Although this problem doesn't affect UNIX and Linux variants, it applies to more than just Microsoft Windows platforms. You should check it out even if you are running NetWare or OS/2 (both of which are definitely vulnerable) or any other non-UNIX platform. The original Bugtraq announcement states that the flaw affects any system that supports backslash paths. The vulnerable versions of Apache include all 2.0 releases through version 2.00.39. Linux/UNIX administrators are also being urged to update their Apache software, even though this particular threat doesn't appear to apply to their systems.

Risk level -- critical
This vulnerability can expose a server to serious damage. According to an online report from PC World, this is exactly the sort of flaw that made the Code Red and Nimda worms possible.

Fix -- patch and update
There are two fixes. First, you can apply a quick-and-dirty patch, as described in the report published by The Register: add the following line to the httpd.conf file before the first "Alias" or "Redirect" directive:

RedirectMatch 400 "\\\.\."

That quick fix is echoed at the Apache.org site and apparently came from the researcher who discovered and reported the flaw to Apache.org, since it appears in his Bugtraq announcement. Be sure to double-check the directive reproduced here before applying it. The permanent fix is to upgrade your Apache installation to version 2.0.40 or later. See the Apache site for the upgrade links.
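As an added illustration (not from the article or from Apache), the following Python snippet shows what the quick-fix directive is meant to catch: a backslash followed by "..", which should be answered with a 400. It also scans a few constructed access-log lines for such requests, so an administrator can tell whether the rule is firing. It assumes the rule is matched against the percent-decoded path and uses the Common Log Format for the sample lines.

```python
import re
from urllib.parse import unquote

# Reconstruction of the quick fix's pattern: a literal backslash followed by
# two literal dots. (Assumption: httpd.conf quoting reduces the directive's
# string to this regex; the original config-file escaping is not reproduced.)
TRAVERSAL = re.compile(r"\\\.\.")

# Common Log Format request line; status is the third numeric field after it.
LOG_LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def should_reject(request_path: str) -> bool:
    """True when the percent-decoded path holds a backslash-dot-dot sequence,
    i.e. a request the RedirectMatch 400 rule is intended to refuse."""
    return TRAVERSAL.search(unquote(request_path)) is not None


def scan_access_log(lines):
    """Return (path, status) for every log line whose request path matches.
    A hit that was still served with 200 means the rule (or the upgrade)
    is not in place on that server."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and should_reject(m.group("path")):
            hits.append((m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (documentation IP range, fictitious paths).
SAMPLE_LOG = [
    '192.0.2.1 - - [01/Jan/2002:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.2 - - [01/Jan/2002:12:00:01 +0000] "GET /docs/..\\..\\private/conf HTTP/1.0" 200 512',
    '192.0.2.3 - - [01/Jan/2002:12:00:02 +0000] "GET /docs/%5c..%5c..%5cprivate HTTP/1.0" 400 0',
]

if __name__ == "__main__":
    for path, status in scan_access_log(SAMPLE_LOG):
        print(f"backslash traversal attempt: {path} -> {status}")
```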