We got a heads up today from one of our readers (thanks Oliver) that there is a newly discovered security issue with the mod_rewrite module in the Apache httpd server. The issue itself has been in the Apache httpd code for sometime, depending on which of the three version trees you are using. The vulnerability affects all three major version trees that Apache still supports (1.3, 2.0 and 2.2). From the release notes on Apache's web site:
CVE-2006-3747: An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
The newest versions of each release can be obtained here:
Apache 1.3.37 Announcement Change Log GZIP'd TarBall
Apache 2.0.59 Announcement Change Log GZIP'd TarBall
Apache 2.2.3 Announcement Change Log GZIP'd TarBall
Although there are some conditions and restrictions on the specific combination of mod_rewrite directives that create the vulnerability, it is still recommended that anyone using the mod_rewrite module upgrade their Apache httpd installation sooner rather than later. If you are not using the mod_rewrite module, you are not vulnerable to this potential issue.
If you have installed the Apache httpd web server from a binary distibution from your vendor, please check your vendor's patch announcements and distribution sites to see when you will be able to install the newer version of the software which addresses the flaw.
Jul 28th 2006
1 decade ago