mod_rewrite sicherheitsproblem

Alles, was den Apache betrifft, kann hier besprochen werden.

mod_rewrite sicherheitsproblem

Postby marder553 » 31. July 2006 10:17

wie ihr vllt schon gelesen habt gibt es ein "off-by-one flaw" sicherheitsproblem im mod_rewrite :
This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

* The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
* The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.


ist der LAMPP davon betroffen ?
marder553
 
Posts: 1
Joined: 31. July 2006 09:52

Return to Apache

Who is online

Users browsing this forum: No registered users and 2 guests