Apache: Mod Rewrite Exploit: Patch Your Servers Now To 2.2.3
ShoeMoney

5+ Year Member



 
Msg#: 3026171 posted 5:37 pm on Jul 28, 2006 (gmt 0)

Apache released version 2.2.3 today which fixes the buffer overflow exploit in Apache webservers.

[apache.org...]

This is a really nasty exploit.

 

encyclo

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3026171 posted 5:47 pm on Jul 28, 2006 (gmt 0)

Note that the bug is also in Apache 2.0.x and 1.3.x. New versions of these branches have also been released:

  • Apache 2.0.59 release announcement [apache.org]
  • Apache 1.3.37 release announcement [apache.org]

    An important upgrade if you run your own servers. If you're on shared or managed hosting, you can check with your hosting company.

    ShoeMoney

    5+ Year Member



     
    Msg#: 3026171 posted 7:10 pm on Jul 28, 2006 (gmt 0)

    Sorry... I am not sure why I used the 2.2.3 version; I had that in my head for some reason.

    Please feel free to edit my post; I do not want people to think that it only applies to the development tree.

    g1smd

    WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member



     
    Msg#: 3026171 posted 10:40 am on Jul 31, 2006 (gmt 0)

    Verio have already sent out mail to people saying they have already upgraded.

    I wonder how many other hosts are on this?

    blaze

    WebmasterWorld Senior Member 10+ Year Member



     
    Msg#: 3026171 posted 11:24 am on Jul 31, 2006 (gmt 0)

    From the announcement:

    [apache.org...]


    This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

    * The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
    * The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

    My read on this is that this is an AND condition and not an or.

    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    robzilla

    WebmasterWorld Senior Member 5+ Year Member



     
    Msg#: 3026171 posted 11:56 am on Jul 31, 2006 (gmt 0)

    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    The way I read it, you're at risk if you do not include those flags.

    EDIT: Never mind, I must've read your post wrong. Sorry.

    MatthewHSE

    WebmasterWorld Senior Member 10+ Year Member



     
    Msg#: 3026171 posted 3:37 pm on Jul 31, 2006 (gmt 0)

    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    I don't know mod_rewrite enough to understand what rules are safe and what ones aren't. With mod_rewrite syntax...

    RewriteRule Pattern Substitution [Flag(s)]

    ...may I assume that $1 can appear anywhere in the rule as long as you don't put it at the very start of the Substitution section?

    If so, all my sites are safe as I've never used a rewrite rule in that way in my life and can't even think of an instance where it would be helpful.

    [edited by: MatthewHSE at 3:38 pm (utc) on July 31, 2006]

    Clark

    WebmasterWorld Senior Member 10+ Year Member



     
    Msg#: 3026171 posted 4:44 pm on Jul 31, 2006 (gmt 0)

    Does cpanel fix this automatically?

    Rebrandt

    5+ Year Member



     
    Msg#: 3026171 posted 5:54 am on Aug 1, 2006 (gmt 0)

    You should upgrade if your rules look like this:

    RewriteRule fred/(.*) $1

    ($1 is the first thing in a Substitution section)

    While rules with this format do not expose the vulnerability:

    RewriteRule fred/(.*) joe/$1

    [edited by: Rebrandt at 5:57 am (utc) on Aug. 1, 2006]

    jake66

    5+ Year Member



     
    Msg#: 3026171 posted 8:41 am on Aug 2, 2006 (gmt 0)

    what about a rule like:
    RewriteRule ^([^/]*)\.html$ $1.php?%{QUERY_STRING} [NC]

    or

    RewriteRule ^/?(stuff)/([^/]*)\.html$ index.php?stuff_id=$2&%{QUERY_STRING} [NC]

    jdMorgan

    WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



     
    Msg#: 3026171 posted 3:00 pm on Aug 2, 2006 (gmt 0)

    From the description above, it's obvious that your first rule is vulnerable, while your second rule is not --
    "...allows the attacker to control the initial part of the rewritten URL" is the operative phrase here.

    Jim
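
An added example, not part of any post in this thread: a small Python audit that applies the two conditions quoted from the announcement (the substitution begins with a backreference such as $1, and none of F, G or NE is set) to the rules posted above. It assumes one rule per line with whitespace-separated arguments and flags written without spaces; the function names and the fifth sample rule are constructed for illustration.

```python
import re

# Flags the announcement names as taking a rule out of scope (short and long forms).
EXEMPT_FLAGS = {"F", "FORBIDDEN", "G", "GONE", "NE", "NOESCAPE"}
# Heuristic for "attacker controls the initial part of the rewritten URL":
# the substitution begins with a pattern backreference such as $1.
LEADING_BACKREF = re.compile(r'^"?\$\d')


def parse_flags(token):
    """Turn '[NC,L,R=301]' into {'NC', 'L', 'R'}."""
    inner = token.strip()[1:-1]
    return {f.split("=", 1)[0].strip().upper() for f in inner.split(",") if f.strip()}


def audit(config_text):
    """Return (line_number, rule) for each RewriteRule meeting both conditions."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != "rewriterule":
            continue  # comments, blank lines and other directives
        substitution = parts[2]
        has_flags = len(parts) > 3 and parts[3].startswith("[")
        flags = parse_flags(parts[3]) if has_flags else set()
        # Both conditions must hold (AND): leading backreference, no exempt flag.
        if LEADING_BACKREF.match(substitution) and not (flags & EXEMPT_FLAGS):
            findings.append((lineno, line))
    return findings


# Rules quoted in the thread, plus one constructed rule (line 5) carrying NE.
SAMPLE = r"""
RewriteRule fred/(.*) $1
RewriteRule fred/(.*) joe/$1
RewriteRule ^([^/]*)\.html$ $1.php?%{QUERY_STRING} [NC]
RewriteRule ^/?(stuff)/([^/]*)\.html$ index.php?stuff_id=$2&%{QUERY_STRING} [NC]
RewriteRule ^go/(.*) $1 [NE,L]
""".strip()

if __name__ == "__main__":
    for lineno, rule in audit(SAMPLE):
        print(f"line {lineno}: upgrade or rewrite -> {rule}")
```

The check only covers the $1-style case the announcement gives as its example, so a clean result is a reason to schedule the upgrade, not to skip it.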

    jake66

    5+ Year Member



     
    Msg#: 3026171 posted 6:44 pm on Aug 2, 2006 (gmt 0)

    ok, how do i know if my host has upgraded? when i view the server info, it simply shows: HTTP Server: Apache

    g1smd

    WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member



     
    Msg#: 3026171 posted 7:41 pm on Aug 2, 2006 (gmt 0)

    Assuming that you also have PHP on your server, try running a file like test.php with just this in it:

    <?php phpinfo(); ?>

    to reveal what is on your server.

    Delete that file from the server immediately you have finished with it, as the information is very useful to hackers.

    jake66

    5+ Year Member



     
    Msg#: 3026171 posted 5:46 am on Aug 4, 2006 (gmt 0)

    it only shows HTTP Server: Apache

    jdMorgan

    WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



     
    Msg#: 3026171 posted 1:37 pm on Aug 4, 2006 (gmt 0)

    Have you called your host and asked them?

    Jim

    jake66

    5+ Year Member



     
    Msg#: 3026171 posted 5:44 pm on Aug 4, 2006 (gmt 0)

    i just looked at SERVER_SIGNATURE on phpinfo() and it reads: <ADDRESS>Apache/1.3.33 Server at www.mysite.com Port 80</ADDRESS>

    just tossed them an email too :)

    jake66

    5+ Year Member



     
    Msg#: 3026171 posted 8:02 pm on Aug 4, 2006 (gmt 0)

    Unfortunately, it will not be possible to upgrade the server or have access to the update settings. You will have mod_rewrite privileges for your account. I apologize for the confusion.

    uhm, okay.
    i don't see why it isn't possible to upgrade.. for such a big-name company, this makes absolutely no sense.

    Clark

    WebmasterWorld Senior Member 10+ Year Member



     
    Msg#: 3026171 posted 11:58 pm on Aug 5, 2006 (gmt 0)

    Maybe they are based on CPanel, who has not yet updated easyapache the last time I tried...
