Vulnerability Note VU#434566

Apache mod_rewrite vulnerable to buffer overflow via crafted regular expression

Original Release date: 03 Feb 2004 | Last revised: 19 Mar 2004

Overview

A vulnerability in a supplementary module to the Apache HTTP server could allow an attacker to execute arbitrary code on an affected web server under certain circumstances.

Description

The Apache HTTP server distribution includes a number of supplemental modules that provide additional functionality to the web server. One of these modules, mod_rewrite, provides a rule-based rewriting engine to rewrite requested URLs "on the fly" based regular expressions. A buffer overflow has been discovered in the way that mod_rewrite handles regular expressions containing more than 9 captures (stored strings matching a particular pattern). This flaw results in a remotely exploitable vulnerability on web servers that specify such a regular expression to the mod_rewrite module in their configuration files.

Impact

An attacker may be able to execute arbitrary code in the context of the web server user (e.g., "apache", "httpd", "nobody", etc.). The attacker would have to have the ability to supply a specially crafted configuration file (e.g., .htaccess or httpd.conf) to the Apache server in order to mount this attack.

Solution

Apply a patch from the vendor

Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.

Workarounds


Disable mod_rewrite if it is not required in your web server configuration. Instructions for doing this can be found in the Apache HTTP server documentation. Sites, particularly those that are not able to apply the patches, are encouraged to consider implementing this workaround.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apache Software FoundationAffected-02 Feb 2004
ConectivaAffected-02 Feb 2004
Gentoo LinuxAffected-02 Feb 2004
Guardian Digital Inc. Affected-02 Feb 2004
Hewlett-Packard CompanyAffected-08 Mar 2004
MandrakeSoftAffected-02 Feb 2004
OpenPKGAffected-02 Feb 2004
Red Hat Inc.Affected-02 Feb 2004
SCOAffected-08 Mar 2004
SGIAffected-02 Feb 2004
SlackwareAffected-02 Feb 2004
Sun Microsystems Inc.Affected-08 Mar 2004
TrustixAffected-02 Feb 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The Apache Software Foundation credits André Malo with the discovery of this vulnerability.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CAN-2003-0542
  • Date Public: 30 Oct 2003
  • Date First Published: 03 Feb 2004
  • Date Last Updated: 19 Mar 2004
  • Severity Metric: 0.61
  • Document Revision: 23

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.