A significant vulnerability has been discovered in the Windows version of the Apache webserver.
This vulnerability has the potential to allow an attacker to inflict serious damage on a server and to reveal sensitive data. It affects default installations of the Apache web server on Windows.

Unix and other variant platforms appear unaffected. Cygwin users are likely to be affected.

Solution:

A simple one-line workaround in the httpd.conf file will close the vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add the following directive to the global server configuration:

RedirectMatch 400 "\\\.\."
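To check what the workaround actually blocks, the following added example (not part of the advisory) evaluates the directive's regular expression the way mod_alias does, against the percent-decoded URL-path of a request, over a few constructed sample paths. It also shows why the escaping matters: a bare ".." pattern would answer 400 to almost every request.

```python
import re
from urllib.parse import unquote

# The workaround directive as written in httpd.conf:
#   RedirectMatch 400 "\\\.\."
# Apache passes the quoted value through unchanged, so the regex engine sees
# \\\.\.  : one literal backslash followed by two literal dots.
WORKAROUND_PATTERN = r"\\\.\."

# What a rendering that lost its backslashes ("RedirectMatch 400 ..") means to
# the regex engine: any two characters, i.e. nearly every request path.
GARBLED_PATTERN = r".."


def request_gets_400(raw_url_path: str, pattern: str = WORKAROUND_PATTERN) -> bool:
    """Return True if RedirectMatch 400 would fire for this request.

    mod_alias tests the regex against the request's URL-path after httpd has
    percent-decoded it, so %5c (an encoded backslash) is decoded first.
    """
    url_path = unquote(raw_url_path)
    return re.search(pattern, url_path) is not None


def classify(paths, pattern: str = WORKAROUND_PATTERN) -> dict:
    """Map each path to the status the directive would produce (400 or pass-through)."""
    return {p: (400 if request_gets_400(p, pattern) else "pass") for p in paths}


# Constructed sample request paths (not taken from the advisory).
SAMPLE_PATHS = [
    "/index.html",              # ordinary request: untouched
    "/docs/../index.html",      # forward-slash dot-dot: not this directive's job
    "/images/..\\..\\boot.ini", # backslash dot-dot: the pattern the directive targets
    "/a%5c..%5cb",              # same thing percent-encoded: decoded before matching
]

if __name__ == "__main__":
    for path, result in classify(SAMPLE_PATHS).items():
        print(f"{result!s:>4}  {path}")
    print("garbled '..' pattern blocks everything:",
          all(v == 400 for v in classify(SAMPLE_PATHS, GARBLED_PATTERN).values()))
```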

Fixes for this vulnerability are also included in Apache HTTP Server version 2.0.40. The 2.0.40 release also contains fixes for two minor path-revealing exposures. This release of Apache is available at http://www.apache.org/dist/httpd/