Home page logo

bugtraq logo Bugtraq mailing list archives

Security vulnerability in Apache mod_rewrite
From: Kevin van der Raad <k.van.der.raad () itsec nl>
Date: Fri, 29 Sep 2000 12:39:11 +0200


We stumbled across the following article and did not see this issue here
in Bugtraq:


Security vulnerability in mod_rewrite

The Apache development list this week contains a fix for a security issue that affects previous
versions of Apache, including Apache 1.3.12. Apache is only vulnerable if you use mod_rewrite
and a specific case of the directive RewriteRule. If the result of a RewriteRule is a filename
that contains regular expression references then an attacker may be able to access any
file on the web server.

Here are some example RewriteRule directives. The first is vulnerable, but the others are not

      RewriteRule    /test/(.*)               /usr/local/data/test-stuff/$1
      RewriteRule    /more-icons/(.*)         /icons/$1
      RewriteRule    /go/(.*)                 http://www.apacheweek.com/$1

The patch is currently being tested and will be part of the release of Apache 1.3.13. Until
then, users should check their configuration files and not use rules that map to a filename
such as the first example above.


Kevin van der Raad <mailto:k.van.der.raad () itsec nl>

ITsec Nederland B.V. <http://www.itsec.nl>
Exploit & Vulnerability Alerting Service

P.O. box 5120
NL 2000 GC Haarlem
Tel +31(0)23 542 05 78
Fax +31(0)23 534 54 77

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]