Flaw found in Apache Web Server


A new flaw has been discovered in Apache Web Server that could allow cyber criminals to take control of system privileges, according to a security research firm.

Sense of Security (SoS) released an advisory claiming the core mod_isapi module in the most popular open source HTTP server could be targeted to induce the vulnerability.

The report said: "By sending a specially crafted request followed by a reset packet it is possible to trigger a vulnerability in Apache mod_isapi that will unload the target ISAPI module from memory."

It continued to claim that although this would be unloaded, function pointers would still remain, allowing attackers to take control - what SoS calls "a dangling pointer vulnerability."

The vulnerability was given a high severity rating by the researchers who said it definitely affected version 2.2.14 on the Windows platform but could also affect others.

The simple solution and advice for users is to upgrade to version 2.2.15. Users can also download the proof of concept from SoS from here.

IT PRO contacted Apache for comment on the new flaw but it had not responded to our request at the time of publication.

Jennifer Scott

Jennifer Scott is a former freelance journalist and currently political reporter for Sky News. She has a varied writing history, having started her career at Dennis Publishing, working in various roles across its business technology titles, including ITPro. Jennifer has specialised in a number of areas over the years and has produced a wealth of content for ITPro, focusing largely on data storage, networking, cloud computing, and telecommunications.

Most recently Jennifer has turned her skills to the political sphere and broadcast journalism, where she has worked for the BBC as a political reporter, before moving to Sky News.