How to save your server from Apache 2.4.7 Vulnerability (mod_status)
Posted by zuhaircmr
If your server is running Apache 2.4.7, the chance of being hacked is high. Two solutions to this issue are listed below.
Description:
An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a publicly accessible server status page.
Proof:
- Running HTTP service
- Product HTTPD exists -- Apache HTTPD 2.4.7
- Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.7
Vulnerability ID : apache-httpd-cve-2014-0226
Solution:
- Apache HTTPD >= 2.2 and < 2.2.29: Upgrade to Apache HTTPD version 2.2.29. Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.29.tar.gz
- Apache HTTPD >= 2.4 and < 2.4.10: Upgrade to Apache HTTPD version 2.4.10. Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.10.tar.gz
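
To check a host against the two ranges in the Solution list, the following added example (not part of the original post) parses an Apache version banner and returns the release to upgrade to. The function names and sample banners are constructed for illustration, and it assumes the banner reports the upstream version number.

```python
import re

# Affected ranges and fixed releases exactly as listed in the Solution section.
# Each entry: (inclusive lower bound, exclusive upper bound = fixed release).
AFFECTED_RANGES = [
    ((2, 2, 0), (2, 2, 29)),
    ((2, 4, 0), (2, 4, 10)),
]

# Matches banners such as "Server version: Apache/2.4.7 (Ubuntu)"
# or a "Server: Apache/2.2.22" response header.
_BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner):
    """Return (major, minor, patch) from a banner string, or None if absent."""
    m = _BANNER_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None


def required_upgrade(banner):
    """Return the fixed release string if the banner falls in a listed range.

    Returns None when the version is outside both ranges, and raises
    ValueError when no full version can be parsed from the banner.
    """
    version = parse_httpd_version(banner)
    if version is None:
        raise ValueError("no Apache version in banner: %r" % banner)
    for low, fixed in AFFECTED_RANGES:
        if low <= version < fixed:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample banners, not output captured from a real host.
    samples = [
        "Server version: Apache/2.4.7 (Ubuntu)",
        "Server: Apache/2.2.22 (Debian)",
        "Server version: Apache/2.4.10 (Unix)",
    ]
    for s in samples:
        fix = required_upgrade(s)
        print(s, "->", "upgrade to " + fix if fix else "not in listed ranges")
```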