Apache HTTP server beck exploit (HTTP_URL_Many_Slashes)

About this signature or vulnerability

Proventia Network IDS, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Network Protection, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects an HTTP request containing greater than 200 slashes "/", which could indicate an attacker's attempt to increase the load on an Apache httpd server.


False positives

Proventia Network IDS, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Network Protection, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: Legitimate URLs with more than 200 slashes will cause a false positive.

Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

Proventia Network IDS: A Series, Proventia Network IPS: 2.0, Proventia-G 1.1 and earlier: G Series, Proventia Network MFS: 1.0, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Host Protection for Servers (Windows): 1.0.914.0, RealSecure Server Sensor: 7.0, IBM Security Network Protection: 5.1, IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Host Protection for Desktops: 8.0.614.1, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for Vmware: 1.0

Systems affected

Apache HTTP Server: 1.0, Apache HTTP Server: 1.2.5, Apache HTTP Server: 0.8.11, Apache HTTP Server: 0.8.14, Apache HTTP Server: 1.0.2, Apache HTTP Server: 1.0.3, Apache HTTP Server: 1.0.5, Apache HTTP Server: 1.1, Apache HTTP Server: 1.1.1

Type

Denial of Service

Vulnerability description

Apache HTTP servers could allow an attacker to increase the load average on the server, possibly causing a denial of service. An attacker could submit an HTTP request containing thousands of slashes ("/") to cause the system running the server to become very slow or inaccessible. This problem has sometimes been referred to as the beck exploit.

How to remove this vulnerability

Upgrade to the latest version of Apache HTTP Server, available from The Apache Software Foundation Web site. See References.

References

National Chi Nan University
Apache Security Advisory, Tuesday, January 6 1998
http://ftp.ncnu.edu.tw/Documentation/documents/cert/cert_bulletins/VB-98.02.apache

BugTraq Mailing List, Tue, 30 Dec 1997 11:07:04 +0100
Apache DoS attack?
http://archives.neohapsis.com/archives/bugtraq/1997_4/0563.html

CERT Vendor-Initiated Bulletin VB-98.02
Apache Security Advisory
http://ftp.cerias.purdue.edu/pub/advisories/cert/cert_bulletins/VB-98.02.apache

The Apache Software Foundation Web site
Welcome! - The Apache HTTP Server Project
http://httpd.apache.org/

ISS X-Force
Apache HTTP server beck exploit
http://www.iss.net/security_center/static/697.php

CVE
CVE-1999-0107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0107