By Matthew Broersma
Posted on ZDNet News: Mar 20, 2002 5:00:00 PM

Silicon Graphics (SGI) machines running the Apache Web server on SGI's IRIX operating system are vulnerable to attack by hackers, who may be able to gain administrator-level access, the company has warned.

The company makes machines used for everything from scientific research to movie special effects, and many are used by government and defense organizations. The two new flaws, originally announced on Friday, affect IRIX versions 6.5.12, 6.5.13 and 6.5.14 running Apache versions prior to 1.3.22. IRIX is SGI's proprietary version of the Unix operating system, while Apache is a widely used open-source Web server, which is installed and enabled by default on IRIX.

One vulnerability was found in Apache's split-logfile program, a tool used to manage system files called logfiles. SGI said that if the feature is turned on, a specially crafted request could allow writing to any file on the system with a .log extension, which could be used to give an attacker full access to the system. Split-logfile is not turned on by default.

The second bug was found in Apache's Multiviews facility, which is used for customizing the way content is presented to Web browsers. In some configurations, it is possible to enter a specially formed query to return a directory listing, which could allow an attacker to discover the locations of sensitive files on the system.

SGI hasn't released a patch for the flaws, but instead recommends that users upgrade to an operating system newer than 6.5.14, which includes a newer version of Apache in which the problems have been resolved. If the software can't be upgraded immediately, the company recommends disabling Apache.
