Reported June 17, 2002, by CERT.

VERSIONS AFFECTED

  • Apache 2, all versions up to 2.0.36

  • Apache 1.3, all versions including 1.3.24

  • Apache 1.2, all versions 1.2.2 and later

DESCRIPTION

Apache Web servers contain a flaw in the handling of certain chunk-encoded HTTP requests. A remote attacker can exploit this vulnerability to execute arbitrary code on the vulnerable system or to cause a denial of service (DoS).
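
The advisory does not describe the flaw in detail. As an added example (not code from Apache or from the advisory), the following shows the strict, bounded parsing a server or filtering proxy can apply to the chunk-size line of a chunk-encoded request. The function name, the return codes and the 8 MiB cap are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy for this example: largest single chunk accepted (8 MiB). */
#define MAX_CHUNK_SIZE 0x800000L
#define CHUNK_MALFORMED (-1L)
#define CHUNK_TOO_LARGE (-2L)

/* Parse one chunk-size line with the trailing CRLF already removed,
 * e.g. "1a" or "1a;name=value". Grammar (RFC 7230, section 4.1):
 * chunk-size = 1*HEXDIG, optionally followed by ";" chunk extensions.
 * Returns the size (>= 0) or a negative CHUNK_* code. The cap is checked
 * before each multiply, so the value can never wrap or become negative. */
static long parse_chunk_size(const char *line, size_t len)
{
    long value = 0;
    size_t i;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        long digit;
        if (c >= '0' && c <= '9')      digit = c - '0';
        else if (c >= 'a' && c <= 'f') digit = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') digit = c - 'A' + 10;
        else break;                 /* first non-hex byte ends the number */
        if (value > (MAX_CHUNK_SIZE - digit) / 16)
            return CHUNK_TOO_LARGE; /* reject instead of overflowing */
        value = value * 16 + digit;
    }
    if (i == 0)
        return CHUNK_MALFORMED;     /* no digits: "", "-1", "+5", " 10" */
    if (i < len && line[i] != ';')
        return CHUNK_MALFORMED;     /* only a chunk extension may follow */
    return value;
}

int main(void)
{
    /* Constructed sample chunk-size lines, not taken from real traffic. */
    const char *samples[] = { "1a", "1A;name=value", "0", "800000",
                              "800001", "ffffffffffffffff", "-1", "0x10", "" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-18s -> %ld\n", samples[k][0] ? samples[k] : "(empty)",
               parse_chunk_size(samples[k], strlen(samples[k])));
    return 0;
}
```

A request whose chunk-size line returns a negative code should be rejected with an error response and logged, not passed on to the body-reading code.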

VENDOR RESPONSE

The vendor, Apache, has released a detailed advisory about this vulnerability and recommends that affected users either apply a patch supplied by an OEM or upgrade immediately to a newer version of Apache software available from Apache's Web site.

CREDIT

Discovered by Mark Litchfield of Next Generation Security Software.