» Topic:  Apache shot with security holes

» Added by:  Matthew Broersma

» Date:  10.1.2006

  Companies running Apache and a PostgreSQL database are at risk from serious Internet intrusion.

Red Hat warned of a flaw late last week in mod_auth_pgsql, an Apache module that allows authentication against information in popular open-source database PostgreSQL.

iDefense discovered several format string flaws in the way mod_auth_pgsql logs information, which could allow unauthenticated attackers to execute malicious code with the privileges of the "apache" user, according to Red Hat.

Red Hat issued patches for the versions of the module used in Red Hat Enterprise Linux versions 3 and 4, saying it doesn't affect earlier versions. As of Monday Ubuntu, Mandriva and other vendors have also issued patches.

Red Hat and other Linux vendors gave the flaw a "critical" rating, as did advisory database maintainer FrSIRT. Secunia, which publishes a separate vulnerabilities database, gave it a "highly critical" rating.

Apache is the most widely used server software on the Internet. It is open-source and is usually run on Linux, but also runs on other operating systems such as Windows.