Welcome to WebmasterWorld Guest from 54.144.206.214

Forum Moderators: Ocean10000 & incrediBILL & phranque

Apache: Mod Rewrite Exploit: Patch Your Servers Now To 2.2.3

   
5:37 pm on Jul 28, 2006 (gmt 0)

5+ Year Member



Apache released verson 2.2.3 today which fixes the buffer overflow exploit in apache webservers.

[apache.org...]

This is a really nasty exploit.

5:47 pm on Jul 28, 2006 (gmt 0)

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Note that the bug is also in Apache 2.0.x and 1.3.x. New versions of these branches have also been released:

  • Apache 2.0.59 release announcement [apache.org]
  • Apache 1.3.37 release announcement [apache.org]

    An important upgrade if you run your own servers. If you're on shared or managed hosting, you can check with your hosting company.

  • 7:10 pm on Jul 28, 2006 (gmt 0)

    5+ Year Member



    Sorry... I am not why I used the 2.2.3 version I had that in my head for some reason.

    Please feel free to edit my post I do not want people to think that it only applies to the development tree

    10:40 am on Jul 31, 2006 (gmt 0)

    WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



    Verio have already sent out mail to people saying they have already upgraded.

    I wonder how many other hosts are on this?

    11:24 am on Jul 31, 2006 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    From the announcement:

    [apache.org...]


    This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

    * The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
    * The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

    My read on this is that this is an AND condition and not an or.

    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    11:56 am on Jul 31, 2006 (gmt 0)

    WebmasterWorld Senior Member 5+ Year Member



    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    The way I read it, you're at risk if you do not include those flags.

    EDIT: Never mind, I must've read your post wrong. Sorry.

    3:37 pm on Jul 31, 2006 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    I don't know mod_rewrite enough to understand what rules are safe and what ones aren't. With mod_rewrite syntax...

    RewriteRule Pattern Substitution [Flag(s)]

    ...may I assume that $1 can appear anywhere in the rule as long as you don't put it at the very start of the Substitution section?

    If so, all my sites are safe as I've never used a rewrite rule in that way in my life and can't even think of an instance where it would be helpful.

    [edited by: MatthewHSE at 3:38 pm (utc) on July 31, 2006]

    4:44 pm on Jul 31, 2006 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    Does cpanel fix this automatically?
    5:54 am on Aug 1, 2006 (gmt 0)

    10+ Year Member



    You should upgrade if your rules look like this:

    RewriteRule fred/(.*) $1

    ($1 is the first thing in a Substitution section)

    While rules with this format do not expose the vulnerability:

    RewriteRule fred/(.*) joe/$1

    [edited by: Rebrandt at 5:57 am (utc) on Aug. 1, 2006]

    8:41 am on Aug 2, 2006 (gmt 0)

    5+ Year Member



    what about a rule like:
    RewriteRule ^([^/]*)\.html$ $1.php?%{QUERY_STRING} [NC]

    or

    RewriteRule ^/?(stuff)/([^/]*)\.html$ index.php?stuff_id=$2&%{QUERY_STRING} [NC]

    3:00 pm on Aug 2, 2006 (gmt 0)

    WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



    From the description above, it's obvious that your first rule is vulnerable, while your second rule is not --
    "...allows the attacker to control the initial part of the rewritten URL" is the operative phrase here.

    Jim

    6:44 pm on Aug 2, 2006 (gmt 0)

    5+ Year Member



    ok, how do i know if my host has upgraded? when i view the server info, it simly shows: HTTP Server: Apache
    7:41 pm on Aug 2, 2006 (gmt 0)

    WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



    Assuming that you also have PHP on your server, try running a file like test.php with just this in it:

    phpinfo ()

    to reveal what is on your server.

    Delete that file from the server immediately you have finished with it, as the information is very useful to hackers.

    5:46 am on Aug 4, 2006 (gmt 0)

    5+ Year Member



    it only shows HTTP Server: Apache
    1:37 pm on Aug 4, 2006 (gmt 0)

    WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



    Have you called your host and asked them?

    Jim

    5:44 pm on Aug 4, 2006 (gmt 0)

    5+ Year Member



    i just looked at SERVER_SIGNATURE on phpinfo() and it reads: <ADDRESS>Apache/1.3.33 Server at www.mysite.com Port 80</ADDRESS>

    just tossed them an email too :)

    8:02 pm on Aug 4, 2006 (gmt 0)

    5+ Year Member



    Unfortunately, it will not be possible to upgrade the server or have access to the update settings. You will have mod_rewrite privledges for your account. I apologize for the confusion.

    uhm, okay.
    i don't see why it isn't possible to upgrade.. for such a big-name company, this makes absolutely no sense.

    11:58 pm on Aug 5, 2006 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    Maybe they are based on CPanel, who has not yet updated easyapache the last time I tried...
     

    Featured Threads

    Hot Threads This Week

    Hot Threads This Month