Apache patch patches poorly
According to a report from security specialist Prutha Parikh, a security vulnerability in the Apache web server that was patched in early October can still be exploited by remote attackers to access internal servers. The vulnerability is in the
mod_rewrite modules and arises when parsing rewrite rules.
Parikh discovered a scenario which is not dealt with by the patch and reported the problem to the Apache Foundation under a new CVE number (CVE-2011-3368). A patch is already being discussed on the Apache mailing list. Parikh describes an effective workaround in a post on the Qualys Security Labs blog.