The Apache Group has issued a security alert for all non-Unix Apache HTTP Server platforms running versions 2.0 through 2.0.39. While this initial advisory is vague, it claims that the vulnerability can “allow an attacker to inflict serious damage to a server, and reveal sensitive data.” Fortunately, a workaround is simple.

Add the line:

RedirectMatch 400 "\.."

To the global server config, prior to the Alias or Redirect directives. Version 2.0.40, available at the Apache distribution site, has an integrated patch and fixes two path disclosure security holes as well.

(N-Stalker Security Force)