Apache Web Server Chunk Handling Vulnerability

Reported June 17, 2002, by CERT.

Affected versions:

  • Apache 2, all versions up to 2.0.36
  • Apache 1.3, all versions including 1.3.24
  • Apache 1.2, all versions 1.2.2 and later

A flaw in how Apache Web servers handle certain chunk-encoded HTTP requests lets a remote attacker execute arbitrary code on the vulnerable system or cause a denial of service (DoS).


The vendor, Apache, has released a detailed advisory about this vulnerability and recommends that affected users either apply a patch supplied by an OEM or upgrade immediately to a newer version of Apache software available from Apache's Web site.


Discovered by Mark Litchfield of Next Generation Security Software.
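
To find hosts that need the patch or upgrade, the affected-version list above can be applied to collected `Server` header values. The following is an added example, not part of the original advisory or Apache's own tooling. It assumes that "up to 2.0.36" is inclusive and that the 1.2 branch has no upper bound; the function names and the sample inventory are hypothetical.

```python
import re

# Affected ranges transcribed from the list on this page. Treating "up to
# 2.0.36" as inclusive and giving 1.2.x no upper bound are assumptions.
# Keys are (major, minor); values are (lowest, highest) patch level.
AFFECTED = {
    (2, 0): (0, 36),
    (1, 3): (0, 24),
    (1, 2): (2, None),
}

# Matches "Apache", "Apache/2.0" and "Apache/1.3.24 (Unix) ..." style values.
BANNER_RE = re.compile(r"\bApache(?:/(\d+)\.(\d+)(?:\.(\d+))?)?", re.IGNORECASE)


def classify(banner):
    """Classify one Server header value against the page's affected list.

    Returns 'affected', 'not-listed' (an Apache version outside the listed
    ranges) or 'unknown' (no usable version, or not Apache at all).
    """
    m = BANNER_RE.search(banner or "")
    if not m or m.group(1) is None:
        return "unknown"              # version hidden or not an Apache banner
    branch = (int(m.group(1)), int(m.group(2)))
    if branch not in AFFECTED:
        return "not-listed"
    if m.group(3) is None:
        return "unknown"              # e.g. "Apache/2.0": patch level not shown
    low, high = AFFECTED[branch]
    patch = int(m.group(3))
    in_range = patch >= low and (high is None or patch <= high)
    return "affected" if in_range else "not-listed"


def triage(inventory):
    """Map host -> classification for a {host: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and banners are made up.
    sample = {
        "web1.example": "Apache/1.3.24 (Unix) mod_ssl/2.8.8",
        "web2.example": "Apache/2.0.39 (Unix)",
        "web3.example": "Apache",
    }
    for host, verdict in triage(sample).items():
        print(host, verdict)
```

A banner is only a lead: a server carrying an OEM-supplied patch may still report an affected version string, and `unknown` hosts need to be checked directly on the system.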
