Apache is by far today's most widely used web server, and therefore the one that attracts the most attention from hackers.
A bug in the way that Apache handles some types of HTTP "range" header requests can enable a remote attacker to cause a denial-of-service condition on a vulnerable server. The flaw, which affects all versions of Apache 1.3 and Apache 2, reportedly already is being exploited in the wild and Apache Software Foundation officials are working on a fix for the bug, which is expected to be released within a few days.
The vulnerability in Apache actually has been a known issue for more than four years, since researcher Michal Zalewski pointed it out in a Bugtraq post. In his post, Zalewski said that the attack was fairly simplistic and not especially innovative.
"Combined with the functionality of window scaling (as per RFC 1323), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?" he wrote.
But the bug apparently never was fixed by Apache and resurfaced late last week when another researcher, known as Kingcope, posted a message to Full Disclosure about it. He also released a Perl script that executed the attack, exhausting the memory of the remote Apache server. That message sparked a long discussion on the mailing list about the severity and nature of the vulnerability, and a separate discussion on the Apache list about ways to mitigate the problem.
"At least apache 2.2.17 has a remotely exploitable dos vulnerability which allows to consume all memory on a target system. A request for triggering the memory consumption includes a large "Range" header which requests as many different bytes as possible from a file served by httpd. Combining this with a gzip "Accept-Encoding" header the httpd is assumed to compress each of the bytes requested in the Range header separately consuming large memory regions. The behaviour when compressing the streams is devastating and can end up in rendering the underlying operating system unusable when the requests are sent in parallel. Symptoms are swapping to disk and killing of processes including but not solely httpd processes," Kingcope wrote in an Apache Bugzilla bug report.
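The request shape described in the bug report (a Range header listing a very large number of byte ranges, sent together with a gzip Accept-Encoding header) can be spotted on the defender's side by parsing the header and counting its ranges. The following is an added example, not code from the original article or from the Apache project; the `MAX_RANGES` threshold, the function names and the sample requests are assumptions made for illustration.

```python
import re

MAX_RANGES = 5  # assumed threshold; tune to what your legitimate clients send
_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(value):
    """Parse a Range header value into (first, last) pairs; None if malformed."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            return None
        first, last = (int(g) if g else None for g in m.groups())
        if first is not None and last is not None and last < first:
            return None
        ranges.append((first, last))
    return ranges

def count_overlaps(ranges):
    """Count ranges that start inside an earlier one (suffix ranges are skipped)."""
    spans = sorted((f, float("inf") if l is None else l)
                   for f, l in ranges if f is not None)
    overlaps, reach = 0, -1
    for first, last in spans:
        if first <= reach:
            overlaps += 1
        reach = max(reach, last)
    return overlaps

def inspect_request(headers):
    """Summarise the Range / Accept-Encoding combination the report describes."""
    h = {k.lower(): v for k, v in headers.items()}
    gzip = "gzip" in h.get("accept-encoding", "").lower()
    ranges = parse_ranges(h["range"]) if "range" in h else []
    if ranges is None:  # malformed Range header: flag it for review
        return {"ranges": 0, "overlaps": 0, "gzip": gzip, "flag": True}
    return {"ranges": len(ranges), "overlaps": count_overlaps(ranges),
            "gzip": gzip, "flag": len(ranges) > MAX_RANGES}

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "resume download": {"Range": "bytes=1048576-"},
    "pdf viewer": {"Range": "bytes=0-1023,4096-8191", "Accept-Encoding": "gzip"},
    "many single bytes": {"Range": "bytes=" + ",".join(f"{i}-{i}" for i in range(300)),
                          "Accept-Encoding": "gzip"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, inspect_request(hdrs))
```

Ordinary clients such as download managers and document viewers send one or a handful of ranges, so only the last constructed sample is flagged.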
Apache now is developing a patch for the bug, but it apparently won't be ready for a few more days. Apache is by far the most widely deployed Web server, with hundreds of millions of installations around the world. Apache servers accounted for more than 65 percent of all Web servers in July, according to statistics gathered by Netcraft.
I will be waiting for the Apache Foundation to release the bug fix for this vulnerability, as it has been taking them so long to make a resolution to this major issue. You can visit this site as well. Found a bug in the Apache server? File a bug report.