Posted to users@httpd.apache.org by Saqib Ali <sa...@seagate.com> on 2003/10/29 19:37:29 UTC
Re: [users@httpd] apache vulnerability
The newer version of Apache fixes this vulnerability
Saqib Ali
---------
http://validate.sf.net <--- XHTML/HTML/DocBook Validator
On Wed, 29 Oct 2003, Asif Iqbal wrote:
>
> Hi All
>
> According to this url
>
> http://www.secunia.com/advisories/10096
>
> mod_alias and mod_rewrite have possible buffer overflow vulnerabilities "if they
> are configured with a regular expression with more than 9 captures".
> Exploitation requires a specially crafted .htaccess file
>
> How would I know if I am using 9 captures or not ? Sorry for a newbie question
>
> Thanks a lot
>
> --
> Asif Iqbal
> http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
> There's no place like 127.0.0.1
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
Re: [users@httpd] apache vulnerability
Posted by Robert Andersson <ro...@profundis.nu>.
Asif Iqbal wrote:
> My websites are behind the firewall. Is there another way I can tell how
> many captures I am using ?
Probably none. As Joshua said, using 9 capturing subexpressions in a regular
expression is *very* unusual (in Apache's config, at least). As you don't
seem very familiar with them, I doubt you have configured Apache with any,
and assuming you haven't cut'n'pasted 3rd party configuration directives,
you're fine.
Besides, this issue is resolved in Apache 1.3.29/2.0.48, as announced on
this list just a few hours before you posted about it. Upgrade.
Regards,
Robert Andersson
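One way to answer the question asked in this thread from the configuration itself, as an added example that is not part of the original messages: a Python script that counts the capturing groups in the regex argument of mod_rewrite and mod_alias directives and reports every pattern with more than 9. The directive table, the function names and the sample configuration are assumptions made for the illustration, and it expects one directive per line.

```python
import re
# Directives that take a regex, with the argument index of the pattern
# (taken from the mod_alias / mod_rewrite documentation, not from the thread).
REGEX_ARG = {"rewriterule": 0, "rewritecond": 1, "aliasmatch": 0,
             "scriptaliasmatch": 0, "redirectmatch": 0}
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')   # bare or double-quoted argument
STATUS = re.compile(r"\d{3}|permanent|temp|seeother|gone", re.I)
NAMED = re.compile(r"\?(?:P?<[A-Za-z_]|')")    # PCRE named groups still capture
CLASS_OPEN = re.compile(r"\[\^?\]?")           # '[', '[^', '[]' or '[^]'

def count_captures(pattern):
    """Count capturing '(' in a regex, skipping escapes and [...] classes."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2                              # escaped char: \( is a literal
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            i = CLASS_OPEN.match(pattern, i).end() - 1  # leading ']' is literal
        elif ch == "(":
            if pattern[i + 1:i + 2] != "?" or NAMED.match(pattern, i + 1):
                count += 1                      # '(?:' and lookarounds are skipped
        i += 1
    return count

def scan_config(text, limit=9):
    """Return (line_no, directive, captures) for patterns above the limit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        tokens = [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t
                  for t in TOKEN.findall(line)]
        name = tokens[0].lower() if tokens else ""
        if name not in REGEX_ARG:
            continue                            # comments and other directives
        args, idx = tokens[1:], REGEX_ARG[name]
        if name == "redirectmatch" and args and STATUS.fullmatch(args[0]):
            idx = 1                             # optional status precedes regex
        if idx < len(args) and (n := count_captures(args[idx])) > limit:
            findings.append((line_no, tokens[0], n))
    return findings

SAMPLE = r'''# Constructed sample configuration, not from the thread.
RewriteRule ^/(a)/(b)/(c)$ /x/$1 [L]
RewriteCond %{REQUEST_URI} ^/(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)$
RedirectMatch permanent "^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k) old" http://example.invalid/
AliasMatch ^/icons/\(lit\)/([a-z(]+)$ /srv/icons/$1'''
```

Pass scan_config the text of httpd.conf, of any included files and of each .htaccess file; an empty list means no pattern exceeds 9 captures.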
Re: [users@httpd] apache vulnerability
Posted by Asif Iqbal <iq...@qwestip.net>.
On Wed, 29 Oct 2003, Saqib Ali wrote:
> The newer version of Apache fixes this vulnerability
>
> Saqib Ali
> ---------
> http://validate.sf.net <--- XHTML/HTML/DocBook Validator
My websites are behind the firewall. Is there another way I can tell how many
captures I am using ?
>
> On Wed, 29 Oct 2003, Asif Iqbal wrote:
>
> >
> > Hi All
> >
> > According to this url
> >
> > http://www.secunia.com/advisories/10096
> >
> > mod_alias and mod_rewrite have possible buffer overflow vulnerabilities "if they
> > are configured with a regular expression with more than 9 captures".
> > Exploitation requires a specially crafted .htaccess file
> >
> > How would I know if I am using 9 captures or not ? Sorry for a newbie question
> >
> > Thanks a lot
> >
> > --
> > Asif Iqbal
> > http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
> > There's no place like 127.0.0.1
> >
> >