Hello all,

I've just subbed to the list, but have been an apache user for years. I was asked this question recently, and I just wasn't sure so I wanted to pass it along to the experts.

... begin question ...

I have some questions about the following Apache web server vulnerability for mod_rewrite:

  Exploit code publicly released for Apache mod_rewrite vulnerability

  Update [August 21, 2006] - Exploit code has been publicly released for the Apache vulnerability outlined below.

  July 28, 2006 - An off-by-one overflow vulnerability has been discovered in the way that the Apache webserver handles certain types of Rewrite rules. Depending on the configuration, a remote attacker could exploit this to execute arbitrary code as the web server user.

My question is that the notes on the alert say that only certain configurations are vulnerable, and those configurations are when there is a substitution at the beginning of the replaced URL.

"The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)

The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE)."

So my question is, the note states:

For example, rules with this format expose the vulnerability

    RewriteRule fred/(.*) $1

While rules with this format do not expose the vulnerability:

    RewriteRule fred/(.*) joe/$1

So my question is: Is it the fact that there is not any other explicit path to be re-written that makes the first case vulnerable? For example, would this statement be vulnerable?

    RewriteRule fred/(.*) http://www.joe.com/$1

Again assuming that (F), (G), or (NE) are not options on the rule.

... end question ...

thanks,
jeremy

--
Jeremy Kelley <jeremy@xxxxxxxx>
gpg 1024D/EAB7CA38 6FF4 483B D7EA A09C A3E0 1CE1 F0A4 8C8E EAB7 CA38

The Christian ideal has not been tried and found wanting; it has been found difficult and left untried. - G.K.
Chesterton
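A way to list the rules in a configuration that fit the two conditions quoted from the alert, as an added example that is not part of the original message or of the Apache project's code. It applies only the quoted description (substitution beginning with a `$N` backreference, and none of F, G or NE set), so it is a review aid and not a vulnerability test; the sample configuration, the function names and the assumption of unquoted single-line rules are constructed for illustration.

```python
import re

# Flags that the advisory text quoted above says take a rule out of scope.
EXEMPT_FLAGS = {"F", "FORBIDDEN", "G", "GONE", "NE", "NOESCAPE"}
# Unquoted "RewriteRule pattern substitution [flags]" lines only (assumption).
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

# Constructed sample: the three rules from the message plus flag variants.
SAMPLE = """\
RewriteEngine On
RewriteRule fred/(.*) $1
RewriteRule fred/(.*) joe/$1
RewriteRule fred/(.*) http://www.joe.com/$1
RewriteRule old/(.*) $1 [NE,L]
RewriteRule gone/(.*) $1 [G]
# RewriteRule commented/(.*) $1
RewriteRule img/(.*) $1 [R=301,L]
"""

def rule_flags(raw):
    """Return upper-cased flag names from a 'R=301,L' style list."""
    return {f.split("=", 1)[0].strip().upper()
            for f in (raw or "").split(",") if f.strip()}

def matches_advisory(line):
    """True when a RewriteRule meets both quoted conditions."""
    m = RULE.match(line)
    if not m:
        return False
    substitution, flags = m.group(2), rule_flags(m.group(3))
    # Condition 1: substitution begins with a pattern backreference ($1, $2...).
    starts_with_backref = re.match(r"\$\d", substitution) is not None
    # Condition 2: none of F, G or NE is present.
    return starts_with_backref and not (flags & EXEMPT_FLAGS)

def audit(config_text):
    """Return (line_number, rule) for every rule that fits the description."""
    return [(n, line.strip())
            for n, line in enumerate(config_text.splitlines(), 1)
            if matches_advisory(line)]

if __name__ == "__main__":
    for number, rule in audit(SAMPLE):
        print(f"line {number}: review or patch: {rule}")
```

Rules that use a different backreference form, or quoted patterns containing spaces, are outside what this sketch parses and need a manual look.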