Buffer overflow in 'mod_proxy' with Apache 1.3.31: Urchin 5 unaffected

Overview

Urchin 5 ships with an embedded Apache webserver that provides access to the web-based Urchin administration and reporting functions. As reported in the following security advisory:

Apache HTTP Server versions 1.3.31 and earlier contain a vulnerability due to a boundary error within the Apache mod_proxy module. This can be exploited to cause a heap-based buffer overflow by passing a "Content-Length:" header containing a large negative value, potentially causing a Denial of Service condition or system compromise.

Impact on Urchin Customers

After examination the threat, Urchin Software Corporation's position on this issue is that the Apache server shipped with Urchin is not vulnerable to this exploit, and no action is necessary. Additional notes:

  1. Exploitation of the vulnerability requires the Apache server to be configured as a proxy. Urchin does not provide any means for configuring the embedded Apache server to be a proxy.
  2. The Apache server shipped with Urchin is not built with the mod_proxy module