[16963] in bugtraq
Security vulnerability in Apache mod_rewrite
daemon@ATHENA.MIT.EDU (Kevin van der Raad)
Fri Sep 29 12:59:46 2000
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <39D4714F.1494DAF9@itsec.nl>
Date: Fri, 29 Sep 2000 12:39:11 +0200
Reply-To: k.van.der.raad@itsec.nl
From: Kevin van der Raad <k.van.der.raad@itsec.nl>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
We stumbled across the following article and did not see this issue here
in Bugtraq:
>
> http://www.apacheweek.com/issues/00-09-22
>
> Security vulnerability in mod_rewrite
>
> The Apache development list this week contains a fix for a security issue that affects previous
> versions of Apache, including Apache 1.3.12. Apache is only vulnerable if you use mod_rewrite
> and a specific case of the directive RewriteRule. If the result of a RewriteRule is a filename
> that contains regular expression references then an attacker may be able to access any
> file on the web server.
>
> Here are some example RewriteRule directives. The first is vulnerable, but the others are not
>
> RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
> RewriteRule /more-icons/(.*) /icons/$1
> RewriteRule /go/(.*) http://www.apacheweek.com/$1
>
> The patch is currently being tested and will be part of the release of Apache 1.3.13. Until
> then, users should check their configuration files and not use rules that map to a filename
> such as the first example above.
>
--
Kevin van der Raad <mailto:k.van.der.raad@itsec.nl>
ITsec Nederland B.V. <http://www.itsec.nl>
Exploit & Vulnerability Alerting Service
P.O. box 5120
NL 2000 GC Haarlem
Tel +31(0)23 542 05 78
Fax +31(0)23 534 54 77
