Vulnerability Note VU#395412

Apache mod_rewrite contains off-by-one error in ldap scheme handling

Original Release date: 28 Jul 2006 | Last revised: 18 Oct 2006

Overview

A vulnerability in a common Apache HTTP server module, mod_rewrite, could allow a remote attacker to execute arbitrary code on an affected web server.

Description

The Apache HTTP server distribution includes a number of supplemental modules that provide additional functionality to the web server. One of these modules, mod_rewrite, provides a rule-based rewriting engine to rewrite requested URLs "on the fly" based on regular expressions.

An off-by-one error exists in the ldap scheme handling in mod_rewrite. For some RewriteRules, specifically those where the remote user can influence the beginning of a rewritten URL and that do not include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE), this could lead to a pointer being written out of bounds. This flaw causes a remotely exploitable vulnerability on web servers that have mod_rewrite enabled (configuration directive "RewriteEngine on") and configured to use certain rules. For example, rules with this format expose the vulnerability:

    RewriteRule fred/(.*)  $1

While rules with this format do not expose the vulnerability:
    RewriteRule fred/(.*)  joe/$1

The versions of the mod_rewrite module supplied with the Apache HTTP server versions
  • 1.3 branch from 1.3.28
  • 2.0 branch from 2.0.46
  • 2.2 branch from 2.2.0

are vulnerable to this issue but earlier versions are not. The Apache Software Foundation notes that mod_rewrite is not enabled and configured as a normal default, however it is a commonly used module and may be provided in a vulnerable configuration by redistributors.

Impact

An attacker may be able to execute arbitrary code in the context of the web server user (e.g., "apache", "httpd", "nobody", "SYSTEM", etc.). The Apache Software Foundation notes that, due to the nature of the underlying flaw, successful exploitation is dependent upon the stack frame layout of apache running on the target host.

Solution

Apply a patch from the vendor

Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.

Workarounds


Disable mod_rewrite if it is not required in your web server configuration. Instructions for doing this can be found in the Apache HTTP server documentation. Sites, particularly those that are not able to apply the patches, are encouraged to implement this workaround.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apache HTTP Server ProjectAffected-01 Aug 2006
Fedora ProjectAffected-27 Jul 2006
Gentoo LinuxAffected25 Jul 200601 Aug 2006
Hewlett-Packard CompanyAffected25 Jul 200615 Sep 2006
Mandriva, Inc.Affected25 Jul 200601 Aug 2006
OpenPKGAffected-01 Aug 2006
Oracle CorporationAffected25 Jul 200618 Oct 2006
Slackware Linux Inc.Affected25 Jul 200601 Aug 2006
SUSE LinuxAffected25 Jul 200601 Aug 2006
UbuntuAffected25 Jul 200601 Aug 2006
Apple Computer, Inc.Not Affected25 Jul 200627 Jul 2006
FujitsuNot Affected25 Jul 200627 Jul 2006
HitachiNot Affected25 Jul 200631 Jul 2006
Juniper Networks, Inc.Not Affected25 Jul 200627 Jul 2006
Openwall GNU/*/LinuxNot Affected25 Jul 200631 Jul 2006
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Mark Cox of the Apache Software Foundation for reporting this vulnerability. Mark, in turn, credits Mark Dowd of McAfee AVERT Labs with reporting this issue.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CVE-2006-3747
  • Date Public: 27 Jul 2006
  • Date First Published: 28 Jul 2006
  • Date Last Updated: 18 Oct 2006
  • Severity Metric: 6.48
  • Document Revision: 37

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.