[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030416211433.GA14489@hal>
From: zillion at safemode.org (zillion)
Subject: Apache mod_access_referer denial of service issue
==================================================================
Safemode.org security advisory: mod_access_referer
==================================================================
Subject:
========
Apache module mod_access_referer 1.0.2 contains a NULL pointer
dereference vulnerability.
Problem description:
====================
In the find_allowdeny() function, the Apache uri_components structure
named "uptr" is initialized by the Apache ap_parse_uri_components
function. This struct contains a pointer named "hostname" that is
given to the is_ip() function in order to determine whether the
value given as referer header field is an IP address or domain name.
The relevant code snippets are:
--- -snip snip- ---
ap_parse_uri_components (r->pool,
ap_table_get
(r->headers_in,
"Referer"),
&uptr);
if (!is_ip (uptr.hostname)) {
--- -snip snip- ---
static int
is_ip (const char *host)
{
/* this just tests if it matches [\d.]* */
/* XX is a better test needed? */
while ((*host == '.') || ap_isdigit (*host))
host++;
return (*host == '\0');
}
--- -snip snip- ---
When the server is send an incorrect referer header field, the
ap_parse_uri_components will not initialize the uptr.hostname
pointer. This has the result that is_ip() can be forced to read
from a NULL pointer with a segmentation fault as result. An example
referer header field to trigger the issue:
Referer: ://its-missing-http.com
Abuse of this NULL pointer dereference vulnerability can possibly
be used in denial of service attacks against affected systems.
How to counter the issue:
=========================
New, unofficial, fixed RPM files can be found here:
ftp://ftp.pld.org.pl/dists/ra/test/
A simple patch is available here:
http://sourceforge.net/projects/accessreferer/
--
Greets to 0dd, SNO and all @defaced.be
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030416/c5046bf9/attachment.bin
Powered by blists - more mailing lists