Date: Sat, 30 Sep 2000 21:02:15 -0400 (EDT) From: Igor Roshchin <str@giganda.komkon.org> To: security@freebsd.org Cc: ache@freebsd.org Subject: A new problem in apache ? Message-ID: <200010010102.VAA41966@giganda.komkon.org>
next in thread | raw e-mail | index | archive | help
Hello! Since this information has not appeared on this list yet, I am just forwarding what appeared on http://www.apacheweek.com/issues/00-09-22 and was quoted on BUGTRAQ yesterday. (in case somebody didn't notice it) I didn't find anything on the apache.org itself related to this problem yet. (Neither a patch nor a new release is available yet) However, www.apache.org is running a version that reports itself as Apache/1.3.13-dev Server at www.apache.org Port 80 Igor > Date: Sat, 30 Sep 2000 00:00:07 -0700 > From: Automatic digest processor <LISTSERV@LISTS.SECURITYFOCUS.COM> > Subject: BUGTRAQ Digest - 28 Sep 2000 to 29 Sep 2000 (#2000-219) > To: Recipients of BUGTRAQ digests <BUGTRAQ@LISTS.SECURITYFOCUS.COM> > > <..> > > --cMZZGAUNAKbTNcRMXARPPCaQdFUQGW > > Date: Fri, 29 Sep 2000 12:39:11 +0200 > From: Kevin van der Raad <k.van.der.raad@ITSEC.NL> > Subject: Security vulnerability in Apache mod_rewrite > MIME-Version: 1.0 > Content-Type: text/plain; charset=us-ascii > Content-Transfer-Encoding: 7bit > > Hi, > > We stumbled across the following article and did not see this issue here > in Bugtraq: > > > > > > http://www.apacheweek.com/issues/00-09-22 > > > > Security vulnerability in mod_rewrite > > > > The Apache development list this week contains a fix for a security issue that affects previous > > versions of Apache, including Apache 1.3.12. Apache is only vulnerable if you use mod_rewrite > > and a specific case of the directive RewriteRule. If the result of a RewriteRule is a filename > > that contains regular expression references then an attacker may be able to access any > > file on the web server. > > > > Here are some example RewriteRule directives. The first is vulnerable, but the others are not > > > > RewriteRule /test/(.*) /usr/local/data/test-stuff/$1 > > RewriteRule /more-icons/(.*) /icons/$1 > > RewriteRule /go/(.*) http://www.apacheweek.com/$1 > > > > The patch is currently being tested and will be part of the release of Apache 1.3.13. Until > > then, users should check their configuration files and not use rules that map to a filename > > such as the first example above. > > > > > -- > > Kevin van der Raad <mailto:k.van.der.raad@itsec.nl> > > ITsec Nederland B.V. <http://www.itsec.nl>; > Exploit & Vulnerability Alerting Service > > P.O. box 5120 > NL 2000 GC Haarlem > Tel +31(0)23 542 05 78 > Fax +31(0)23 534 54 77 > > --cMZZGAUNAKbTNcRMXARPPCaQdFUQGW > <..> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200010010102.VAA41966>