Bugtraq mailing list archives
Re: Security vulnerability in Apache mod_rewrite
From: Tony Finch <dot () DOTAT AT>
Date: Fri, 6 Oct 2000 15:40:24 +0000
A few people have asked me for more details of the problem, and I have been made aware of an error in ApacheWeek's description:
  Here are some example RewriteRule directives. The first is vulnerable, but the others are not

    RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
    RewriteRule /more-icons/(.*) /icons/$1
    RewriteRule /go/(.*) http://www.apacheweek.com/$1
*Both* of the first two configurations are vulnerable.

To check if you are vulnerable, make a request for http://www.example.com/%25{TIME} (changing the hostname as appropriate) and look for a line like:

    [Fri Oct 6 15:33:20 2000] [error] [client 127.0.0.1] File does not exist:
        /usr/local/apache/docs/20001006153320

in your error log. A patched server reports the error as:

    [Fri Oct 6 15:36:14 2000] [error] [client 127.0.0.1] File does not exist:
        /usr/local/apache/docs/%{TIME}

(I have wrapped the error log lines.)

Details of the problem, for those that couldn't work it out from the patch:

The unpatched mod_rewrite expands the RewriteRule substitution string in four phases: RewriteRule regexp match backreferences $N; RewriteCond regexp match backreferences %N; environment variables %{VAR}; and RewriteMap lookups ${mapspec}. The output of one phase may contain expansion specifiers (from the interpolated string) that weren't in the original substitution string, so if the interpolated string comes from the network then an attacker can include expansions in the RewriteRule that the server administrator did not intend.

Tony.
--
en oeccget g mtcaa f.a.n.finch
v spdlkishrhtewe y dot () dotat at
eatp o v eiti i d. fanf () covalent net
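
The phased expansion described in the message, modelled next to a single-scan expander, as an added example that is not part of the original post and is not mod_rewrite's code or its patch. The `ENV` and `MAPS` contents, the function names and the `${map:key}` syntax are assumptions made for illustration, and expansions nested inside `${...}` are not modelled.

```python
import re

# Constructed stand-ins for server state (assumptions, not from the post).
ENV = {"TIME": "20001006153320"}
MAPS = {"lower": str.lower}

def _expanders(rule_m, cond):
    """The four expansion kinds from the post, in the order it lists them."""
    def backref(m):
        n = int(m.group(1))
        return (rule_m.group(n) or "") if n <= rule_m.re.groups else ""
    return [
        (r"\$(\d)", backref),                                    # $N
        (r"%(\d)", lambda m: cond.get(m.group(1), "")),          # %N
        (r"%\{(\w+)\}", lambda m: ENV.get(m.group(1), "")),      # %{VAR}
        (r"\$\{(\w+):([^}]*)\}",                                 # ${map:key}
         lambda m: MAPS.get(m.group(1), lambda k: "")(m.group(2))),
    ]

def expand_phased(template, rule_m, cond=None):
    """Unpatched model: every phase rescans the previous phase's output."""
    out = template
    for pattern, fn in _expanders(rule_m, cond or {}):
        out = re.sub(pattern, fn, out)
    return out

def expand_single_pass(template, rule_m, cond=None):
    """Hardened model: one scan of the administrator's template only;
    text substituted in from the request is never scanned again."""
    table = _expanders(rule_m, cond or {})
    combined = "|".join(f"(?:{p})" for p, _ in table)
    def dispatch(m):
        for pattern, fn in table:
            hit = re.fullmatch(pattern, m.group(0))
            if hit:
                return fn(hit)
        return m.group(0)
    return re.sub(combined, dispatch, template)

def rewrite(path, pattern, template, expand):
    m = re.search(pattern, path)
    return expand(template, m) if m else path

# First rule quoted in the post; the path is the URL-decoded probe request.
RULE = ("/test/(.*)", "/usr/local/data/test-stuff/$1")
PROBE = "/test/%{TIME}"
```

With `expand_phased` the probe path comes back with the timestamp filled in, matching the unpatched log line in the message; with `expand_single_pass` the literal `%{TIME}` survives, matching the patched one.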