Posted to users@httpd.apache.org by Saqib Ali <sa...@seagate.com> on 2003/10/29 19:37:29 UTC

Re: [users@httpd] apache vulnerability

The newer version of Apache fixes this vulnerability

Saqib Ali
---------
http://validate.sf.net <--- XHTML/HTML/DocBook Validator

On Wed, 29 Oct 2003, Asif Iqbal wrote:

>
> Hi All
>
> According to this url
>
> http://www.secunia.com/advisories/10096
>
> mod_alias and mod_rewrite have possible buffer overflow vulnerabilities "if they
> are configured with a regular expression with more than 9 captures".
> Exploitation requires a specially crafted .htaccess file
>
> How would I know if I am using 9 captures or not ? Sorry for a newbie question
>
> Thanks a lot
>
> --
> Asif Iqbal
> http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
> There's no place like 127.0.0.1
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>



Re: [users@httpd] apache vulnerability

Posted by Robert Andersson <ro...@profundis.nu>.
Asif Iqbal wrote:
> My websites are behind the firewall. Is there another way I can tell how
> many captures I am using ?

Probably none. As Joshua said, using 9 capturing subexpressions in a regular
expression, is *very* unusual (in Apache's config, at least). As you don't
seem very familiar with them, I doubt you have configured Apache with any,
and assuming you haven't cut'n'pasted 3rd party configuration directives,
you're fine.

Besides, this issue is resolved in Apache 1.3.29/2.0.48, as announced on
this list just a few hours before you posted about it. Upgrade.

Regards,
Robert Andersson
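
One way to answer the question of how many captures a configuration uses, as an added example (not part of the thread and not an Apache tool): a Python script that counts capturing groups in the regex argument of the mod_rewrite and mod_alias directives. The sample configuration is constructed, and the counter is an approximation that treats every `(?...)` group as non-capturing.

```python
import re
import sys

# Directive name -> index of its regex argument (mod_rewrite and mod_alias).
REGEX_ARG = {"rewriterule": 0, "rewritecond": 1, "aliasmatch": 0,
             "scriptaliasmatch": 0, "redirectmatch": 0}
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')          # quoted or bare argument
STATUS = re.compile(r"permanent|temp|seeother|gone|\d{3}", re.I)

def count_captures(pattern):
    """Count '(' that open a capture; skips \\( escapes, [...] classes, (?...)."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                      # escaped character, never a group
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(" and pattern[i + 1:i + 2] != "?":
            count += 1
        i += 1
    return count

def scan(text):
    """Return [(line_no, directive, pattern, captures)] for regex directives."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        args = TOKEN.findall(line.strip())
        if not args or args[0].lower() not in REGEX_ARG:
            continue                       # comments and other directives
        name, rest = args[0], [a.strip('"') for a in args[1:]]
        idx = REGEX_ARG[name.lower()]
        # RedirectMatch takes an optional status before the regex.
        if name.lower() == "redirectmatch" and rest and STATUS.fullmatch(rest[0]):
            idx = 1
        if idx < len(rest):
            found.append((no, name, rest[idx], count_captures(rest[idx])))
    return found

# Constructed sample configuration (assumption, not taken from the thread).
SAMPLE = r"""
RewriteEngine On
RewriteRule ^/shop/([a-z]+)/([0-9]+)$ /shop.php?cat=$1&id=$2 [L]
RewriteCond %{HTTP_HOST} ^(www\.)?example\.org$
RedirectMatch permanent ^/old/(.*)$ http://example.org/new/$1
AliasMatch ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)/x$ /var/www/$1
RewriteRule ^/lit\(eral\)/[(]x[)]$ /y
"""

if __name__ == "__main__":
    for text in [open(p).read() for p in sys.argv[1:]] or [SAMPLE]:
        for no, name, pat, n in scan(text):
            print(f"{'CHECK' if n > 9 else 'ok':5} line {no}: {name} {pat} ({n})")
```

Pass the paths of httpd.conf, any included files and every .htaccess file as arguments; lines marked CHECK have more than 9 captures.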




Re: [users@httpd] apache vulnerability

Posted by Asif Iqbal <iq...@qwestip.net>.
On Wed, 29 Oct 2003, Saqib Ali wrote:

> The newer version of Apache fixes this vulnerability
>
> Saqib Ali
> ---------
> http://validate.sf.net <--- XHTML/HTML/DocBook Validator

My websites are behind the firewall. Is there another way I can tell how many
captures I am using ?

>
> On Wed, 29 Oct 2003, Asif Iqbal wrote:
>
> >
> > Hi All
> >
> > According to this url
> >
> > http://www.secunia.com/advisories/10096
> >
> > mod_alias and mod_rewrite have possible buffer overflow vulnerabilities "if they
> > are configured with a regular expression with more than 9 captures".
> > Exploitation requires a specially crafted .htaccess file
> >
> > How would I know if I am using 9 captures or not ? Sorry for a newbie question
> >
> > Thanks a lot
> >
> > --
> > Asif Iqbal
> > http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
> > There's no place like 127.0.0.1
> >
> >
> >
> >
>
>
>

