Apache HTTP server mod_alias and mod_rewrite buffer overflow

apache-modalias-modrewrite-bo (13400) The risk level is classified as HighHigh Risk

Description:

Apache HTTP Server is vulnerable to a buffer overflow in the mod_alias and mod_rewrite module. By creating a specially-crafted configuration file containing a regular expression with more than nine capturing parentheses, a local attacker could overflow a buffer and possibly execute arbitrary code on the system.

Platforms Affected:

  • Apache, HTTP Server 1.3
  • Apache, HTTP Server 1.3.1
  • Apache, HTTP Server 1.3.11
  • Apache, HTTP Server 1.3.12
  • Apache, HTTP Server 1.3.14
  • Apache, HTTP Server 1.3.17
  • Apache, HTTP Server 1.3.18
  • Apache, HTTP Server 1.3.19
  • Apache, HTTP Server 1.3.20
  • Apache, HTTP Server 1.3.22
  • Apache, HTTP Server 1.3.23
  • Apache, HTTP Server 1.3.24
  • Apache, HTTP Server 1.3.25
  • Apache, HTTP Server 1.3.26
  • Apache, HTTP Server 1.3.27
  • Apache, HTTP Server 1.3.28
  • Apache, HTTP Server 1.3.3
  • Apache, HTTP Server 1.3.4
  • Apache, HTTP Server 1.3.6
  • Apache, HTTP Server 1.3.9
  • Apache, HTTP Server 2.0
  • Apache, HTTP Server 2.0.28
  • Apache, HTTP Server 2.0.32
  • Apache, HTTP Server 2.0.35
  • Apache, HTTP Server 2.0.36
  • Apache, HTTP Server 2.0.37
  • Apache, HTTP Server 2.0.38
  • Apache, HTTP Server 2.0.39
  • Apache, HTTP Server 2.0.40
  • Apache, HTTP Server 2.0.41
  • Apache, HTTP Server 2.0.42
  • Apache, HTTP Server 2.0.43
  • Apache, HTTP Server 2.0.44
  • Apache, HTTP Server 2.0.45
  • Apache, HTTP Server 2.0.46
  • Apache, HTTP Server 2.0.47
  • Conectiva, Linux 7.0
  • Conectiva, Linux 8.0
  • Conectiva, Linux 9.0
  • Gentoo, Linux
  • HP, HP-UX 11.00
  • HP, HP-UX 11.11
  • HP, HP-UX 11.20
  • HP, HP-UX 11.22
  • MandrakeSoft, Mandrake Linux 9.0
  • MandrakeSoft, Mandrake Linux 9.1 PPC
  • MandrakeSoft, Mandrake Linux 9.1
  • MandrakeSoft, Mandrake Linux 9.2
  • MandrakeSoft, Mandrake Linux Corporate Server 2.1
  • MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
  • MandrakeSoft, Mandrake Multi Network Firewall 8.2
  • OpenPKG, OpenPKG 1.2
  • OpenPKG, OpenPKG 1.3
  • OpenPKG, OpenPKG CURRENT
  • RedHat, Enterprise Linux 2.1 ES
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Enterprise Linux 2.1 WS
  • RedHat, Enterprise Linux 2.1 AW
  • RedHat, Enterprise Linux 3 ES
  • RedHat, Enterprise Linux 3 AS
  • RedHat, Enterprise Linux 3 WS
  • RedHat, Linux 7.1
  • RedHat, Linux 7.2
  • RedHat, Linux 7.3
  • RedHat, Linux 8.0
  • RedHat, Linux 9.0
  • RedHat, Linux Advanced Workstation 2.1 Itanium
  • RedHat, Stronghold
  • SCO, Caldera OpenUnix 8.0.0
  • SCO, Caldera UnixWare 7.1.1
  • SCO, Caldera UnixWare 7.1.3
  • Slackware, Slackware Linux 8.1
  • Slackware, Slackware Linux 9.0
  • Slackware, Slackware Linux 9.1
  • Slackware, Slackware Linux current
  • Sun, Solaris 8 SPARC
  • Sun, Solaris 8 x86
  • Sun, Solaris 9 x86
  • Sun, Solaris 9 SPARC
  • Trustix, Secure Linux 1.2
  • Trustix, Secure Linux 1.5
  • Trustix, Secure Linux 2.0
  • Turbolinux, Turbolinux 7 Server
  • Turbolinux, Turbolinux 7 Workstation
  • Turbolinux, Turbolinux 8 Server
  • Turbolinux, Turbolinux 8 Workstation
  • Turbolinux, Turbolinux Appliance Server 1.0
  • Turbolinux, Turbolinux Advanced Server 6
  • Turbolinux, Turbolinux Appliance Server 1.0 Hosting Ed
  • Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Ed
  • Turbolinux, Turbolinux Server 6.1
  • Turbolinux, Turbolinux Server 6.5
  • Turbolinux, Turbolinux Workstation 6.0

Remedy:

For Apache HTTP Server 1.3.28 and earlier:
Upgrade to the latest version of Apache HTTP Server (1.3.29 or later), available from the Apache Web site. See References.

For Apache HTTP Server 2.0.47 and earlier:
Upgrade to the latest version of Apache HTTP Server (2.0.48 or later), available from the Apache Web site. See References.

For OpenPKG:
Upgrade to the latest apache package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.046 for more information. See References.

OpenPKG CURRENT: 1.3.29-20031028 or later
OpenPKG 1.2: 1.3.27-1.2.3 or later
OpenPKG 1.3: 1.3.28-1.3.1 or later

For Gentoo Linux:
Upgrade to the latest version of net-www/apache (2.0.48 or later), as listed in Gentoo Linux Security Announcement 200310-04. See References.

For Mandrake Linux:
Upgrade to the latest apache package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:103 : apache for more information. See References.

Mandrake Linux 9.0 and Corporate Server 2.1: 1.3.26-6.3.90mdk or later
Mandrake Linux 9.1: 1.3.27-8.1.91mdk or later
Mandrake Linux 9.2: 1.3.28-3.1.92mdk or later
Mandrake Multi Network Firewall 8.2: 1.3.23-4.3.M82mdk or later

For Slackware Linux:
Upgrade to the latest apache package, as listed below. Refer to slackware-security Mailing List, Tue, 4 Nov 2003 16:48:11 -0800 (PST) for more information. See References.

Slackware Linux 8.1, 9.0, 9.1, and -current: 1.3.29-i386-1 or later

For Conectiva Linux:
Upgrade to the latest apache package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2003:775 for more information. See References.

Conectiva Linux 7.0: 1.3.28-1U70_2cl or later
Conectiva Linux 8: 1.3.28-1U80_2cl or later
Conectiva Linux 9: 2.0.45-2879OU90_5cl or later

For Trustix Secure Linux 1.2, 1.5, and 2.0:
Upgrade to the latest apache package (1.3.29-1tr or 2.0.48-1tr or later), as listed in Trustix Secure Linux Security Advisory #2003-0041. See References.

For Red Hat Linux:
Upgrade to the latest apache package, as listed below. Refer to RHSA-2003:405-04 for more information. See References.

Red Hat 7.1: 1.3.27-3.7.1 or later
Red Hat 7.2: 1.3.27-3.7.2 or later
Red Hat 7.3: 1.3.27-4 or later

For Red Hat Linux:
Upgrade to the latest httpd package, as listed below. Refer to RHSA-2003:320-09 for more information. See References.

Red Hat 8.0: 2.0.40-11.9 or later
Red Hat 9: 2.0.40-21.9

For Red Hat Linux containing the apache package:
Upgrade to the latest apache package, as listed below. Refer to RHSA-2003:360-08 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 3.27-6 or later

For Red Hat Linux Stronghold:
Refer to RHSA-2005:816-10 for patch, upgrade, or suggested workaround information. See References.

For SGI IRIX:
Apply the 10039 patch for this vulnerability, as listed in SGI Security Advisory 20031203-01-U. See References.

For HP-UX 11.00, 11.11, 11.20, and 11.22 :
Apply the appropriate patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX01098. See References.

For Turbolinux:
Upgrade to the latest apache package (1.3.27-22 or later), as listed in Turbolinux Security Advisory TLSA-2004-10. See References.

For Caldera UnixWare 7.1.3, OpenUnix 8.0.0, and UnixWare 7.1.1:
Update to the latest fixed binaries, as listed in SCO Security Advisory CSSA-2004-6. See References.

For Sun Solaris:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57496 for more information. See References.

SPARC Platform
Solaris 8 with patch 116973-01 or later
Solaris 9 with patch 113146-03 or later

x86 Platform
Solaris 8 with patch 116974-01 or later
Solaris 9 with patch 114145-02 or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Privileges

References:

Reported:

Oct 24, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page