Security Company-PivX, Adds Another World Class Security Researcher who has found a Major Vulnerability in Apache Server Software

Newport Beach, CA, August 13, 2002 : PivX Solutions, a leader in Network Security is pleased to announce the hiring of one of the worlds pre-eminent security researchers, Luigi Auriemma of Milano, Italy. Luigi has been personally responsible for the discovery of hundreds of software bugs and security vulnerabilities in operating systems and software the world over. As a part of Luigi’s agreement with PivX Solutions he will continue to research security vulnerabilities and he will release those finding’s through PivX and their exclusive security and media network. Luigi can be reached at aluigi@pivx.com.

Today Luigi and PivX have released their discovery of a new vulnerability in Apache 2.0 Server Software. This vulnerability has been classified as an extremely high risk. The vulnerability Luigi has found is a large hole in Windows 32bit Apache Server Software.

Red Hat Director of Engineering and Editor of ApacheWeek Mark J. Cox warned of an Apache 2.0 vulnerability which could allow an attacker to “inflict serious damage to a server, and reveal sensitive data.”

The flaw, discovered by Pivx bug-hunter Auriemma Luigi, affects default installations of the Apache Web server in non-Unix platforms like Windows OS2 and Netware. The flaw does not appear to affect UNIX and other variant platforms, Cox said, though he noted that Cygwin users are likely to be affected. Luigi notified the Apache Software Foundation of the vulnerability last Wednesday. PivX applauds the speedy response time of the Apache foundation regarding this vulnerability, a fixed version was produced within 24hours of finding the bug.

PivX has provided a simple fix to the insidious hole. Prior to the first ‘Alias’ or ‘Redirect’ directive, simply add the following directive to the global server configuration:

* RedirectMatch 400 “\\\.\.”

The fixes for the vulnerability are included in Apache version 2.0.40, in addition to fixes for a number of less serious security flaws.

Both the Apache Software Foundation and Luigi plan to release more information in the coming weeks. For more information on the workaround and the vulnerability please visit http://www.pivx.com.

About PivX Solutions
PivX Solutions, is a premier network security consultancy offering a myriad of network security services to our clients, the most notable being our proprietary Risk and Vulnerability Assessment (RAVA). Dedicated PivX founders have also developed the patented Invisiwallâ„? network security device which offers the most comprehensive and secure intrusion detection system available.




Share this