PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




PostPosted: Fri Jul 08, 2005 4:47 am 
DevNet Master
Joined: Thu Aug 15, 2002 5:53 am
Posts: 4235
Location: Sussex, UK
Slashdot wrote:
"Whitedust is reporting on a HTTP request smuggling vulnerability in Apache. The flaw apparently allows attackers to piggy back valid HTTP requests over the 'Content-Length:' header, which can result in cache poisoning, cross-site scripting, session hijacking and other various kinds of attack. This flaw affects most of the 2.0.x branch of Apache's HTTPD server."

Source: http://it.slashdot.org/article.pl?sid=05/07/08/0453212

For details: http://www.whitedust.net/speaks/825/Apa ... erability/

Apache 1.3.x is apparently safe
Apache 2.16 has the fix


PostPosted: Fri Jul 08, 2005 8:34 am 
Jedi Mod
Joined: Tue Dec 21, 2004 6:03 pm
Posts: 5263
Location: usrlab.com
The title should really say "Apache 2.0.x vulnerability allows session hijacking etc in *really* limited circumstances, and it's actually a problem with HTTP 1.1 so all web servers suffer it."

But that probably wouldn't fit.

Also note: 2.16 is ALPHA code. The stable branch of Apache 2.0 has NOT been patched (or rather, a patch hasn't been officially released; apparently there's one in the subversion tree).

