Windows Apache security bug revealed

Serious hole, easy fix

Default installations of Apache on Windows are susceptible to a bug discovered by Italian researcher Luigi Auriemma, Apache.org reports.

According to a PivX advisory, non-Unix platforms like Windows OS2 and Netware are vulnerable, but Unix versions are not.

Details are sketchy to discourage immediate exploitation, but the organization says it will post additional details 'in the coming weeks'.

Meanwhile, the fix is simple. Add the following line to the httpd.conf file before the first 'Alias' or 'Redirect' directive:
RedirectMatch 400 "\\\.\."

The fix is included in version 2.0.40, along with fixes for "two minor path-revealing exposures," Apache says. Apache fixed the binaries within 24 hours of initial notification, PivX notes. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017