugs, around 2.1.5 or so.
Re:This is why I am holding off on upgrading to 2. (Score:1)
http://www.sophos.com/virusinfo/analyses/w32bug
Re:This is why I am holding off on upgrading to 2. (Score:2)
"The worm may also attempt to determine the presence of an Apache 1.3.26 web server and relay this information to an external email address."
I would be very concerned if I had any worms on my system. However, a worm that reports presence of an Apache 1.3.26 web server does not make that worm more of a problem.
Why not?
My webserver and webserver version are public information. That information is available to any person who uses a web browser, or any person who uses a spidering tool like 'wget'. Simply use the tool on a zillion sites, parse the host string, and you have a list of webservers that use Apache 1.3.26.
As an added security step, I suppose I could change the host string to return something more obscure, like "Apache" instead of "Apache 1.3.26", but I'm not a big believer in security through obscurity...
Where's 2.0.43? (Score:1)
But going to http://www.apache.org/dist/httpd/, I read:
Apache 2.0.42 is the best available version.
So, where's 2.0.43? Or is someone reporting this too early?
Re:Where's 2.0.43? (Score:1)
Dot zero is NOT for everyone!! (Score:5, Insightful)
I don't understand why people are whining about Apache 2.0 being shunned by the masses. Running a DOT ZERO version means LOTS OF PATCHES. If you can't easily recompile and move on (like your site depends on changing interfaces/features/bugs) then dot zero is not for you.
This isn't a chink in Apache's gleaming armor. It's free software. The process is just plain old programming and software evolution. Dot zero is for people of the bleeding edge. Not all websites qualify. The Apache way is a superior way to the IIS way. Other ways may be just dandy also. Problems with Apache 2.0 are no indication on that issue as long as they are.
more bugs in Apache 2.0 than 1.3 (Score:1)