Third-party developers have written modules that extend Apache with capabilities that are not part of the basic web server package. One such module is mod_ssl, which provides strong cryptography for the Apache web server using OpenSSL. Apache-SSL also uses OpenSSL to provide secure web services. mod_ntlm adds the capability to use Windows network authentication (NTLM) to control access to selected web pages.
Despite the difficulty in exploitation, it would be advisable to remedy this problem, since other, more feasible, exploitation methods could be discovered at any time. Versions of mod_ssl prior to 2.8.7 and Apache-SSL prior to 1.47 are affected by this vulnerability.
7/9/02
CVE 2002-0653
A second vulnerability in mod_ssl prior to 2.8.10 is a one-byte buffer overflow in the processing of configuration directives. Exploitation of this vulnerability would require the attacker to create a long, specially-crafted directive in the Apache configuration. Since Apache allows per-directory configuration files (usually called .htaccess), a local user could exploit this vulnerability using an .htaccess file under his or her own directory. The result would be a denial of service or the ability to execute arbitrary commands with the privileges of the web server.
4/30/03
mod_ntlm 0.4 and earlier for Apache 1.3 and mod_ntlm 0.1 and earlier for Apache 2.0 are affected by two vulnerabilities in the logging function. The first is a buffer overflow condition. A remote attacker could run commands on the server by sending a specially crafted input string longer than 2048 bytes. The second vulnerability is a format string problem. A missing format string in the ap_log_rerror function could allow a remote attacker to specify his or her own format string, which could lead to arbitrary command execution.
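The two logging defects described above share one hardened pattern, shown here as an added example that is not mod_ntlm's or Apache's own code. The names log_sink (a stand-in for a printf-style logger such as ap_log_rerror), safe_log and LOG_BUF_SIZE are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 2048  /* assumed size, matching the 2048-byte figure above */

static char last_line[LOG_BUF_SIZE];  /* what the stand-in sink last received */

/* Hypothetical stand-in for a printf-style server logger such as
 * ap_log_rerror: it interprets fmt, so fmt must never be request data. */
static void log_sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
}

/* Hardened module-side helper (hypothetical name).
 * 1. vsnprintf never writes more than sizeof buf bytes, so an oversized
 *    value is truncated instead of overflowing the stack buffer
 *    (the unsafe equivalent is vsprintf into the same buffer).
 * 2. The finished text is passed as an argument to a constant "%s",
 *    never as the format itself (the unsafe equivalent is log_sink(buf)).
 * Returns the number of bytes handed to the logger. */
static size_t safe_log(const char *fmt, ...)
{
    char buf[LOG_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    log_sink("%s", buf);
    return strlen(last_line);
}

int main(void)
{
    /* Constructed sample input: request data containing conversion specifiers. */
    safe_log("NTLM auth failed for user %s", "alice%x%x%n");
    printf("%s\n", last_line);  /* specifiers appear literally in the log */
    return 0;
}
```
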
To resolve the vulnerabilities in mod_ntlm, upgrade to version 0.5 or higher for Apache 1.3 or version 0.2 or higher for Apache 2.0. These versions will presumably contain a fix. If these versions are not yet available, it would be advisable to disable mod_ntlm in the Apache configuration file, and use Basic HTTP authentication instead of NTLM.
The vulnerabilities in mod_ntlm were posted to Bugtraq.