FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

apache -- mod_rewrite buffer overflow vulnerability

Affected packages
1.3.28 <= apache < 1.3.36_1
2.0.46 <= apache < 2.0.58_2
2.2.0 <= apache < 2.2.2_1
1.3.28 <= apache+mod_perl < 1.3.36_1
1.3.28 <= apache+ipv6 < 1.3.37
0 <= apache_fp
1.3.28 <= ru-apache < 1.3.37+30.23
1.3.28 <= ru-apache+mod_ssl < 1.3.34.1.57_2
1.3.28 <= apache+ssl < 1.3.34.1.57_2
1.3.28 <= apache+mod_ssl < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+ipv6 < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_accel < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_accel+ipv6 < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_accel+mod_deflate < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_accel+mod_deflate+ipv6 < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_deflate < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_deflate+ipv6 < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_snmp < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_snmp+mod_accel < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_snmp+mod_accel+ipv6 < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6 < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_snmp+mod_deflate < 1.3.36+2.8.27_1
1.3.28 <= apache+mod_ssl+mod_snmp+mod_deflate+ipv6 < 1.3.36+2.8.27_1

Details

VuXML ID dc8c08c7-1e7c-11db-88cf-000c6ec775d9
Discovery 2006-07-27
Entry 2006-07-28
Modified 2006-11-01

The Apache Software Foundation and The Apache HTTP Server Project reports:

An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.

This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.

References

CERT/CC Vulnerability Note 395412
CVE Name CVE-2006-3747
Message 44CA22D9.6020200@apache.org