Possible security exposure for configurations using mod_proxy in IBM HTTP Server V1.3.26 and V1.3.28
 Flash (Alert)
 
Abstract
PQ89899 resolves a security exposure for configurations using mod_proxy in IBM® HTTP Server V1.3.26 and V1.3.28, as described in CAN-2004-0492.
 
Content
A security issue has been reported in mod_proxy that impacts IBM HTTP Server V1.3.26 and V1.3.28 when mod_proxy is enabled and configured.

IBM HTTP Server V2.0 and IBM HTTP Server V1.3.19.* are NOT affected.

The mod_proxy module is not enabled by default at IBM HTTP Server install time. To determine whether you are using mod_proxy, review your httpd.conf file for the directives that load and configure it.

The security issue is a buffer overflow which can be triggered by getting mod_proxy to connect to a remote server which returns an invalid (negative) Content-Length. This results in a memcpy to the heap with a large length value, which will in most cases cause the IBM HTTP Server child to crash. This does not represent a significant Denial of Service attack as requests will continue to be handled by other IBM HTTP Server child processes.

Configurations that load mod_proxy to proxy HTTP requests to arbitrary Web sites are most at risk. This attack relies on an origin server crafting a reply designed specifically to attack the proxy server. Under some circumstances it may be possible to exploit this issue to cause arbitrary code execution. Those who use mod_proxy in a 'reverse proxy' configuration control the origin servers to which mod_proxy is allowed to connect, so the risk of exposure in that configuration is significantly reduced.
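The following script is an added illustration of the httpd.conf review recommended above and of the forward-proxy versus reverse-proxy distinction; it is not IBM's code. It assumes the Apache 1.3-style directive names (LoadModule proxy_module, AddModule mod_proxy.c, ProxyRequests, ProxyPass) and a constructed sample configuration.

```python
from typing import Dict

# Constructed sample httpd.conf fragment (not taken from the advisory).
# The module file name is an assumption about a Windows IHS 1.3.x install.
SAMPLE_HTTPD_CONF = """\
# LoadModule proxy_module modules/ApacheModuleProxy.dll   (commented out)
LoadModule proxy_module modules/ApacheModuleProxy.dll
AddModule mod_proxy.c
ProxyRequests On
<Directory proxy:*>
    Order deny,allow
    Deny from all
</Directory>
"""


def assess_mod_proxy(conf_text: str) -> Dict[str, object]:
    """Classify a httpd.conf against the mod_proxy exposure described above.

    not_exposed : mod_proxy is not loaded, so this issue does not apply
    high        : ProxyRequests On (forward proxy to arbitrary origin servers)
    reduced     : only ProxyPass-style reverse proxying (admin picks origins)
    unconfigured: module loaded but no Proxy* directives found
    """
    loaded = forward = reverse = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        args = [t.lower() for t in tokens[1:]]
        if directive == "loadmodule" and args and args[0] == "proxy_module":
            loaded = True
        elif directive == "addmodule" and "mod_proxy.c" in args:
            loaded = True
        elif directive == "proxyrequests" and args and args[0] == "on":
            forward = True
        elif directive in ("proxypass", "proxypassreverse"):
            reverse = True
    if not loaded:
        risk = "not_exposed"
    elif forward:
        risk = "high"
    elif reverse:
        risk = "reduced"
    else:
        risk = "unconfigured"
    return {"loaded": loaded, "forward_proxy": forward,
            "reverse_proxy": reverse, "risk": risk}
```

Run it over a copy of the real httpd.conf by passing the file contents to assess_mod_proxy; a "high" result means the interim fix for PQ89899 should be applied before the server proxies to untrusted origin servers.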
 
Related information
Interim Fix for PQ89899
Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Modules
Operating system(s): Windows
Software version: 1.3.28
Reference #: 1173021
IBM Group: Software Group
Modified date: Jun 28, 2004