Vulnerability Note VU#395412
Apache mod_rewrite contains off-by-one error in ldap scheme handling
A vulnerability in a common Apache HTTP server module, mod_rewrite, could allow a remote attacker to execute arbitrary code on an affected web server.
The Apache HTTP server distribution includes a number of supplemental modules that provide additional functionality to the web server. One of these modules, mod_rewrite, provides a rule-based rewriting engine to rewrite requested URLs "on the fly" based on regular expressions.
An off-by-one error exists in the ldap scheme handling in mod_rewrite. For some RewriteRules, specifically those where the remote user can influence the beginning of a rewritten URL and that do not include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE), this could lead to a pointer being written out of bounds. This flaw causes a remotely exploitable vulnerability on web servers that have mod_rewrite enabled (configuration directive "RewriteEngine on") and configured to use certain rules. For example, rules with this format expose the vulnerability:
While rules with this format do not expose the vulnerability:
The versions of the mod_rewrite module supplied with the Apache HTTP server versions
are vulnerable to this issue but earlier versions are not. The Apache Software Foundation notes that mod_rewrite is not enabled and configured as a normal default, however it is a commonly used module and may be provided in a vulnerable configuration by redistributors.
An attacker may be able to execute arbitrary code in the context of the web server user (e.g., "apache", "httpd", "nobody", "SYSTEM", etc.). The Apache Software Foundation notes that, due to the nature of the underlying flaw, successful exploitation is dependent upon the stack frame layout of apache running on the target host.
Apply a patch from the vendor
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apache HTTP Server Project||Affected||-||01 Aug 2006|
|Fedora Project||Affected||-||27 Jul 2006|
|Gentoo Linux||Affected||25 Jul 2006||01 Aug 2006|
|Hewlett-Packard Company||Affected||25 Jul 2006||15 Sep 2006|
|Mandriva, Inc.||Affected||25 Jul 2006||01 Aug 2006|
|OpenPKG||Affected||-||01 Aug 2006|
|Oracle Corporation||Affected||25 Jul 2006||18 Oct 2006|
|Slackware Linux Inc.||Affected||25 Jul 2006||01 Aug 2006|
|SUSE Linux||Affected||25 Jul 2006||01 Aug 2006|
|Ubuntu||Affected||25 Jul 2006||01 Aug 2006|
|Apple Computer, Inc.||Not Affected||25 Jul 2006||27 Jul 2006|
|Fujitsu||Not Affected||25 Jul 2006||27 Jul 2006|
|Hitachi||Not Affected||25 Jul 2006||31 Jul 2006|
|Juniper Networks, Inc.||Not Affected||25 Jul 2006||27 Jul 2006|
|Openwall GNU/*/Linux||Not Affected||25 Jul 2006||31 Jul 2006|
CVSS Metrics (Learn More)
This document was written by Chad R Dougherty.
- CVE IDs: CVE-2006-3747
- Date Public: 27 Jul 2006
- Date First Published: 28 Jul 2006
- Date Last Updated: 18 Oct 2006
- Severity Metric: 6.48
- Document Revision: 37
If you have feedback, comments, or additional information about this vulnerability, please send us email.