[nycbug-talk] Apache Vuln, mod_rewrite

Okan Demirmen okan at demirmen.com
Wed Aug 2 13:06:28 EDT 2006


On Wed 2006.08.02 at 12:46 -0400, Isaac Levy wrote:
> Hi Folks,
> 
> I'm emailing to somewhat gently sound the alarm, there's an esoteric  
> Apache vulnerability which is not getting much attention (and from  
> what I understand, didn't even hit the Apache lists when the patches  
> were released?)
> 
> I went through patching systems this weekend after seeing this story,
> 
> http://isc.sans.org/diary.php?storyid=1523
> 
> Anouncements:
> 
> Apache 1.3.37 http://www.apache.org/dist/httpd/Announcement1.3.html
> Apache 2.0.59 http://www.apache.org/dist/httpd/Announcement2.0.html
> Apache 2.2.3  http://www.apache.org/dist/httpd/Announcement2.2.html
> 
> --
> Thing is, today this hit undeadly, indeed a fine publication online-  
> but a far cry from what I'd consider 'sane channels' for breaking  
> security vulnerability information.  (i.e. nothing has even yet been  
> posted to 'announce at httpd.apache.org' mailing list)

Not to be too picky, but the story on undeadly arrived on 07/31,
OpenBSD errata on 07/30, while the patch went in 07/28.

I can't speak for the other projects, but I'm sure they have somewhat
similar dates...and I can't speak for apache.org, for I haven't even
looked...it also hit the secunia lists as well.

I couldn't tell you why it has not gotten a lot of attention. Maybe
people who use mod_rewrite don't know that they do _use_ mod_rewrite, or
maybe the folks who do are quiet and just patch. If this were a php
thing, I'm sure more attention would have been paid; for, for some
reason, unknown to me, people use php.

> With that, this vulnerability is important, (if you use/enable  
> mod_rewrite, or run on systems without ProPolice/SSP stack guards).

thanks ike.



More information about the talk mailing list