{"vuid":"VU#395412","idnumber":"395412","name":"Apache mod_rewrite contains off-by-one error in ldap scheme handling","keywords":["Apache","httpd","off-by-one","ldap scheme","mod_rewrite","Oracle_CPU_Oct_2006"],"overview":"A vulnerability in a common Apache HTTP server module, mod_rewrite, could allow a remote attacker to execute arbitrary code on an affected web server.","clean_desc":"The Apache HTTP server distribution includes a number of supplemental modules that provide additional functionality to the web server. One of these modules, mod_rewrite, provides a rule-based rewriting engine to rewrite requested URLs \"on the fly\" based on regular expressions. An off-by-one error exists in the ldap scheme handling in mod_rewrite. For some RewriteRules, specifically those where the remote user can influence the beginning of a rewritten URL and that do not include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE), this could lead to a pointer being written out of bounds. This flaw causes a remotely exploitable vulnerability on web servers that have mod_rewrite enabled (configuration directive \"RewriteEngine on\") and configured to use certain rules. For example, rules with this format expose the vulnerability: RewriteRule fred/(.*)  $1 While rules with this format do not expose the vulnerability: RewriteRule fred/(.*)  joe/$1 The versions of the mod_rewrite module supplied with the Apache HTTP server versions 1.3 branch from 1.3.28\n2.0 branch from 2.0.46\n2.2 branch from 2.2.0 are vulnerable to this issue but earlier versions are not. The Apache Software Foundation notes that mod_rewrite is not enabled and configured as a normal default, however it is a commonly used module and may be provided in a vulnerable configuration by redistributors.","impact":"An attacker may be able to execute arbitrary code in the context of the web server user (e.g., \"apache\", \"httpd\", \"nobody\", \"SYSTEM\", etc.). The Apache Software Foundation notes that, due to the nature of the underlying flaw, successful exploitation is dependent upon the stack frame layout of apache running on the target host.","resolution":"Apply a patch from the vendor Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.","workarounds":"Workarounds Disable mod_rewrite if it is not required in your web server configuration. Instructions for doing this can be found in the Apache HTTP server documentation. Sites, particularly those that are not able to apply the patches, are encouraged to implement this workaround.","sysaffected":"","thanks":"Thanks to Mark Cox of the \nApache Software Foundation\n for reporting this vulnerability. Mark, in turn, credits Mark Dowd of \nMcAfee\n AVERT Labs\n with reporting this issue.","author":"This document was written by Chad R Dougherty.","public":["http://www.apache.org/dist/httpd/Announcement2.2.html","http://www.apache.org/dist/httpd/Announcement2.0.html","http://www.apache.org/dist/httpd/Announcement1.3.html","http://secunia.com/advisories/21197/","http://secunia.com/advisories/21273/","http://secunia.com/advisories/21245/","http://secunia.com/advisories/21266/","http://secunia.com/advisories/21247/","http://secunia.com/advisories/21307/","http://secunia.com/advisories/21315/","http://secunia.com/advisories/21313/","http://secunia.com/advisories/21284/","http://www.niscc.gov.uk/niscc/docs/al-20060728-00515.html?lang=en","http://jvn.jp/cert/JVNVU%23395412/index.html"],"cveids":["CVE-2006-3747"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-07-25T14:37:22Z","publicdate":"2006-07-27T00:00:00Z","datefirstpublished":"2006-07-28T13:58:30Z","dateupdated":"2006-10-18T12:52:30Z","revision":43,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"5","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"8","cam_impact":"18","cam_easeofexploitation":"8","cam_attackeraccessrequired":"20","cam_scorecurrent":"6.48","cam_scorecurrentwidelyknown":"12.96","cam_scorecurrentwidelyknownexploited":"21.6","ipprotocol":"tcp","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":6.48,"vulnote":null}