Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Security vulnerability in Apache mod_rewrite
From: Kevin van der Raad (k.van.der.raadITSEC.NL)
Date: Fri Sep 29 2000 - 05:39:11 CDT


We stumbled across the following article and did not see this issue here
in Bugtraq:

> http://www.apacheweek.com/issues/00-09-22
> Security vulnerability in mod_rewrite
> The Apache development list this week contains a fix for a security issue that affects previous
> versions of Apache, including Apache 1.3.12. Apache is only vulnerable if you use mod_rewrite
> and a specific case of the directive RewriteRule. If the result of a RewriteRule is a filename
> that contains regular expression references then an attacker may be able to access any
> file on the web server.
> Here are some example RewriteRule directives. The first is vulnerable, but the others are not
> RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
> RewriteRule /more-icons/(.*) /icons/$1
> RewriteRule /go/(.*) http://www.apacheweek.com/$1
> The patch is currently being tested and will be part of the release of Apache 1.3.13. Until
> then, users should check their configuration files and not use rules that map to a filename
> such as the first example above.


Kevin van der Raad <mailto:k.van.der.raaditsec.nl>

ITsec Nederland B.V. <http://www.itsec.nl> Exploit & Vulnerability Alerting Service

P.O. box 5120 NL 2000 GC Haarlem Tel +31(0)23 542 05 78 Fax +31(0)23 534 54 77