Apache 2.0 vulnerability affects non-Unix platforms

Date: 9th August 2002
Version: 1
Product Name: Apache web server 2.0
OS/Platform: Windows, OS2, Netware
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt
Vendor Name: Apache Software Foundation Vendor URL: http://www.apache.org/
Affects: All Released versions of 2.0 through 2.0.39
Fixed in: 2.0.40
Identifiers: CAN-2002-0661

Apache is a powerful, full-featured, efficient, and freely-available Web server. On the 7th August 2002, The Apache Software Foundation was notified of the discovery of a significant vulnerability, identified by Auriemma Luigi .

This vulnerability has the potential to allow an attacker to inflict serious damage to a server, and reveal sensitive data. This vulnerability affects default installations of the Apache web server.

Unix and other variant platforms appear unaffected. Cygwin users are likely to be affected.

A simple one line workaround in the httpd.conf file will close the vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add the following directive to the global server configuration:

RedirectMatch 400 "\.."

Fixes for this vulnerability are also included in Apache version 2.0.40. Apache 2.0.40 also contains some less serious security fixes.

More information will be made available by the Apache Software Foundation and Auriemma Luigi in the coming weeks.

=============== REFERENCES ================

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0661 to this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661