---------- Forwarded message ----------
From: Tony Finch <[EMAIL PROTECTED]>
Subject: Re: Security vulnerability in Apache mod_rewrite
Organization: Covalent Technologies, Inc
Date: Fri, 6 Oct 2000 15:40:24 +0000
To: [EMAIL PROTECTED]

A few people have asked me for more details of the problem, and I have
been made aware of an error in ApacheWeek's description:

>> Here are some example RewriteRule directives. The first is
>> vulnerable, but the others are not
>>
>>      RewriteRule    /test/(.*)               /usr/local/data/test-stuff/$1
>>      RewriteRule    /more-icons/(.*)         /icons/$1
>>      RewriteRule    /go/(.*)                 http://www.apacheweek.com/$1

*Both* of the first two configurations are vulnerable.

To check if you are vulnerable, make a request for
        http://www.example.com/%25{TIME}
(changing the hostname as appropriate) and look for a line like:
        [Fri Oct  6 15:33:20 2000] [error] [client 127.0.0.1]
        File does not exist: /usr/local/apache/docs/20001006153320
in your error log. A patched server reports the error as:
        [Fri Oct  6 15:36:14 2000] [error] [client 127.0.0.1]
        File does not exist: /usr/local/apache/docs/%{TIME}
(I have wrapped the error log lines.)

Details of the problem, for those that couldn't work it out from the
patch:

The unpatched mod_rewrite expands the RewriteRule substitution string
in four phases: RewriteRule regexp match backreferences $N;
RewriteCond regexp match backreferences %N; environment variables
%{VAR}; and RewriteMap lookups ${mapspec}. The output of one phase may
contain expansion specifiers (from the interpolated string) that
weren't in the original substitution string, so if the interpolated
string comes from the network then an attacker can include expansions
in the RewriteRule that the server administrator did not intend.

Tony.
--
en oeccget g mtcaa    f.a.n.finch
v spdlkishrhtewe y    [EMAIL PROTECTED]
eatp o v eiti i d.    [EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
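
The rescanning problem described in the message, as an added example that is not part of the original e-mail or of Apache's code: a small Python model in which a phased expander rescans interpolated text while a single-pass expander does not. Only the $N and %{VAR} phases are modelled; ENV, the function names and the single-pass design are assumptions made for illustration, and the rule is the first one quoted from ApacheWeek.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for the server's variables (value taken from the log line above).
ENV = {"TIME": "20001006153320"}

def expand_phased(subst, groups, env=ENV):
    """Model of the unpatched behaviour: each phase rescans the previous output."""
    # Phase: $N backreferences from the RewriteRule regexp match.
    out = re.sub(r"\$(\d)", lambda m: groups[int(m.group(1))], subst)
    # Phase: %{VAR}. 'out' now contains client-supplied text, so a %{...}
    # that arrived in the URL is expanded as if the administrator wrote it.
    return re.sub(r"%\{(\w+)\}", lambda m: env.get(m.group(1), ""), out)

def expand_single_pass(subst, groups, env=ENV):
    """One left-to-right pass over the administrator's string only.
    Interpolated text is copied to the output and never rescanned."""
    def repl(m):
        if m.group(1) is not None:          # $N
            return groups[int(m.group(1))]
        return env.get(m.group(2), "")      # %{VAR}
    return re.sub(r"\$(\d)|%\{(\w+)\}", repl, subst)

def rewrite(pattern, subst, raw_path, expander):
    """Apply one rule to a request path; returns None if the rule does not match."""
    path = unquote(raw_path)                # %25{TIME} -> %{TIME}
    m = re.search(pattern, path)
    if m is None:
        return None
    groups = [m.group(0)] + [g or "" for g in m.groups()]
    return expander(subst, groups)

RULE = (r"/test/(.*)", "/usr/local/data/test-stuff/$1")

if __name__ == "__main__":
    for name, fn in (("phased", expand_phased), ("single-pass", expand_single_pass)):
        print(name, "->", rewrite(RULE[0], RULE[1], "/test/%25{TIME}", fn))
```

In the phased model the client's `%{TIME}` comes back as the timestamp, matching the vulnerable error-log line; in the single-pass model it stays literal, matching the patched one.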
