More critical fixes for software formerly known as a patchy server
The Apache HTTP Server project has had to release a further fix for a critical bug that originally affected only version 2.4.49 and was patched last Thursday.
The directory path traversal flaw was fixed in a new point release, 2.4.50, only for that fix to prove incomplete, so another patch has been shipped in a further release, 2.4.51.
In a new advisory, the project noted: “The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was found to be insufficient. An attacker could use a path traversal attack to map URLs to files outside of directories configured by directives of type Alias.
“If files outside of these directories are not protected by the usual ‘require all denied’ default configuration, these requests may be successful.
“If CGI scripts are also enabled for these alias paths, it could allow remote code execution.
“This problem only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.”
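The advisory describes the bug class, not the code: a URL under an Alias-style mapping is turned into a filesystem path, and if the containment check runs on the wrong representation of that path, encoded dot-segments can land the request outside the aliased directory. The following Python is an added illustration of that class, written for this article and not taken from httpd's source; the alias mapping, the request paths and the function names are constructed, and the weak `naive_map` is a generic "check the raw URL, then decode" pattern, not a description of what httpd 2.4.50 actually did.

```python
"""Alias-style URL-to-filesystem mapping: a weak containment check beside a
hardened one. Added example code, not Apache httpd's own implementation.
The alias below mirrors a typical `Alias /cgi-bin/ /usr/local/apache2/cgi-bin/`
line but is a constructed example."""

import posixpath
from urllib.parse import unquote

# Constructed alias mapping (assumption for the example).
ALIAS_PREFIX = "/cgi-bin/"
ALIAS_TARGET = "/usr/local/apache2/cgi-bin/"
_ROOT = ALIAS_TARGET.rstrip("/")


def is_inside_target(fs_path):
    """True if the normalised filesystem path stays inside the alias target."""
    norm = posixpath.normpath(fs_path)
    return norm == _ROOT or norm.startswith(_ROOT + "/")


def naive_map(url_path):
    """Weak pattern: look for '..' in the raw request path, and only then
    percent-decode and join. Anything that hides '..' from the raw check but
    decodes to it afterwards is joined onto the target unnormalised."""
    if ".." in url_path:
        return None
    if not url_path.startswith(ALIAS_PREFIX):
        return None
    rest = unquote(url_path[len(ALIAS_PREFIX):])
    return ALIAS_TARGET + rest  # no normalisation, no containment check


def safe_map(url_path, max_decode_rounds=3):
    """Hardened pattern: decode until the path stops changing (so nested
    percent-encoding cannot survive), normalise the result, and only then
    decide whether the final filesystem path is still inside the target."""
    decoded = url_path
    for _ in range(max_decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None  # still changing after the allowed rounds: reject
    if "\x00" in decoded or not decoded.startswith(ALIAS_PREFIX):
        return None
    rest = decoded[len(ALIAS_PREFIX):]
    candidate = posixpath.normpath(posixpath.join(ALIAS_TARGET, rest))
    return candidate if is_inside_target(candidate) else None


if __name__ == "__main__":
    # Constructed request paths: one benign, the rest traversal attempts.
    for url in ("/cgi-bin/test.sh",
                "/cgi-bin/../etc/passwd",
                "/cgi-bin/%2e%2e/%2e%2e/etc/passwd",
                "/cgi-bin/%252e%252e/%252e%252e/etc/passwd"):
        print(f"{url:45} naive={naive_map(url)!s:55} safe={safe_map(url)}")
```

The point of the pair is where the check sits: `naive_map` inspects the request before decoding, so a single layer of percent-encoding slips past it and the decoded `..` segments are appended to the target path unchecked; `safe_map` decodes to a fixed point, normalises, and only then asks whether the resolved path is still under the alias target, which is the only representation a filesystem will actually open. A real server also has to handle symlinks and the `Require` directives the advisory mentions, which this example does not model.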
Sophos researcher Paul Ducklin summarised it this way: “If the first patch comes in too quickly, it may not have been reviewed or tested as much as you would like.”
“So it’s not so much that the next patch in the queue catches up because the first one is too slow, but that the next one has to be finished in a rush to keep pace…
“… and, if you’re not careful, then this second patch could itself spawn a third patch, needed to patch the patch that patched the first patch.”
Juan Escobar of Dreamlab Technologies, Fernando Muñoz of the NULL Life CTF team, and independent researchers Shungo Kumasaka and Nattapon Jongcharoen have been credited with finding the bug in 2.4.50.
Apache once held around 80% of the web server software market, but in February of this year an investigation by Netcraft found that its share had fallen to 26.3% of sites, 26.4% of domains and 32.7% of web-facing computers.
nginx leads the web server software market with 34.5% of sites, 30.4% of domains and 35.0% of web-facing computers. But when it comes to the top million sites, Apache has 25.5% of active sites, compared to 19.8% for nginx.