homepage Welcome to WebmasterWorld Guest from 54.211.213.10
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

    
Apache: Mod Rewrite Exploit: Patch Your Servers Now To 2.2.3
ShoeMoney




msg:3026173
 5:37 pm on Jul 28, 2006 (gmt 0)

Apache released verson 2.2.3 today which fixes the buffer overflow exploit in apache webservers.

[apache.org...]

This is a really nasty exploit.

 

encyclo




msg:3026188
 5:47 pm on Jul 28, 2006 (gmt 0)

Note that the bug is also in Apache 2.0.x and 1.3.x. New versions of these branches have also been released:

  • Apache 2.0.59 release announcement [apache.org]
  • Apache 1.3.37 release announcement [apache.org]

    An important upgrade if you run your own servers. If you're on shared or managed hosting, you can check with your hosting company.

  • ShoeMoney




    msg:3026321
     7:10 pm on Jul 28, 2006 (gmt 0)

    Sorry... I am not why I used the 2.2.3 version I had that in my head for some reason.

    Please feel free to edit my post I do not want people to think that it only applies to the development tree

    g1smd




    msg:3028601
     10:40 am on Jul 31, 2006 (gmt 0)

    Verio have already sent out mail to people saying they have already upgraded.

    I wonder how many other hosts are on this?

    blaze




    msg:3028630
     11:24 am on Jul 31, 2006 (gmt 0)

    From the announcement:

    [apache.org...]


    This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

    * The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
    * The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

    My read on this is that this is an AND condition and not an or.

    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    robzilla




    msg:3028647
     11:56 am on Jul 31, 2006 (gmt 0)

    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    The way I read it, you're at risk if you do not include those flags.

    EDIT: Never mind, I must've read your post wrong. Sorry.

    MatthewHSE




    msg:3028850
     3:37 pm on Jul 31, 2006 (gmt 0)

    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    I don't know mod_rewrite enough to understand what rules are safe and what ones aren't. With mod_rewrite syntax...

    RewriteRule Pattern Substitution [Flag(s)]

    ...may I assume that $1 can appear anywhere in the rule as long as you don't put it at the very start of the Substitution section?

    If so, all my sites are safe as I've never used a rewrite rule in that way in my life and can't even think of an instance where it would be helpful.

    [edited by: MatthewHSE at 3:38 pm (utc) on July 31, 2006]

    Clark




    msg:3028948
     4:44 pm on Jul 31, 2006 (gmt 0)

    Does cpanel fix this automatically?

    Rebrandt




    msg:3029684
     5:54 am on Aug 1, 2006 (gmt 0)

    You should upgrade if your rules look like this:

    RewriteRule fred/(.*) $1

    ($1 is the first thing in a Substitution section)

    While rules with this format do not expose the vulnerability:

    RewriteRule fred/(.*) joe/$1

    [edited by: Rebrandt at 5:57 am (utc) on Aug. 1, 2006]

    jake66




    msg:3031166
     8:41 am on Aug 2, 2006 (gmt 0)

    what about a rule like:
    RewriteRule ^([^/]*)\.html$ $1.php?%{QUERY_STRING} [NC]

    or

    RewriteRule ^/?(stuff)/([^/]*)\.html$ index.php?stuff_id=$2&%{QUERY_STRING} [NC]

    jdMorgan




    msg:3031553
     3:00 pm on Aug 2, 2006 (gmt 0)

    From the description above, it's obvious that your first rule is vulnerable, while your second rule is not --
    "...allows the attacker to control the initial part of the rewritten URL" is the operative phrase here.

    Jim

    jake66




    msg:3031895
     6:44 pm on Aug 2, 2006 (gmt 0)

    ok, how do i know if my host has upgraded? when i view the server info, it simly shows: HTTP Server: Apache

    g1smd




    msg:3031971
     7:41 pm on Aug 2, 2006 (gmt 0)

    Assuming that you also have PHP on your server, try running a file like test.php with just this in it:

    phpinfo ()

    to reveal what is on your server.

    Delete that file from the server immediately you have finished with it, as the information is very useful to hackers.

    jake66




    msg:3033860
     5:46 am on Aug 4, 2006 (gmt 0)

    it only shows HTTP Server: Apache

    jdMorgan




    msg:3034221
     1:37 pm on Aug 4, 2006 (gmt 0)

    Have you called your host and asked them?

    Jim

    jake66




    msg:3034570
     5:44 pm on Aug 4, 2006 (gmt 0)

    i just looked at SERVER_SIGNATURE on phpinfo() and it reads: <ADDRESS>Apache/1.3.33 Server at www.mysite.com Port 80</ADDRESS>

    just tossed them an email too :)

    jake66




    msg:3034704
     8:02 pm on Aug 4, 2006 (gmt 0)

    Unfortunately, it will not be possible to upgrade the server or have access to the update settings. You will have mod_rewrite privledges for your account. I apologize for the confusion.

    uhm, okay.
    i don't see why it isn't possible to upgrade.. for such a big-name company, this makes absolutely no sense.

    Clark




    msg:3035711
     11:58 pm on Aug 5, 2006 (gmt 0)

    Maybe they are based on CPanel, who has not yet updated easyapache the last time I tried...

    Global Options:
     top home search open messages active posts  
     

    Home / Forums Index / Code, Content, and Presentation / Apache Web Server
    rss feed

    All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
    Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
    WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
    © Webmaster World 1996-2014 all rights reserved