Apache Security Vulnerability in mod_rewrite
------------------------------------------------------------------------

SUMMARY

The Apache development list reports a security issue that affects previous versions of Apache, including Apache 1.3.12. Apache is only vulnerable if you use mod_rewrite and a specific case of the directive RewriteRule. If the result of a RewriteRule is a filename that contains regular expression references then an attacker may be able to access any file on the web server.

DETAILS

Vulnerable systems:
Apache versions 1.3.12 and prior.

Immune systems:
Apache 1.3.13 will not be vulnerable to this problem.

If the RewriteRule directive contains a regular expression reference (like '.*') it might be possible for a remote attacker to access arbitrary files on the local system. Note that mod_rewrite must be loaded, and only certain structures of the RewriteRule directive expose this vulnerability.

Here are some example RewriteRule directives. The first is vulnerable, but the others are not:

    RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
    RewriteRule /more-icons/(.*) /icons/$1
    RewriteRule /go/(.*) http://www.apacheweek.com/$1

Solution:
A patch is currently being tested and will be part of the release of Apache 1.3.13. Until then, users should check their configuration files and not use rules that map to a filename such as the first example above.

ADDITIONAL INFORMATION

This information has been provided by Apache Week <http://www.apacheweek.com/issues/00-09-22>.

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
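One way to carry out the configuration check recommended under "Solution", as an added example that is not part of the original advisory or of Apache: a Python audit that flags RewriteRule directives whose substitution is a filename containing a $N reference. The FS_ROOTS list, the function names and the classification heuristic are assumptions made for this sketch; adjust FS_ROOTS to the directories that exist on the audited host.

```python
import re

# Assumption: top-level directories that exist on the audited server's
# filesystem. A substitution starting with one of these is treated as a filename.
FS_ROOTS = {"usr", "var", "home", "opt", "srv", "etc", "data"}

BACKREF = re.compile(r"\$\d")                      # $0..$9 pattern references
URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)   # absolute URL target

def classify(substitution, fs_roots=FS_ROOTS):
    """Return 'url', 'filename' or 'url-path' for a RewriteRule target."""
    if URL.match(substitution):
        return "url"
    first = substitution.lstrip("/").split("/", 1)[0]
    if substitution.startswith("/") and first in fs_roots:
        return "filename"
    return "url-path"

def audit(config_text, fs_roots=FS_ROOTS):
    """Return [(line_no, directive)] for rules that map to a filename with $N."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        # Whitespace split: patterns containing quoted spaces are not handled.
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != "rewriterule":
            continue
        substitution = parts[2]
        if BACKREF.search(substitution) and classify(substitution, fs_roots) == "filename":
            findings.append((no, line))
    return findings

# Constructed sample: a comment line plus the three rules quoted in the advisory.
SAMPLE = """\
# rewrite rules
RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1
"""

if __name__ == "__main__":
    for no, line in audit(SAMPLE):
        print(f"line {no}: maps to a filename with a back-reference: {line}")
```

Only the first of the advisory's three rules is reported; the /icons/ and http:// targets are classified as a URL path and a URL and are skipped.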
