* SITIC Vulnerability Advisory *

           Advisory Name: Apache config file env variable buffer overflow
      Advisory Reference: SA04-002
 Date of initial release: 2004-09-15
                 Product: Apache 2.0.x
                Platform: Linux, BSD systems, Unix, Windows
                  Effect: Code execution when processing .htaccess files
Vulnerability Identifier: CAN-2004-0747


Overview:

Apache suffers from a buffer overflow when expanding environment variables
in configuration files such as .htaccess and httpd.conf. In a setup typical
of ISPs, for instance, users are allowed to configure their own public_html
directories with .htaccess files, leading to possible privilege escalation.


Details:

The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess
or httpd.conf files. The function ap_resolve_env() in server/util.c copies
data from environment variables to the character array tmp with strcat(3),
leading to a buffer overflow.

HTTP requests that exploit this problem are not shown in the access log. The
error log will show Segmentation faults, though.


Mitigating factors:

Exploitation requires manual installation of malicious .htaccess files by
someone with normal user rights.


Affected versions:

  o  Apache 2.0.50
  o  many other 2.0.x versions


Recommendations:

  o  A fix for this issue is incorporated into Apache 2.0.51
  o  For Apache 2.0.*: The Apache Software Foundation has published a patch
     which is the official fix for this issue.


Patch information:

  o  The Apache 2.0.51 release is available from the following source:
     http://httpd.apache.org/
  o  For Apache 2.0.*, the patch is available from the following source:
     http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/


Acknowledgments:


This vulnerability was discovered by Ulf Harnhammar for SITIC, Swedish IT 
Incident Centre.


Contact information:

Swedish IT Incident Centre, SITIC
P O Box 5398, SE-102 49 Stockholm, Sweden
Telephone: +46-8-678 5799
Email: sitic at pts dot se
http://www.sitic.se


Revision history:

Initial release 2004-09-15


About SITIC:

The Swedish IT Incident Centre within the National Post and Telecom Agency
has the task to support society in working with protection against IT
incidents. SITIC facilitates exchange of information regarding IT incidents
between organisations in society, and disseminates information about new
problems which potentially may impede the functionality of IT systems. In
addition, SITIC provides information and advice regarding proactive measures
and compiles and publishes statistics.


Disclaimer:

The decision to follow or act on information or advice contained in this
Vulnerability Advisory is the responsibility of each user or organisation.
SITIC accepts no responsibility for any errors or omissions contained within
this Vulnerability Advisory, nor for any consequences which may arise from
following or acting on information or advice contained herein.