Apache mod_rewrite Security Flaw
By Reaper-X on Aug 23, 2006 in Apache, Computer Security, Journal, Network and Security, Web Servers
Yesterday I read about the recent security flaw in the mod_rewrite module of Apache HTTP Server that can make the web server process crash or allow arbitrary code execution by a malicious user. Here’s the announcement from the Apache HTTP Security team:
CVE-2006-3747: An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.
This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:
- The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
- The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).
Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.
In other words, every user should update their Apache installation immediately, especially those already using a blogging platform like WordPress: if you want to use the Permalink feature you have to use mod_rewrite, and the WordPress installation sets that up by default (unless it doesn't have write access to the .htaccess file). And if you’re using your own computer as a server, you should apply this update immediately.
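To see whether a given configuration or .htaccess file contains rules of the kind the advisory describes, the two listed characteristics can be checked mechanically. The script below is an added example, not part of the Apache announcement or the original post. The function name and sample rules are constructed for illustration, and "substitution starts with `$N`" is used as a heuristic for the first characteristic.

```python
import re

# Flags that, per the advisory, take a rule out of scope (short and long forms).
SAFE_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}
# A token is either a double-quoted string or a run of non-whitespace.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')

def audit_rewrite_rules(config_text):
    """Return (line_no, line) for RewriteRule lines matching both advisory conditions."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        tokens = [t.strip('"') for t in TOKEN.findall(line)]
        if len(tokens) < 3 or tokens[0].lower() != "rewriterule":
            continue
        substitution = tokens[2]
        # Flags may be written with spaces, e.g. [R=301, L]; rejoin before parsing.
        flag_text = "".join(tokens[3:])
        flags = set()
        if flag_text.startswith("[") and flag_text.endswith("]"):
            flags = {f.split("=")[0].lower() for f in flag_text[1:-1].split(",")}
        # Condition 1 (heuristic): substitution begins with a backreference such as $1.
        starts_with_backref = re.match(r"\$\d", substitution) is not None
        # Condition 2: none of F, G or NE is set on the rule.
        if starts_with_backref and not (flags & SAFE_FLAGS):
            findings.append((line_no, line))
    return findings

# Constructed sample configuration (not taken from any real server).
SAMPLE = """\
RewriteEngine On
# constructed sample rules
RewriteRule ^/proxy/(.*)$ $1 [L]
RewriteRule ^/go/(.*)$ $1 [NE,L]
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
RewriteRule ^/raw/(.*) $1
RewriteRule ^/blocked/(.*)$ $1 [F]
"""

if __name__ == "__main__":
    for line_no, line in audit_rewrite_rules(SAMPLE):
        print(f"line {line_no}: {line}")
```

A rule reported here only matches the advisory's configuration conditions; whether the build is actually affected still depends on the Apache version and how it was compiled, so upgrading remains the fix.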
And here’s a link if you want to get more information about this issue :











