Security vulnerability in Apache mod_rewrite

[Kevin van der Raad <k.van.der.raad () itsec nl>]

Hi,

We stumbled across the following article and did not see this issue here
in Bugtraq:


> http://www.apacheweek.com/issues/00-09-22
>
> Security vulnerability in mod_rewrite
>
> The Apache development list this week contains a fix for a security issue that affects previous
> versions of Apache, including Apache 1.3.12. Apache is only vulnerable if you use mod_rewrite
> and a specific case of the directive RewriteRule. If the result of a RewriteRule is a filename
> that contains regular expression references then an attacker may be able to access any
> file on the web server.
>
> Here are some example RewriteRule directives. The first is vulnerable, but the others are not
>
>       RewriteRule    /test/(.*)               /usr/local/data/test-stuff/$1
>       RewriteRule    /more-icons/(.*)         /icons/$1
>       RewriteRule    /go/(.*)                 http://www.apacheweek.com/$1
>
> The patch is currently being tested and will be part of the release of Apache 1.3.13. Until
> then, users should check their configuration files and not use rules that map to a filename
> such as the first example above.


--

Kevin van der Raad <mailto:k.van.der.raad () itsec nl>

ITsec Nederland B.V. <http://www.itsec.nl>
Exploit & Vulnerability Alerting Service

P.O. box 5120
NL 2000 GC Haarlem
Tel +31(0)23 542 05 78
Fax +31(0)23 534 54 77