An off-by-one flaw exists in the Rewrite module,
mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0
since 2.0.46, and 2.2 since 2.2.0.
Depending on the manner in which Apache HTTP Server was
compiled, this software defect may result in a
vulnerability which, in combination with certain types of
Rewrite rules in the web server configuration files, could
be triggered remotely. For vulnerable builds, the nature
of the vulnerability can be denial of service (crashing of
web server processes) or potentially allow arbitrary code
execution. This issue has been rated as having important
security impact by the Apache HTTP Server Security Team.
This flaw does not affect a default installation of
Apache HTTP Server. Users who do not use, or have not
enabled, the Rewrite module mod_rewrite are not affected
by this issue. This issue only affects installations using
a Rewrite rule with the following characteristics:
- The RewriteRule allows the attacker to control the
initial part of the rewritten URL (for example if the
substitution URL starts with $1)
- The RewriteRule flags do NOT include any of the
following flags: Forbidden (F), Gone (G), or NoEscape
(NE).
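The two characteristics above can be checked mechanically against a configuration file. The following Python script is an added example, not part of the advisory or of the Apache project: it scans RewriteRule directives and reports those whose substitution starts with a backreference ($1 to $9, the form the advisory cites) and whose flag list contains none of F, G or NE (or their long forms forbidden, gone, noescape). The configuration excerpt embedded in it is constructed for illustration; the regex-based parsing is a simplification that does not handle line continuations or RewriteMap substitutions.

```python
import re

# Constructed sample httpd.conf excerpt (not taken from the advisory). Each rule
# illustrates one combination of the characteristics the advisory lists.
SAMPLE_CONFIG = """\
# attacker-controlled prefix, no protective flag: has both characteristics
RewriteRule ^/proxy/(.*)$ $1 [L]
# substitution starts with a fixed path, so $1 is not the initial part
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
# attacker-controlled prefix, but NE flag present
RewriteRule ^/go/(.*)$ $1 [NE,L]
# attacker-controlled prefix, but F flag present
RewriteRule ^/blocked/(.*)$ $1 [F]
# attacker-controlled prefix, no flags at all
RewriteRule ^/open/(.*)$ $1
# commented-out rule is ignored
#RewriteRule ^/ignored/(.*)$ $1 [L]
"""

# Flags that, per the advisory, take a rule out of scope (compared case-insensitively).
PROTECTIVE_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}

# RewriteRule <pattern> <substitution> [<flags>]
RULE_RE = re.compile(
    r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE
)


def parse_flags(flag_text):
    """Split a '[R=301,L]' body into flag names, dropping any '=value' part."""
    if not flag_text:
        return set()
    return {f.split("=", 1)[0].strip() for f in flag_text.split(",") if f.strip()}


def rule_matches_advisory(substitution, flags):
    """True when the substitution begins with $1..$9 and none of F/G/NE is set."""
    attacker_controls_prefix = re.match(r"^\$[1-9]", substitution) is not None
    protected = any(f.lower() in PROTECTIVE_FLAGS for f in flags)
    return attacker_controls_prefix and not protected


def find_affected_rules(config_text):
    """Return (line_number, directive) for each RewriteRule with both characteristics."""
    affected = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m:
            continue  # not a RewriteRule directive (or commented out)
        _pattern, substitution, flag_text = m.groups()
        if rule_matches_advisory(substitution, parse_flags(flag_text)):
            affected.append((lineno, line.strip()))
    return affected


if __name__ == "__main__":
    for lineno, directive in find_affected_rules(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive}")
```

Run against a real httpd.conf, only the first and fifth rules of the sample would be reported; the rules with a fixed prefix, the NE flag or the F flag fall outside the advisory's description, so a quick remediation for a flagged rule is to add the NE flag or to put a fixed path in front of the backreference.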
Please note that the ability to exploit this issue is
dependent on the stack layout for a particular compiled
version of mod_rewrite. If the compiler used to compile
Apache HTTP Server has added padding to the stack
immediately after the buffer being overwritten, it will
not be possible to exploit this issue, and Apache HTTP
Server will continue operating normally.
The Apache HTTP Server project thanks Mark Dowd of McAfee
Avert Labs for the responsible reporting of this
vulnerability.