Posted to users@httpd.apache.org by Jeremy Kelley <je...@33ad.org> on 2006/08/24 16:29:28 UTC

[users@httpd] question about recent ReWrite vulnerability

Hello all,

I've just subbed to the list, but have been an apache user for years.

I was asked this question recently, and I just wasn't sure so I wanted
to pass it along to the experts.

... begin question ...

I have some questions about the following Apache web server vulnerability for
mod_rewrite:

Exploit code publicly released for Apache mod_rewrite vulnerability
Update [August 21, 2006] - Exploit code has been publicly released for
the Apache vulnerability outlined below.
July 28, 2006 - An off-by-one overflow vulnerability has been discovered
in the way that the Apache webserver handles certain types of Rewrite
rules.  Depending on the configuration, a remote attacker could exploit
this to execute arbitrary code as the web server user.

My question is that the notes on the alert say that only certain
configurations are vulnerable, and those configurations are when there
is a substitution at the beginning of the replaced URL.

"The RewriteRule allows the attacker to control the initial part of the
rewritten URL (for example if the substitution URL starts with $1)
The RewriteRule flags do NOT include any of the following flags:
Forbidden (F), Gone (G), or NoEscape (NE)."

So my question is, the note states:

For example, rules with this format expose the vulnerability
      RewriteRule fred/(.*)  $1
While rules with this format do not expose the vulnerability:
      RewriteRule fred/(.*)  joe/$1

So my question is:

Is it the fact that there is not any other explicit path to be
re-written that makes the first case vulnerable?

For example, would this statement be vulnerable?
   RewriteRule fred/(.*) http://www.joe.com/$1

Again assuming that (F), (G), or (NE) are not options on the rule.

... end question ...

thanks,
jeremy

-- 
Jeremy Kelley <je...@33ad.org>
gpg 1024D/EAB7CA38  6FF4 483B D7EA A09C A3E0 1CE1 F0A4 8C8E EAB7 CA38
The Christian ideal has not been tried and found wanting; it has been 
found difficult and left untried. - G.K. Chesterton

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] question about recent ReWrite vulnerability

Posted by Joshua Slive <jo...@slive.ca>.
On 8/24/06, Jeremy Kelley <je...@33ad.org> wrote:
> So my question is, the note states:
>
> For example, rules with this format expose the vulnerability
>       RewriteRule fred/(.*)  $1
> While rules with this format do not expose the vulnerability:
>       RewriteRule fred/(.*)  joe/$1
>
> So my question is:
>
> Is it the fact that there is not any other explicit path to be
> re-written that makes the first case vulnerable?

No.  It is specifically the fact that you are able to control the very
first part of the target path, so as to insert the string ldap:// at
the very beginning.

>
> For example, would this statement be vulnerable?
>    RewriteRule fred/(.*) http://www.joe.com/$1

That is not vulnerable.

Joshua.

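The distinction Joshua draws, as an added example that is not part of the original thread and not Apache project code: a small Python audit that reads a rewrite configuration and reports only rules of the exposed shape, that is, a substitution whose first characters come from a backreference and whose flag list contains none of F, G or NE. The sample config is constructed here and contains the two rules contrasted in the advisory, the cross-host variant Jeremy asked about, and a few flag variants. Treating a leading `%N` (a RewriteCond backreference) the same as `$1` is a conservative assumption of this script; the advisory's own example is `$1`. RewriteMap lookups such as `${map:$1}` are not examined.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed sample config (not from the original post): the two rules the
# advisory contrasts, the cross-host variant from the question, and flag cases.
SAMPLE_CONFIG = """\
RewriteEngine On
# exposed shape: the request controls the very first bytes of the substitution
RewriteRule fred/(.*)  $1
# fixed relative prefix: not exposed
RewriteRule fred/(.*)  joe/$1
# fixed absolute-URL prefix: not exposed
RewriteRule fred/(.*)  http://www.joe.com/$1
# same shape as the first rule, but an F / G / NE flag takes it out of the class
RewriteRule ^old/(.*)  $1 [F]
RewriteRule ^gone/(.*) $1 [G,L]
RewriteRule "^raw/(.*)" "$1" [NE,L]
RewriteRule ^pass/(.*) $1 [L,R=302]
RewriteRule ^noop/(.*) - [L]
"""


@dataclass
class Finding:
    line_no: int
    text: str
    reason: str


# Flags that take a rule out of the exposed class, per the advisory text quoted
# in the thread; short and long spellings, compared case-insensitively.
SAFE_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}

# A substitution that begins with a backreference ($N from the rule pattern,
# %N from a RewriteCond pattern) lets the request supply its leading bytes.
# Including %N is an assumption of this script; the advisory's example is $1.
LEADING_BACKREF = re.compile(r"^[$%][0-9]")


def parse_flags(token):
    """'[F,L,R=301]' -> {'f', 'l', 'r'}: flag names only, lower-cased."""
    if not (token.startswith("[") and token.endswith("]")):
        return set()
    return {
        part.split("=", 1)[0].strip().lower()
        for part in token[1:-1].split(",")
        if part.strip()
    }


def rule_is_exposed(line):
    """Return a reason string if the line is a RewriteRule of the exposed
    shape (leading backreference, no F/G/NE flag), otherwise None."""
    try:
        parts = shlex.split(line)  # honours quoted pattern/substitution
    except ValueError:
        return None
    if len(parts) < 3 or parts[0].lower() != "rewriterule":
        return None
    substitution = parts[2]
    flags = parse_flags(parts[3]) if len(parts) > 3 else set()
    if not LEADING_BACKREF.match(substitution):
        return None
    if flags & SAFE_FLAGS:
        return None
    return "substitution starts with %s and no F/G/NE flag is set" % substitution[:2]


def audit(config_text):
    """Scan a config text line by line; return the list of exposed rules."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reason = rule_is_exposed(line)
        if reason:
            findings.append(Finding(n, line, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("line %d: %s\n    %s" % (f.line_no, f.reason, f.text))
```

Run against the sample, only the bare `$1` rule and the `[L,R=302]` rule are reported; the `joe/$1` and `http://www.joe.com/$1` rules are skipped because a fixed prefix precedes the backreference, and the `[F]`, `[G,L]` and `[NE,L]` rules are skipped on their flags. The script reads a single text blob, so `Include`d files and per-directory `.htaccess` files have to be fed to it separately.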