The recent situation regarding the Apache Chunk Encoding Vulnerability has caused plenty of controversy in the security industry. It initially began with the community dislike of the release of information.

Then it was debated as to weather or not this was really an exploitable vulnerability. And after listening to all the debates about the chunk encoding vulnerability, Gobbles "got fed up."

They released the vulnerability apache_scalp.c because, "We had read too much bullshit from `experts' concerning the bug, and their idiotic statements as to why it isn't exploitable, and how lucky the world is because it wasn't exploitable..." Gobbles Security released this exploit on Wednesday to prove that people, even those in the security world, can overlook the obvious.

According to Gobbles, there are exploits written for the other platforms (linux, solaris, etc) however there is no need to release them now. Now that everyone has a better understanding of the severity of this problem, it is more likely that the appropriate actions will be taken. They have not decided on a date as to when to release the rest of the exploits.

Taking a look at the initial comments in the apache_scalp.c source code, one can infer that with determination, any vulnerability can become an exploit. Just another reminder to security experts not to let your guard down.

EEYE has released a free tool to test your version of apache to see weather or not you need the patch. It is available here.

According to the apache_scalp.c source code, the following, at the very least, are exploitable:

Sun Solaris 6-8 (sparc/x86)

FreeBSD 4.3-4.5 (x86)

OpenBSD 2.6-3.1 (x86)

Linux (GNU) 2.4 (x86)