SANS ISC: Security Fix for Apache - SANS Internet Storm Center

Security Fix for Apache
We got a heads up today from one of our readers (thanks Oliver) that there is a newly discovered security issue with the mod_rewrite module in the Apache httpd server.  The issue itself has been in the Apache httpd code for some time, the exact duration depending on which of the three version trees you are using.  The vulnerability affects all three major version trees that Apache still supports (1.3, 2.0 and 2.2). From the release notes on Apache's web site:

    CVE-2006-3747: An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.

The newest versions of each release can be obtained here:

Apache 1.3.37    Announcement   Change Log    GZIP'd TarBall
Apache 2.0.59    Announcement   Change Log    GZIP'd TarBall
Apache 2.2.3     Announcement   Change Log    GZIP'd TarBall

Although there are some conditions and restrictions on the specific combination of mod_rewrite directives that create the vulnerability, it is still recommended that anyone using the mod_rewrite module upgrade their Apache httpd installation sooner rather than later.  If you are not using the mod_rewrite module, you are not vulnerable to this potential issue.

If you have installed the Apache httpd web server from a binary distribution from your vendor, please check your vendor's patch announcements and distribution sites to see when you will be able to install the newer version of the software which addresses the flaw.
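A quick way to triage a fleet against this advisory is to combine the two facts above: the version ranges quoted from the Apache release notes, and whether mod_rewrite is actually in play on the host. The script below is an added example, not code from the ISC diary or from the Apache project. It parses the output of `httpd -v` and `httpd -l` plus the server configuration; the sample outputs and the default config path are constructed assumptions.

```python
"""Exposure triage for CVE-2006-3747 (Apache mod_rewrite off-by-one).

Added example (not from the ISC diary or the Apache project). Encodes the
affected ranges quoted from the Apache release notes: 1.3 since 1.3.28,
2.0 since 2.0.46, 2.2 since 2.2.0, fixed in 1.3.37 / 2.0.59 / 2.2.3.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release tree.
AFFECTED_RANGES = {
    (1, 3): ((1, 3, 28), (1, 3, 37)),
    (2, 0): ((2, 0, 46), (2, 0, 59)),
    (2, 2): ((2, 2, 0), (2, 2, 3)),
}

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# Uncommented LoadModule for rewrite_module, or RewriteEngine On, at line start.
_REWRITE_RE = re.compile(
    r"^\s*(LoadModule\s+rewrite_module|RewriteEngine\s+On)", re.I | re.M
)


def parse_version(httpd_v_output: str) -> Optional[Version]:
    """Extract the version triple from `httpd -v` output,
    e.g. 'Server version: Apache/2.0.58 (Unix)' -> (2, 0, 58)."""
    m = _VERSION_RE.search(httpd_v_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_in_affected_range(version: Version) -> bool:
    """True if the version lies in a tree and range that ships the flaw."""
    tree = (version[0], version[1])
    if tree not in AFFECTED_RANGES:
        return False
    first_bad, first_fixed = AFFECTED_RANGES[tree]
    return first_bad <= version < first_fixed


def mod_rewrite_enabled(compiled_modules: str, config_text: str) -> bool:
    """mod_rewrite is in play if it is compiled in (`httpd -l` lists
    mod_rewrite.c) or the config loads it / switches the engine on."""
    if "mod_rewrite.c" in compiled_modules:
        return True
    return _REWRITE_RE.search(config_text) is not None


def assess(httpd_v_output: str, compiled_modules: str, config_text: str) -> str:
    """Return a one-line verdict for this host."""
    version = parse_version(httpd_v_output)
    if version is None:
        return "unknown: could not parse Apache version"
    if not version_in_affected_range(version):
        return "not affected: version outside the affected ranges"
    if not mod_rewrite_enabled(compiled_modules, config_text):
        return "not affected: affected version but mod_rewrite not in use"
    return "UPGRADE: affected version with mod_rewrite enabled"


def live_check(httpd_binary: str = "httpd",
               config_path: str = "/etc/httpd/conf/httpd.conf") -> str:
    """Run the check against the local server (binary name and config
    path are assumptions; adjust for your build or distribution)."""
    v_out = subprocess.run([httpd_binary, "-v"], capture_output=True, text=True).stdout
    l_out = subprocess.run([httpd_binary, "-l"], capture_output=True, text=True).stdout
    with open(config_path) as fh:
        conf = fh.read()
    return assess(v_out, l_out, conf)


# Constructed sample data standing in for live command output.
SAMPLE_HTTPD_V = "Server version: Apache/2.0.58 (Unix)\nServer built:   Jun 28 2006 10:00:00\n"
SAMPLE_HTTPD_L = "Compiled in modules:\n  core.c\n  mod_so.c\n  http_core.c\n"
SAMPLE_CONF = "LoadModule rewrite_module modules/mod_rewrite.so\nRewriteEngine On\n"

if __name__ == "__main__":
    print(assess(SAMPLE_HTTPD_V, SAMPLE_HTTPD_L, SAMPLE_CONF))
```

One caveat for vendor packages: distributions frequently backport the fix without changing the version string that `httpd -v` reports, so a version match from this script means "check the vendor's advisory", not "definitely vulnerable". The module check is the more reliable half, since hosts that never load mod_rewrite are outside the issue regardless of version.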

Jul 28th 2006
