Apache flaw opens networks to malicious code

By Matthew Broersma

Web servers and corporate PCs are at risk from newly discovered vulnerabilities in the popular Apache server software and in a component of Microsoft's Windows 2000.

The Apache flaw could allow an attacker to discover sensitive information or execute malicious code, while the Windows bug makes it possible for users to gain privileges high enough to alter files and user accounts.

The Apache flaw affects versions 2.0.39 and earlier, but only affects non-Unix platforms such as Windows, OS2 and Netware. The software can be made to reveal the absolute path to a script whenever the server attempts, and fails, to execute the script. Such path information would give valuable information to a potential attacker. An attacker could also use the flaw to execute programs on the server.

An advisory issued on Monday from the US Department of Energy's Computer Incident Advisory Capability, has warned that although Apache is not usually run on non-Unix platforms, the exploit is likely to be carried out because it is "easy and remote".

Users can apply a simple workaround or a patch to fix the problem. Both are included in Apache's warning, available on its website (http://httpd.apache.org/info/security_bulletin_20020809a.txt )

The new Apache flaw comes shortly after researchers publicised several security holes in OpenSSL, a security protocol, which could open the door to attacks on Apache servers. These flaws, along with other recent vulnerabilities in Apache and Microsoft servers, led one expert to comment on Tuesday that "a great many ecommerce sites are presently vulnerable to direct attack over the internet."

The Windows 2000 flaw affects a component called Network Connection Manager (NCM), which controls many network connections. Microsoft warned that a malicious user could, through a complex process, cause the NCM to execute the attacker's code with full system privileges.

The attack would require the user to already have low-privilege, interactive access to the system, but many companies offer this type of access to users through workstations or a Terminal Services server. The risk for Internet servers is, however, low.

Microsoft has released a patch to fix the problem on its website (http://www.microsoft.com/windows2000/downloads ).