Source: Threat Post

A bug in the way that the hugely popular Apache Web server handles some types of HTTP "range" header requests can enable a remote attacker to cause a denial-of-service condition on a vulnerable server. The flaw, which affects all versions of Apache 1.3 and Apache 2, is reportedly already being exploited in the wild. Apache Software Foundation officials are working on a fix for the bug, which is expected to be released within a few days.

The vulnerability in Apache actually has been a known issue for more than four years, since researcher Michal Zalewski pointed it out in a Bugtraq post. Zalewski said at the time of his 2007 post that the attack was fairly simplistic and not especially innovative.

"Combined with the functionality of window scaling (as per RFC 1323), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?" he wrote.

But the bug apparently was never fixed by Apache, and it resurfaced late last week when another researcher, known as Kingcope, posted a message to Full Disclosure about it. He also released a Perl script that executed the attack, exhausting the memory of the remote Apache server. That message sparked a long discussion on the mailing list about the severity and nature of the vulnerability, and a separate discussion on the Apache list about ways to mitigate the problem.

(TSB) The Spam Busters