Vulnerabilities

Apache Web Server Bug threatens security of shared hosting environments

0

Apache Software Foundation has patched a severe vulnerability in the Apache (httpd) web server project that might permit a rogue server script to execute code with root access and gain control of the underlying server.

The vulnerability which has been dubbed as CVE-2019-0211, affects only the Apache web server for Unix systems from versions 2.4.17 to 2.4.38. This was fixed with the version 2.4.39. that was released this week.

Apache team claims that less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process.

On most Unix systems Apache httpd runs under the root user, so an attacker who has inserted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and intuitively control the entire machine.

Big issue for shared-hosting firms

The vulnerability might not be an immediate and noticeable threat to developers and companies that have their own server infrastructure. But in the case of a shared web hosting environment, this becomes a critical vulnerability.

This vulnerability was discovered by the security researcher, Charles Fol and he said that this vulnerability is local which indicates that you should have some kind of access to the server.  For this an attacker need to either have to register accounts with shared hosting providers or compromise existing accounts.

Once this is done, the attacker has to just upload a malicious CGI script through their compromised server’s control panel by which they can take control of the hosting provider’s server to plant malware or steal data. The web hoster has complete access to the server through the ‘root’ account and is possible to read/write/delete any file/database of the other clients.

According to Fol the vulnerability can automatically augment any other server security issue, even for Apache web servers not part of shared-hosting environments.

So, it is necessary to patch this flaw for shared hosting provider, and also for companies running Apache on private, non-shared servers.

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    Google’s April 2019 Android Security updates

    Previous article

    Facebook asks some Users for their Email Passwords

    Next article

    You may also like

    Comments

    Leave a reply

    Your email address will not be published. Required fields are marked *