
Apache problem, with a patchy solution...
Published: 18 June 2002 11:25 GMT
US Internet security institute Cert has warned of a serious flaw in the open source Apache web server software which is used to run more than half the world's websites.
According to Cert, there is a vulnerability in the processing of large chunks of data in Apache versions 1.3 to 1.3.24 and 2.0 to 2.0.36. Depending on the version of Apache, the security hole can either allow a hacker to run arbitrary code or cause a denial of service (DoS) attack.
However, Cert warns that patches for the hole will depend on which vendor you bought your Apache web server software from. Some vendors have not yet patched the hole.
Cert has not made it clear at this time exactly who needs to be worried about the problem, although IBM has admitted its version of the software is affected.
In an advisory on its site Cert said: "Several sources have reported that this vulnerability can be used by intruders to execute arbitrary code on Windows platforms. Additionally, the Apache Software Foundation has reported that a similar attack may allow the execution of arbitrary code on 64-bit UNIX systems."
It said the advisory will be updated as soon as vendor-specific information becomes available: "Because the publication of this advisory was unexpectedly accelerated, statements from all of the affected vendors were not available at publication time."
Apache runs around two thirds of the world's websites, and is available to download free under an Open Source software licence. However, many commercial vendors bundle it in with other products - such as application servers - because of its popularity.
Microsoft's IIS web server, in which vulnerabilities were famously exploited last year by the Code Red and Nimda viruses, runs just 25 per cent of websites.
More help can be found here:
http://www.cert.org/advisories/CA-2002-17.html
Copyright © 2008 CBS Interactive Limited. All rights reserved.