Apache log file vulnerability may allow arbitrary code execution - vulnerability warning - the black bar safety net

2013-05-31T00:00:00
ID MYHACK58:62201339040
Type myhack58
Reporter Anonymous
Modified 2013-05-31T00:00:00

Description

Recently, foreign security researchers found a vulnerability in the Apache server. The Rewritelog() function in modules/mappers/mod_rewrite.c handles certain escape sequences incorrectly, so a malicious attacker can send a specially crafted HTTP request whose contents are injected into the log file. If the HTTP request contains terminal emulator escape sequences, this could allow an attacker without administrator privileges to execute commands.
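An added example, not from the original page or from Apache httpd, showing the kind of escaping that keeps terminal escape sequences in client data out of a log file. `escape_log_item` and `has_raw_control` are hypothetical helpers, and the sample request text is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not httpd's ap_escape_logitem): returns a malloc'd copy
 * of s in which '\\', '"' and every byte outside printable ASCII are escaped. */
char *escape_log_item(const char *s)
{
    static const char hex[] = "0123456789abcdef";
    char *out = malloc(strlen(s) * 4 + 1);   /* worst case: every byte -> \xhh */
    char *p = out;
    if (out == NULL)
        return NULL;
    for (const unsigned char *c = (const unsigned char *)s; *c; c++) {
        if (*c == '\\' || *c == '"') {        /* keep the escaping unambiguous */
            *p++ = '\\';
            *p++ = (char)*c;
        } else if (*c >= 0x20 && *c < 0x7f) { /* printable ASCII passes through */
            *p++ = (char)*c;
        } else {                              /* ESC, CR, LF, DEL, high bytes */
            *p++ = '\\';
            *p++ = 'x';
            *p++ = hex[*c >> 4];
            *p++ = hex[*c & 0x0f];
        }
    }
    *p = '\0';
    return out;
}

/* Returns 1 if s holds any byte outside printable ASCII (ESC, CR, LF, ...). */
int has_raw_control(const char *s)
{
    for (const unsigned char *c = (const unsigned char *)s; *c; c++)
        if (*c < 0x20 || *c >= 0x7f)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: request text carrying ESC [ 2 J and a newline. */
    const char *text = "/a\x1b[2J\nb";
    char *safe = escape_log_item(text);
    if (safe == NULL)
        return 1;
    printf("raw: %d, escaped: %s (%d)\n", has_raw_control(text), safe, has_raw_control(safe));
    free(safe);
    return 0;
}
```

The same `has_raw_control` check can be run over lines of an existing log to find entries written before escaping was in place.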

The vulnerability is currently known to exist in Apache 2.2.x, but other versions may also be affected. The officially published mitigation is as follows:

Index: CHANGES=================================================================== --- CHANGES (revision 1 4 6 9 3 1 0) +++ CHANGES (working copy) @@ -1,8 +1,11 @@ -- coding: utf-8 -- Changes with Apache 2.2.25 + ) SECURITY: CVE-2 0 1 3-1 8 6 2 (cve.mitre.org) + mod_rewrite: Ensure that client data written to the RewriteLog is + escaped to prevent terminal escape sequences from entering the + log file. [Joe Orton] - Changes with Apache 2.2.24 ) SECURITY: CVE-2 0 1 2-3 4 9 9 (cve.mitre.org) Index: modules/mappers/mod_rewrite. c=================================================================== --- modules/mappers/mod_rewrite. c (revision 1 4 6 9 3 1 0) +++ modules/mappers/mod_rewrite. c (working copy) @@ -500,11 +500,11 @@ a logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] " "(%d) %s%s%s%s" APR_EOL_STR, - rhost ? rhost : "UNKNOWN-HOST", - rname ? rname : "-", - r->user ? (r->user ? r->user : "\"\"") : "-", + rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST", + rname ? ap_escape_logitem(r->pool, rname) : "-", + r->user ? (r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-", current_logtime(r), - ap_get_server_name(r), + ap_escape_logitem(r->pool, ap_get_server_name(r)), (void )(r->server), (void )r, r->main ? "subreq" : "initial", @@ -514,7 +514,7 @@ perdir ? "[perdir " : "", perdir ? perdir : "", perdir ? "] ": "", - text); + ap_escape_logitem(r->pool, text)); nbytes = strlen(a logline); apr_file_write(conf->rewritelogfp, a logline, &nbytes);
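Review bot: in the mod_rewrite.c hunk at -500, the r->user argument as shown tests the same pointer twice (`r->user ? (r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-"`), so the `"\"\""` branch can never be taken. If the intent is to log "" for an empty user name, the inner condition should test the first character of the string rather than the pointer; worth correcting while this line is being changed anyway.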
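Review bot: in the mod_rewrite.c hunk at -514, `text` is now escaped but `perdir` on the context line just above (`perdir ? perdir : ""`) is still written raw into the same log line. If perdir can only originate from server configuration, a short comment saying so would explain the asymmetry; otherwise pass it through ap_escape_logitem as well.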
