Welcome to WebmasterWorld Guest from 50.17.16.177

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

Apache: Mod Rewrite Exploit: Patch Your Servers Now To 2.2.3

     
5:37 pm on Jul 28, 2006 (gmt 0)

New User

10+ Year Member

joined:Nov 18, 2005
posts:11
votes: 0


Apache released verson 2.2.3 today which fixes the buffer overflow exploit in apache webservers.

[apache.org...]

This is a really nasty exploit.

5:47 pm on July 28, 2006 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9063
votes: 2


Note that the bug is also in Apache 2.0.x and 1.3.x. New versions of these branches have also been released:

  • Apache 2.0.59 release announcement [apache.org]
  • Apache 1.3.37 release announcement [apache.org]

    An important upgrade if you run your own servers. If you're on shared or managed hosting, you can check with your hosting company.

  • 7:10 pm on July 28, 2006 (gmt 0)

    New User

    10+ Year Member

    joined:Nov 18, 2005
    posts:11
    votes: 0


    Sorry... I am not why I used the 2.2.3 version I had that in my head for some reason.

    Please feel free to edit my post I do not want people to think that it only applies to the development tree

    10:40 am on July 31, 2006 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:July 3, 2002
    posts:18903
    votes: 0


    Verio have already sent out mail to people saying they have already upgraded.

    I wonder how many other hosts are on this?

    11:24 am on July 31, 2006 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member 10+ Year Member

    joined:Mar 10, 2004
    posts:1342
    votes: 0


    From the announcement:

    [apache.org...]


    This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

    * The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
    * The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

    My read on this is that this is an AND condition and not an or.

    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    11:56 am on July 31, 2006 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

    joined:Sept 25, 2005
    posts:966
    votes: 68


    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    The way I read it, you're at risk if you do not include those flags.

    EDIT: Never mind, I must've read your post wrong. Sorry.

    3:37 pm on July 31, 2006 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member 10+ Year Member

    joined:June 9, 2003
    posts:1908
    votes: 0


    You should probably do the upgrade, but if you can't for technical reasons, then at least disable all the rules that start with a $1 and do not include the above flags..

    I don't know mod_rewrite enough to understand what rules are safe and what ones aren't. With mod_rewrite syntax...

    RewriteRule Pattern Substitution [Flag(s)]

    ...may I assume that $1 can appear anywhere in the rule as long as you don't put it at the very start of the Substitution section?

    If so, all my sites are safe as I've never used a rewrite rule in that way in my life and can't even think of an instance where it would be helpful.

    [edited by: MatthewHSE at 3:38 pm (utc) on July 31, 2006]

    4:44 pm on July 31, 2006 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member 10+ Year Member

    joined:Nov 8, 2002
    posts:2335
    votes: 0


    Does cpanel fix this automatically?
    5:54 am on Aug 1, 2006 (gmt 0)

    New User

    10+ Year Member

    joined:Feb 2, 2005
    posts:34
    votes: 0


    You should upgrade if your rules look like this:

    RewriteRule fred/(.*) $1

    ($1 is the first thing in a Substitution section)

    While rules with this format do not expose the vulnerability:

    RewriteRule fred/(.*) joe/$1

    [edited by: Rebrandt at 5:57 am (utc) on Aug. 1, 2006]

    8:41 am on Aug 2, 2006 (gmt 0)

    Preferred Member

    10+ Year Member

    joined:Nov 2, 2005
    posts:505
    votes: 0


    what about a rule like:
    RewriteRule ^([^/]*)\.html$ $1.php?%{QUERY_STRING} [NC]

    or

    RewriteRule ^/?(stuff)/([^/]*)\.html$ index.php?stuff_id=$2&%{QUERY_STRING} [NC]

    3:00 pm on Aug 2, 2006 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

    joined:Mar 31, 2002
    posts:25430
    votes: 0


    From the description above, it's obvious that your first rule is vulnerable, while your second rule is not --
    "...allows the attacker to control the initial part of the rewritten URL" is the operative phrase here.

    Jim

    6:44 pm on Aug 2, 2006 (gmt 0)

    Preferred Member

    10+ Year Member

    joined:Nov 2, 2005
    posts:505
    votes: 0


    ok, how do i know if my host has upgraded? when i view the server info, it simly shows: HTTP Server: Apache
    7:41 pm on Aug 2, 2006 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:July 3, 2002
    posts:18903
    votes: 0


    Assuming that you also have PHP on your server, try running a file like test.php with just this in it:

    phpinfo ()

    to reveal what is on your server.

    Delete that file from the server immediately you have finished with it, as the information is very useful to hackers.

    5:46 am on Aug 4, 2006 (gmt 0)

    Preferred Member

    10+ Year Member

    joined:Nov 2, 2005
    posts:505
    votes: 0


    it only shows HTTP Server: Apache
    1:37 pm on Aug 4, 2006 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

    joined:Mar 31, 2002
    posts:25430
    votes: 0


    Have you called your host and asked them?

    Jim

    5:44 pm on Aug 4, 2006 (gmt 0)

    Preferred Member

    10+ Year Member

    joined:Nov 2, 2005
    posts:505
    votes: 0


    i just looked at SERVER_SIGNATURE on phpinfo() and it reads: <ADDRESS>Apache/1.3.33 Server at www.mysite.com Port 80</ADDRESS>

    just tossed them an email too :)

    8:02 pm on Aug 4, 2006 (gmt 0)

    Preferred Member

    10+ Year Member

    joined:Nov 2, 2005
    posts:505
    votes: 0


    Unfortunately, it will not be possible to upgrade the server or have access to the update settings. You will have mod_rewrite privledges for your account. I apologize for the confusion.

    uhm, okay.
    i don't see why it isn't possible to upgrade.. for such a big-name company, this makes absolutely no sense.

    11:58 pm on Aug 5, 2006 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member 10+ Year Member

    joined:Nov 8, 2002
    posts:2335
    votes: 0


    Maybe they are based on CPanel, who has not yet updated easyapache the last time I tried...