CGISecurity Logo

Apache Pre 1.3.24 on win32 allows command execution

Ory Segal from sanctuminc.com has found a
hole in apache versions prior to 1.3.24 which allows
an attacker to execute commands on win 32 versions
of apache. This is considered a serious threat and you
should upgrade immediately. On another note a minor
hole in every version was fixed. I have included that
change log snippet below.

--- Snippet from change log ---

*) [Security] Prevent invalid client hostnames from appearing in
the log file. If a double-reverse lookup was performed (e.g.,
for an "Allow from .my.domain" directive) but failed, then
a spoofed dns-reverse-address could appear in the logs. Now
the numeric address is logged instead. Note that
reverse-address-spoofing did NOT actually allow access
to any protected resource! [Martin Kraemer]

--- end snippet from change log ---

Further information is provided in the links below.

Upgrade to 1.3.24