WampServer
Apache, PHP, MySQL
on Windows
Apache HTTP Server 1.3, 2.0 and 2.2 mod_rewrite vulnerability
Posted by:
Hlspwn
(---.sutcol.ac.uk)
Date: August 07, 2006 12:17PM
A vulnerability in Apache's ReWrite module, mod_rewrite, has been discovered by McAfee and in combination with RewriteRule statements it may lead to arbitrary code execution. It exists in:
Apache 1.3 (since 1.3.28)
Apache 2.0 (since 2.0.46)
Apache 2.2 (since 2.2.0)
Exploitation of the vulnerability depends on the compilation of Apache.
Organizations who use vendor packages should seek further information from their vendors whilst those who compile their own packages should rebuild from the latest available sources (2.2.3, 2.0.59 and 1.3.37).
Whilst removing all RewriteRule statements from your configuration files will mitigate any risk, upgrading to the latest version is preferable.
Further information can be found at the following websites
[httpd.apache.org]
[www.kb.cert.org]
[cve.mitre.org]
Due to this security floor will there be an updated version of wamp availble ??????
Apache 1.3 (since 1.3.28)
Apache 2.0 (since 2.0.46)
Apache 2.2 (since 2.2.0)
Exploitation of the vulnerability depends on the compilation of Apache.
Organizations who use vendor packages should seek further information from their vendors whilst those who compile their own packages should rebuild from the latest available sources (2.2.3, 2.0.59 and 1.3.37).
Whilst removing all RewriteRule statements from your configuration files will mitigate any risk, upgrading to the latest version is preferable.
Further information can be found at the following websites
[httpd.apache.org]
[www.kb.cert.org]
[cve.mitre.org]
Due to this security floor will there be an updated version of wamp availble ??????
Re: More info
Posted by:
Hlspwn
(---.sutcol.ac.uk)
Date: August 07, 2006 12:24PM
Apache HTTP Server 2.2.3 Released
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.2.3 of the Apache HTTP Server ("Apache"
.
This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed;
CVE-2006-3747: An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.
This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:
The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).
Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.
The Apache HTTP Server project recommends that all users who have built Apache from source apply the patch or upgrade to the latest level and rebuild. Providers of Apache-based web servers in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of Apache HTTP Server, and Apache HTTP Server users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their web server. Statements from vendors can be obtained from the US-CERT vulnerability note for this issue at:
[www.kb.cert.org]
The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.
We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.3 is available for download from:
[httpd.apache.org]
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.2.3 of the Apache HTTP Server ("Apache"
.This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed;
CVE-2006-3747: An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.
This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:
The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).
Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.
The Apache HTTP Server project recommends that all users who have built Apache from source apply the patch or upgrade to the latest level and rebuild. Providers of Apache-based web servers in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of Apache HTTP Server, and Apache HTTP Server users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their web server. Statements from vendors can be obtained from the US-CERT vulnerability note for this issue at:
[www.kb.cert.org]
The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.
We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.3 is available for download from:
[httpd.apache.org]
Sorry, only registered users may post in this forum.
