Apache 2.0.x vulnerability allows session hijacking etc.



patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Slashdot wrote: "Whitedust is reporting on a HTTP request smuggling vulnerability in Apache. The flaw apparently allows attackers to piggy back valid HTTP requests over the 'Content-Length:' header, which can result in cache poisoning, cross-site scripting, session hijacking and other various kinds of attack. This flaw affects most of the 2.0.x branch of Apache's HTTPD server."
Source: http://it.slashdot.org/article.pl?sid=05/07/08/0453212

For details: http://www.whitedust.net/speaks/825/Apa ... erability/

Apache 1.3.x is apparently safe
Apache 2.16 has the fix
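The smuggling described in the quoted Slashdot blurb works because two parsers in the request path (a cache or proxy in front, the origin server behind) disagree about where one request's body ends and the next request begins, typically via conflicting `Content-Length` headers or a `Content-Length` that contradicts `Transfer-Encoding`. As an added illustration (not code from the thread, Whitedust or the Apache project), the following strict framing check takes the conservative position a front-end or server should take: any request whose body length is ambiguous is rejected rather than guessed at. The sample requests in the test are constructed for this example; the `example.test` host is a placeholder.

```python
"""Strict HTTP/1.1 request framing check (defensive example, added here).

Rejects requests whose body boundary is ambiguous: duplicate or
conflicting Content-Length values, Content-Length together with
Transfer-Encoding, obfuscated Transfer-Encoding, and bytes left over
after the declared body (which is exactly what a downstream parser would
otherwise read as a second, "smuggled" request).
"""
import re

CRLF = b"\r\n"
_DIGITS = re.compile(r"^[0-9]+$")


def parse_request(raw: bytes):
    """Split a raw request into (request_line, [(name, value)], body).

    Header names are lower-cased; a space between the field name and the
    colon is rejected, as RFC 7230 section 3.2.4 requires.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.rstrip():
            raise ValueError("malformed header line")
        headers.append((name.decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return request_line, headers, body


def check_framing(raw: bytes) -> str:
    """Return 'ok' for an unambiguously framed request, else 'reject: <reason>'."""
    try:
        _, headers, body = parse_request(raw)
    except ValueError as exc:
        return f"reject: {exc}"

    cl = [v for n, v in headers if n == "content-length"]
    te = [v.lower() for n, v in headers if n == "transfer-encoding"]

    # Two different framing mechanisms on one message: never try to pick one.
    if cl and te:
        return "reject: Content-Length and Transfer-Encoding both present"

    if te:
        # Accept only a single, plain 'chunked'; anything else (extra codings,
        # odd casing handled above, unknown tokens) is treated as obfuscation.
        if te != ["chunked"]:
            return "reject: unsupported or obfuscated Transfer-Encoding"
        return "ok"  # chunked bodies are self-delimiting; decode separately

    if not cl:
        # No framing header at all: HTTP/1.1 defines the body as empty.
        return "ok" if not body else "reject: body without Content-Length"

    # Content-Length may be repeated (or comma-joined by a proxy) only if
    # every copy carries the identical value.
    values = {v.strip() for field in cl for v in field.split(",")}
    if len(values) != 1:
        return "reject: conflicting Content-Length values"
    value = values.pop()
    if not _DIGITS.match(value):
        return "reject: non-numeric Content-Length"

    declared = int(value)
    if len(body) < declared:
        return "reject: body shorter than Content-Length"
    if len(body) > declared:
        return "reject: bytes after declared body (pipelined or smuggled request)"
    return "ok"
```

A real server has to support pipelining, so "bytes after the declared body" is not always hostile; the point of the check is that the leftover bytes are handed to the next request parser only when every hop in the chain computes the same boundary, which the conflicting-header rejections above are there to guarantee.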
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

The title should really say "Apache 2.0.x vulnerability allows session hijacking etc in *really* limited circumstances, and it's actually a problem with HTTP 1.1 so all web servers suffer it."

But that probably wouldn't fit.

Also note: 2.16 is ALPHA code. The stable branch of Apache 2.0 has NOT been patched (or rather, a patch hasn't been officially released; apparently there's one in the subversion tree).