lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: jonas.thambert at (
Subject: SA04-002 - Apache config file env variable buffer overflow

* SITIC Vulnerability Advisory *

           Advisory Name: Apache config file env variable buffer overflow
      Advisory Reference: SA04-002
 Date of initial release: 2004-09-15
                 Product: Apache 2.0.x
                Platform: Linux, BSD systems, Unix, Windows
                  Effect: Code execution when processing .htaccess files
Vulnerability Identifier: CAN-2004-0747


Apache suffers from a buffer overflow when expanding environment variables
in configuration files such as .htaccess and httpd.conf. In a setup typical
of ISPs, for instance, users are allowed to configure their own public_html
directories with .htaccess files, leading to possible privilege escalation.


The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess
or httpd.conf files. The function ap_resolve_env() in server/util.c copies
data from environment variables to the character array tmp with strcat(3),
leading to a buffer overflow.

HTTP requests that exploit this problem are not shown in the access log. The
error log will show Segmentation faults, though.

Mitigating factors:

Exploitation requires manual installation of malicious .htaccess files by
someone with normal user rights.

Affected versions:

  o  Apache 2.0.50
  o  many other 2.0.x versions


  o  A fix for this issue is incorporated into Apache 2.0.51
  o  For Apache 2.0.*: The Apache Software Foundation has published a patch
     which is the official fix for this issue.

Patch information:

  o  The Apache 2.0.51 release is available from the following source:
  o  For Apache 2.0.*, the patch is available from the following source:


This vulnerability was discovered by Ulf Harnhammar for SITIC, Swedish IT 
Incident Centre.

Contact information:

Swedish IT Incident Centre, SITIC
P O Box 5398, SE-102 49 Stockholm, Sweden
Telephone: +46-8-678 5799
Email: sitic at pts dot se

Revision history:

Initial release 2004-09-15

About SITIC:

The Swedish IT Incident Centre within the National Post and Telecom Agency
has the task to support society in working with protection against IT
incidents. SITIC facilitates exchange of information regarding IT incidents
between organisations in society, and disseminates information about new
problems which potentially may impede the functionality of IT systems. In
addition, SITIC provides information and advice regarding proactive measures
and compiles and publishes statistics.


The decision to follow or act on information or advice contained in this
Vulnerability Advisory is the responsibility of each user or organisation.
SITIC accepts no responsibility for any errors or omissions contained within
this Vulnerability Advisory, nor for any consequences which may arise from
following or acting on information or advice contained herein.

Powered by blists - more mailing lists