Study: Admins slow in patching Apache-SSL servers

Many Web servers running Apache-SSL remain vulnerable to attacks, although a June security alert prompted administrators to patch standard Apache Web installations, according to a survey released Tuesday.

About 75% of Web sites hosted on Apache-SSL servers are vulnerable, as the software has not been upgraded to fix a serious flaw uncovered in June, according to a survey by Web server information firm Netcraft, of Bath, England.

Administrators seem to have given priority to patching regular Apache installations, as about half of the 22 million Web sites that rely on Apache are protected through an Apache software upgrade, Netcraft said.

Apache-SSL is a combination of the Apache Web server and OpenSSL security software meant to offer secure Web site connections. Apache-SSL is used for electronic commerce Web sites, for example. Both Apache and OpenSSL are open-source products developed by volunteers.

The Apache Software Foundation, which supports the Apache open-source project, in June advised administrators to upgrade their Apache installations because of a flaw in the way the Web server parses uploaded data, a so-called chunked encoding vulnerability.

The flaw affects all versions of Apache 1.2, versions of Apache 1.3 up to 1.3.24 and versions of Apache 2 up to 2.0.36, according to a statement from the Foundation released on June 20.

Apache is the most used Web server software in the world, with 66% of active sites running Apache, according to Netcraft.

The IDG News Service is a Network World affiliate.

RELATED LINKS