the apache mod_rewrite module command to perform a detailed analysis attached to POC(CVE-2 0 1 3-1 8 6 2)-vulnerability warning-the black bar safety net

2013-06-05T00:00:00
ID MYHACK58:62201339116
Type myhack58
Reporter 佚名
Modified 2013-06-05T00:00:00

Description

The vulnerability by the security treasure inside security researcher analysis. The analysis is as follows:

Recently see a lot of security media are in the description”Apache log file vulnerability could execute arbitrary code”,

As security researchers look into”execute arbitrary code”, of course, is the need for highly sensitive, because it means that the attacker can spike your server, coupled with the Apche of the use of the wide range of feeling harm is still very large, so in the spirit study the spirit of the decision of this vulnerability for the following analysis,

We first look at the official description:

!

mod_rewrite:ensure that client is written to the RewriteLog data is the result of a terminal escape sequence and then written to the log file. (Note:own translation, feel the meaning should be almost J)

So here is the first correction following the media vulnerabilities described it(estimated to be someone to attract attention or benefit and to whom), where the first science, it is clear that the problem is found in apache's mod_rewrite module, the mod_rewrite module via the RewriteLog function records the rewrite operation of the log, but the RewriteLog function without a filter, the user data is directly written into the LogFile.

CVE-2 0 1 3-1 8 6 2 vulnerability is the essence of:

1 RewriteLog function without the user's input data is the terminal escape character filtering

2 essentially should be the Mod_Rewrite log file vulnerability, rather than the Apache log file

Really have been scammed feel, but still decided to continue the analysis of this vulnerability:

We first look at the latest version of mod_rewrite. c this file is the specific content:

!

Function first will first read the mod_rewrite configuration files, access to rewritelog file pointer, then get the log file of the desired variable information, the variable data is the terminal escape character, the last format write rewitelog file.

[1] [2] [3] next