what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SITIC Security Advisory 2004.2

SITIC Security Advisory 2004.2
Posted Sep 17, 2004
Authored by Swedish IT Incident Center | Site sitic.se

SITIC Vulnerability Advisory - Apache 2.0.x suffers from a buffer overflow when expanding environment variables in configuration files such as .htaccess and httpd.conf. In a setup typical of ISPs, for instance, users are allowed to configure their own public_html directories with .htaccess files, leading to possible privilege escalation.

tags | advisory, overflow
advisories | CVE-2004-0747
SHA-256 | 9477ee2d98ddded93d0d277ed18e737445767878dc13e19f31e74199f9b89739

SITIC Security Advisory 2004.2

Change Mirror Download
* SITIC Vulnerability Advisory *

Advisory Name: Apache config file env variable buffer overflow
Advisory Reference: SA04-002
Date of initial release: 2004-09-15
Product: Apache 2.0.x
Platform: Linux, BSD systems, Unix, Windows
Effect: Code execution when processing .htaccess files
Vulnerability Identifier: CAN-2004-0747


Overview:

Apache suffers from a buffer overflow when expanding environment variables
in configuration files such as .htaccess and httpd.conf. In a setup typical
of ISPs, for instance, users are allowed to configure their own public_html
directories with .htaccess files, leading to possible privilege escalation.


Details:

The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess
or httpd.conf files. The function ap_resolve_env() in server/util.c copies
data from environment variables to the character array tmp with strcat(3),
leading to a buffer overflow.

HTTP requests that exploit this problem are not shown in the access log. The
error log will show Segmentation faults, though.


Mitigating factors:

Exploitation requires manual installation of malicious .htaccess files by
someone with normal user rights.


Affected versions:

o Apache 2.0.50
o many other 2.0.x versions


Recommendations:

o A fix for this issue is incorporated into Apache 2.0.51
o For Apache 2.0.*: The Apache Software Foundation has published a patch
which is the official fix for this issue.


Patch information:

o The Apache 2.0.51 release is available from the following source:
http://httpd.apache.org/
o For Apache 2.0.*, the patch is available from the following source:
http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/


Acknowledgments:


This vulnerability was discovered by Ulf Harnhammar for SITIC, Swedish IT
Incident Centre.


Contact information:

Swedish IT Incident Centre, SITIC
P O Box 5398, SE-102 49 Stockholm, Sweden
Telephone: +46-8-678 5799
Email: sitic at pts dot se
http://www.sitic.se


Revision history:

Initial release 2004-09-15


About SITIC:

The Swedish IT Incident Centre within the National Post and Telecom Agency
has the task to support society in working with protection against IT
incidents. SITIC facilitates exchange of information regarding IT incidents
between organisations in society, and disseminates information about new
problems which potentially may impede the functionality of IT systems. In
addition, SITIC provides information and advice regarding proactive measures
and compiles and publishes statistics.


Disclaimer:

The decision to follow or act on information or advice contained in this
Vulnerability Advisory is the responsibility of each user or organisation.
SITIC accepts no responsibility for any errors or omissions contained within
this Vulnerability Advisory, nor for any consequences which may arise from
following or acting on information or advice contained herein.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close