Note that the bug is also in Apache 2.0.x and 1.3.x. New versions of these branches have also been released:

Apache 2.0.59 release announcement [apache.org]

Apache 1.3.37 release announcement [apache.org]

An important upgrade if you run your own servers. If you're on shared or managed hosting, you can check with your hosting company.

Sorry... I am not why I used the 2.2.3 version I had that in my head for some reason.

Please feel free to edit my post I do not want people to think that it only applies to the development tree

Verio have already sent out mail to people saying they have already upgraded.

I wonder how many other hosts are on this?

From the announcement:

[apache.org...]

This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

* The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
* The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

My read on this is that this is an AND condition and not an or.

You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

The way I read it, you're at risk if you do not include those flags.

EDIT: Never mind, I must've read your post wrong. Sorry.

You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

I don't know mod_rewrite enough to understand what rules are safe and what ones aren't. With mod_rewrite syntax...

RewriteRule Pattern Substitution [Flag(s)]

...may I assume that $1 can appear anywhere in the rule as long as you don't put it at the very start of the Substitution section?

If so, all my sites are safe as I've never used a rewrite rule in that way in my life and can't even think of an instance where it would be helpful.

[edited by: MatthewHSE at 3:38 pm (utc) on July 31, 2006]

Does cpanel fix this automatically?

You should upgrade if your rules look like this:

RewriteRule fred/(.*) $1

($1 is the first thing in a Substitution section)

While rules with this format do not expose the vulnerability:

RewriteRule fred/(.*) joe/$1

[edited by: Rebrandt at 5:57 am (utc) on Aug. 1, 2006]

what about a rule like:
RewriteRule ^([^/]*)\.html$ $1.php?%{QUERY_STRING} [NC]

or

RewriteRule ^/?(stuff)/([^/]*)\.html$ index.php?stuff_id=$2&%{QUERY_STRING} [NC]

From the description above, it's obvious that your first rule is vulnerable, while your second rule is not --
"...allows the attacker to control the initial part of the rewritten URL" is the operative phrase here.

Jim

ok, how do i know if my host has upgraded? when i view the server info, it simly shows: HTTP Server: Apache

Assuming that you also have PHP on your server, try running a file like test.php with just this in it:

phpinfo ()

to reveal what is on your server.

Delete that file from the server immediately you have finished with it, as the information is very useful to hackers.

it only shows HTTP Server: Apache

Have you called your host and asked them?

Jim

i just looked at SERVER_SIGNATURE on phpinfo() and it reads: <ADDRESS>Apache/1.3.33 Server at www.mysite.com Port 80</ADDRESS>

just tossed them an email too :)

Unfortunately, it will not be possible to upgrade the server or have access to the update settings. You will have mod_rewrite privledges for your account. I apologize for the confusion.

uhm, okay.
i don't see why it isn't possible to upgrade.. for such a big-name company, this makes absolutely no sense.

Maybe they are based on CPanel, who has not yet updated easyapache the last time I tried...