Apache HTTP Server Multiple Vulnerabilities

Last Update Date: 28 Jan 2011
Release Date: 5 Mar 2010

RISK: Medium Risk

Multiple vulnerabilities have been identified in Apache HTTP Server, which can be exploited by malicious people to gain access to potentially sensitive information, cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

1. The "ap_proxy_ajp_request()" function in modules/proxy/mod_proxy_ajp.c of the mod_proxy_ajp module returns the "HTTP_INTERNAL_SERVER_ERROR" error code when processing certain malformed requests. By sending specially crafted requests, this can be exploited to put the backend server into an error state until the retry timeout expires.

2. The mod_isapi module unloads ISAPI modules before request processing is complete, potentially leaving orphaned callback pointers behind. This can be exploited by sending a specially crafted request followed by a reset packet. Successful exploitation may allow the execution of arbitrary code with SYSTEM privileges on Windows systems.

3. An error exists within the header handling when processing subrequests, which can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded Multi-Processing Module (MPM) is used.
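
A triage sketch for the three issues above, added here as an example and not part of the original advisory: it reads the output of `httpd -V` and `httpd -M` and reports which items apply to a given installation. The sample outputs are constructed, and the function and key names are hypothetical.

```python
import re

# Constructed sample output of `httpd -V` and `httpd -M` (not from the advisory).
SAMPLE_V = """Server version: Apache/2.2.14 (Unix)
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""
SAMPLE_M = """Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_ajp_module (shared)
Syntax OK
"""


def triage(v_out, m_out):
    """Map `httpd -V` / `httpd -M` output to the advisory's three items.

    Hypothetical helper: it only reports whether the precondition named in
    each item (module loaded, threaded MPM) is present on a 2.2.x server.
    """
    ver = re.search(r"^Server version:\s*Apache/(\d+\.\d+)", v_out, re.M)
    in_branch = bool(ver) and ver.group(1) == "2.2"  # advisory lists Apache 2.2.x
    # The "threaded: yes" line under "Server MPM:" marks a multi-threaded MPM.
    threaded = re.search(r"^\s*threaded:\s*yes\b", v_out, re.M | re.I) is not None
    # Module lines look like " proxy_ajp_module (shared)"; keep the short name.
    modules = set(re.findall(r"^\s*(\w+)_module\b", m_out, re.M))
    return {
        "affected_branch": in_branch,
        # Item 1: only reachable when mod_proxy_ajp is loaded.
        "item1_mod_proxy_ajp": in_branch and "proxy_ajp" in modules,
        # Item 2: only reachable when mod_isapi is loaded.
        "item2_mod_isapi": in_branch and "isapi" in modules,
        # Item 3: requires a multi-threaded MPM.
        "item3_threaded_mpm": in_branch and threaded,
    }


if __name__ == "__main__":
    for item, applies in triage(SAMPLE_V, SAMPLE_M).items():
        print(f"{item}: {'APPLIES' if applies else 'not applicable'}")
```

A `True` value means the precondition for that item is present and the installation should be prioritised for the vendor's update; it does not confirm the flaw itself.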


Impact

  • Denial of Service
  • Remote Code Execution
  • Information Disclosure

System / Technologies affected

  • Apache 2.2.x

Solutions

Before installing the software, please visit the software manufacturer's website for more details.


Vulnerability Identifier


Source


Related Link