Full Disclosure mailing list archives
Apache mod_access_referer denial of service issue
From: zillion <zillion () safemode org>
Date: Wed, 16 Apr 2003 23:14:33 +0200
==================================================================
Safemode.org security advisory: mod_access_referer
==================================================================

Subject:
========

Apache module mod_access_referer 1.0.2 contains a NULL pointer
dereference vulnerability.

Problem description:
====================

In the find_allowdeny() function, the Apache uri_components structure
named "uptr" is initialized by the Apache ap_parse_uri_components
function. This struct contains a pointer named "hostname" that is given
to the is_ip() function in order to determine whether the value given
as referer header field is an IP address or domain name.

The relevant code snippets are:

--- -snip snip- ---

  ap_parse_uri_components (r->pool,
                           ap_table_get (r->headers_in, "Referer"),
                           &uptr);
  if (!is_ip (uptr.hostname))
    {

--- -snip snip- ---

static int
is_ip (const char *host)
{
  /* this just tests if it matches [\d.]* */
  /* XX is a better test needed? */
  while ((*host == '.') || ap_isdigit (*host))
    host++;
  return (*host == '\0');
}

--- -snip snip- ---

When the server is sent an incorrect referer header field,
ap_parse_uri_components will not initialize the uptr.hostname pointer.
As a result, is_ip() can be forced to read from a NULL pointer, which
causes a segmentation fault.

An example referer header field to trigger the issue:

Referer: ://its-missing-http.com

Abuse of this NULL pointer dereference vulnerability can possibly be
used in denial of service attacks against affected systems.

How to counter the issue:
=========================

New, unofficial, fixed RPM files can be found here:

ftp://ftp.pld.org.pl/dists/ra/test/

A simple patch is available here:

http://sourceforge.net/projects/accessreferer/

--
Greets to 0dd, SNO and all @defaced.be
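The missing check described above, as an added example that is not part of the original advisory and is not the project's patch: a NULL guard placed both in the caller and in the helper. The names parsed_uri, parse_referer, is_ip_checked and classify_referer are hypothetical, and parse_referer is a simplified stand-in for ap_parse_uri_components that models only the behaviour the advisory describes (hostname left NULL for a malformed Referer).

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the hostname field of Apache's uri_components. */
struct parsed_uri { const char *hostname; char buf[256]; };

/* Simplified parser (assumption): sets hostname only for "scheme://host...". */
static void parse_referer(const char *referer, struct parsed_uri *out)
{
    out->hostname = NULL;
    if (referer == NULL)
        return;                          /* header absent */
    const char *sep = strstr(referer, "://");
    if (sep == NULL || sep == referer)
        return;                          /* no scheme: hostname stays NULL */
    const char *host = sep + 3;
    size_t n = strcspn(host, ":/?#");
    if (n == 0 || n >= sizeof out->buf)
        return;                          /* empty or oversized host */
    memcpy(out->buf, host, n);
    out->buf[n] = '\0';
    out->hostname = out->buf;
}

/* is_ip() with the missing check: NULL or empty input is never an IP.
 * (The original accepts the empty string; rejecting it is a choice made here.) */
static int is_ip_checked(const char *host)
{
    if (host == NULL || *host == '\0')
        return 0;
    while (*host == '.' || isdigit((unsigned char)*host))
        host++;
    return *host == '\0';
}

enum referer_kind { REFERER_INVALID, REFERER_IP, REFERER_NAME };

/* Caller-side guard: decide on the malformed case before classifying. */
enum referer_kind classify_referer(const char *referer)
{
    struct parsed_uri u;
    parse_referer(referer, &u);
    if (u.hostname == NULL)
        return REFERER_INVALID;
    return is_ip_checked(u.hostname) ? REFERER_IP : REFERER_NAME;
}

int main(void)
{
    return classify_referer("://its-missing-http.com") == REFERER_INVALID ? 0 : 1;
}
```

How REFERER_INVALID maps to allow or deny is a policy decision for the access rules and is not specified by the advisory.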