[Snort-sigs] Apache mod_rewrite off-by-one sig

Jon Hart jhart at ...288...
Mon Jul 31 22:53:02 EDT 2006


On Mon, Jul 31, 2006 at 09:12:52PM -0400, Joel Esler wrote:
> Jon,
> 
> Anyway you can provide a packet capture?  Or perhaps fill in an offset/depth for that content match at least?

I can't.  The way I understand the prerequisites of the vulnerability is
that you have to have a rewrite rule similar to:

RewriteRule ^/blah(.*) $1/some/stuff/that/doesntmatter/

I actually can't think of any good reason to give a user control over
the very first part of the rewrite target, but alas, there may be a good
reason and there are plenty of bad rewrite rules out there.

Anyway...

That said, the exploit for this particular vulnerability depends
entirely on the RewriteRule being attacked, so the best we can hope for
is looking for ldap:// in the uri.  Actually, I suppose it is possible
that the exploit could come not in the form of a URI, but really
anywhere in the request as mod_rewrite can base its actions on damn near
anything.

-jon




More information about the Snort-sigs mailing list