Vulnerability Note VU#549142
Apache mod_alias vulnerable to buffer overflow via crafted regular expression
A vulnerability in a supplementary module to the Apache HTTP server could allow an attacker to execute arbitrary code on an affected web server under certain circumstances.
The Apache HTTP server distribution includes a number of supplemental modules that provide additional functionality to the web server. One of these modules, mod_alias, provides for mapping different parts of the host filesystem into the document tree and for URL redirection. Several of the mod_alias directives can use regular expressions rather than simple prefix matches. A buffer overflow has been discovered in the way that mod_alias handles regular expressions containing more than 9 captures (stored strings matching a particular pattern). This flaw results in a remotely exploitable vulnerability on web servers that specify such a regular expression to the mod_alias module in their configuration files.
An attacker may be able to execute arbitrary code in the context of the web server user (e.g., "apache", "httpd", "nobody", etc.). The attacker would have to have the ability to supply a specially crafted configuration file (e.g., .htaccess or httpd.conf) to the Apache server in order to mount this attack.
Apply a patch from the vendor
Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apache Software Foundation||Affected||-||02 Feb 2004|
|Conectiva||Affected||-||02 Feb 2004|
|Gentoo Linux||Affected||-||02 Feb 2004|
|Guardian Digital Inc.||Affected||-||02 Feb 2004|
|Hewlett-Packard Company||Affected||-||08 Mar 2004|
|MandrakeSoft||Affected||-||02 Feb 2004|
|OpenPKG||Affected||-||02 Feb 2004|
|Red Hat Inc.||Affected||-||02 Feb 2004|
|SCO||Affected||-||08 Mar 2004|
|SGI||Affected||-||02 Feb 2004|
|Slackware||Affected||-||02 Feb 2004|
|Sun Microsystems Inc.||Affected||-||08 Mar 2004|
|Trustix||Affected||-||02 Feb 2004|
CVSS Metrics (Learn More)
The Apache Software Foundation credits André Malo with the discovery of this vulnerability.
This document was written by Chad R Dougherty.
- CVE IDs: CAN-2003-0542
- Date Public: 30 Oct 2003
- Date First Published: 03 Feb 2004
- Date Last Updated: 19 Mar 2004
- Severity Metric: 0.61
- Document Revision: 25
If you have feedback, comments, or additional information about this vulnerability, please send us email.