Tip

Apache Web server under attack

Microsoft's Internet Information Server is not the only Web server product that has vulnerabilities the vendor doesn't want to acknowledge. Apache 1.3.x for OpenBSD systems has an exploitable vulnerability that the Apache Software Foundation adamantly claimed was un-exploitable. Leave it up to the collective Internet intelligence to discover ways of doing the improbable and even some of the impossible.

The exploit, known as Apache-scalp.c enables remote crackers to access a command shell on any unpatched system running Apache 1.3.x on OpenBSD. The creator of the exploit, Gobbles Security, claims that this exploit could be easily ported against Apache versions for Sun Solaris, Linux and FreeBSD. Gobbles Security released the exploit only after repeatedly hearing that there was no exploitable vulnerability. A patch to correct this problem is available for just about every Apache platform. So, if you use Apache, it's time to patch a new hole.

What concerns me about this issue is just how difficult it is, even with the open source communities, to get developers and vendors to admit to security vulnerabilities, especially before an exploit is available in the wild. You would think that in today's security-conscious environment that any hint of a security vulnerability, especially on a popular and widely used product, would at least be taken seriously. With efforts to squelch or restrict public reporting of vulnerabilities for weeks or months, the lag between discovery and resolution can only become longer. If vendors are not motivated to resolve security problems until there are active media-hyped attacks occurring, then we as consumers will be getting an even shorter stick as the motivational element in this equation is silenced (i.e. prevention of public reporting of vulnerabilities).

Granting vendors a few weeks to create solutions to discovered problems and withholding public announcement of vulnerabilities until a patch is available sounds great, in an ideal world. Unfortunately, public disclosure seems to be the last remaining factor the consumer community can use to motivate vendors to resolve serious security issues in a timely manner. I think granting vendors a few days to verify and acknowledge vulnerabilities is a good thing. But I don't agree with the policy employed by many vendors: remaining completely silent or denying vulnerabilities for weeks, only then to reverse their stance once a patch is available.


James Michael Stewart is a researcher and writer for Lanwrights, Inc.


This was first published in July 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.