CVE-2006-3747 - Numeric Errors vulnerability in multiple products

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
apache
canonical
debian
CWE-189
nessus
exploit available
metasploit

Summary

Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.

Common Weakness Enumeration (CWE)

Exploit-Db

  • description: Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32). CVE-2006-3747. Remote exploit for windows platform
    id: EDB-ID:3680
    last seen: 2016-01-31
    modified: 2007-04-07
    published: 2007-04-07
    reporter: axis
    source: https://www.exploit-db.com/download/3680/
    title: Apache Mod_Rewrite Off-by-one Remote Overflow Exploit Win32
  • description: Apache module mod_rewrite LDAP protocol Buffer Overflow. CVE-2006-3747. Remote exploit for windows platform
    id: EDB-ID:16752
    last seen: 2016-02-02
    modified: 2010-02-15
    published: 2010-02-15
    reporter: metasploit
    source: https://www.exploit-db.com/download/16752/
    title: Apache module mod_rewrite LDAP protocol Buffer Overflow
  • description: Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC. CVE-2006-3747. Dos exploits for multiple platform
    id: EDB-ID:2237
    last seen: 2016-01-31
    modified: 2006-08-21
    published: 2006-08-21
    reporter: Jacobo Avariento
    source: https://www.exploit-db.com/download/2237/
    title: Apache < 1.3.37 / 2.0.59 / 2.2.3 - mod_rewrite Remote Overflow PoC
  • description: Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3). CVE-2006-3747. Remote exploit for windows platform
    id: EDB-ID:3996
    last seen: 2016-01-31
    modified: 2007-05-26
    published: 2007-05-26
    reporter: fabio/b0x
    source: https://www.exploit-db.com/download/3996/
    title: Apache 2.0.58 mod_rewrite Remote Overflow Exploit win2k3

Metasploit

description: This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. The flaw affects multiple platforms, however this module currently only supports Windows based installations.
id: MSF:EXPLOIT/WINDOWS/HTTP/APACHE_MOD_REWRITE_LDAP
last seen: 2020-06-13
modified: 2017-11-08
published: 2009-03-10
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/apache_mod_rewrite_ldap.rb
title: Apache Module mod_rewrite LDAP Protocol Buffer Overflow

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-133.NASL
    description: Mark Dowd, of McAfee Avert Labs, discovered a potential remotely exploitable off-by-one flaw in Apache
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23883
    published: 2006-12-16
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23883
    title: Mandrake Linux Security Advisory : apache (MDKSA-2006:133)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:133. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23883);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2006-3747");
      script_xref(name:"MDKSA", value:"2006:133");
    
      script_name(english:"Mandrake Linux Security Advisory : apache (MDKSA-2006:133)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Mark Dowd, of McAfee Avert Labs, discovered a potential remotely
    exploitable off-by-one flaw in Apache's mod_rewrite ldap scheme
    handling.
    
    In order for this to be exploitable, a number of conditions need to be
    met including a) running a vulnerable version of Apache (1.3.28+,
    2.0.46+, or 2.2.0+), b) enabling mod_rewrite, c) having a rewrite rule
    that the remote user can influence the beginning of, and d) a
    particular stack frame layout.
    
    By default, RewriteEngine is not enabled in Mandriva Linux Apache
    packages, and no RewriteRules are defined.
    
    Updated packages have been patched to correct this issue."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Module mod_rewrite LDAP Protocol Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_deflate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_disk_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_file_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_mem_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_userdir");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-modules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-peruser");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-prefork");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-worker");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-source");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", reference:"apache-base-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-devel-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mod_cache-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mod_dav-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mod_deflate-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mod_disk_cache-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mod_file_cache-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mod_ldap-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mod_mem_cache-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mod_proxy-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mod_userdir-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-modules-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mpm-peruser-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mpm-prefork-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-mpm-worker-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"apache-source-2.0.54-13.3.20060mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1132.NASL
    description: Mark Dowd discovered a buffer overflow in the mod_rewrite component of apache, a versatile high-performance HTTP server. In some situations a remote attacker could exploit this to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22674
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22674
    title: Debian DSA-1132-1 : apache2 - buffer overflow
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_35436.NASL
    description: s700_800 11.04 Virtualvault 4.7 OWS (Apache 2.x) update : The remote HP-UX host is affected by multiple vulnerabilities : - Potential security vulnerabilities have been identified with Apache running on HP-UX VirtualVault. These vulnerabilities could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access. (HPSBUX02172 SSRT061269) - A security vulnerability has been identified in OpenSSL used in HP VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote unauthorized access. (HPSBUX02165 SSRT061266)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23714
    published: 2006-11-22
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23714
    title: HP-UX PHSS_35436 : s700_800 11.04 Virtualvault 4.7 OWS (Apache 2.x) update
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_35458.NASL
    description: s700_800 11.04 Virtualvault 4.5 IWS Update : The remote HP-UX host is affected by multiple vulnerabilities : - A security vulnerability has been identified in OpenSSL used in HP VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote unauthorized access. (HPSBUX02165 SSRT061266) - Two potential security vulnerabilities have been reported in HP-UX VirtualVault Apache HTTP server versions prior to Apache 1.3.37 that may allow a Denial of Service (DoS) attack and execution of arbitrary code. (HPSBUX02164 SSRT061265)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23716
    published: 2006-11-22
    reporter: This script is Copyright (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23716
    title: HP-UX PHSS_35458 : s700_800 11.04 Virtualvault 4.5 IWS Update
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_35463.NASL
    description: s700_800 11.04 Virtualvault 4.7 (Apache 1.x) OWS update : The remote HP-UX host is affected by multiple vulnerabilities : - Two potential security vulnerabilities have been reported in HP-UX VirtualVault Apache HTTP server versions prior to Apache 1.3.37 that may allow a Denial of Service (DoS) attack and execution of arbitrary code. (HPSBUX02164 SSRT061265) - A security vulnerability has been identified in OpenSSL used in HP VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote unauthorized access. (HPSBUX02165 SSRT061266)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23721
    published: 2006-11-22
    reporter: This script is Copyright (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23721
    title: HP-UX PHSS_35463 : s700_800 11.04 Virtualvault 4.7 (Apache 1.x) OWS update
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36385.NASL
    description: s700_800 11.X PA-RISC OV NNM7.51 Intermediate Patch 16 : Potential vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) running Apache. These vulnerabilities could be exploited remotely resulting in cross site scripting (XSS), Denial of Service (DoS), or execution of arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26154
    published: 2007-09-25
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/26154
    title: HP-UX PHSS_36385 : HP OpenView Network Node Manager (OV NNM) Running Apache, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Execute Arbitrary Code (HPSBMA02328 SSRT071293 rev.2)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-328-1.NASL
    description: Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite module
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27907
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/27907
    title: Ubuntu 5.04 / 5.10 / 6.06 LTS : apache2 vulnerability (USN-328-1)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_35110.NASL
    description: s700_800 11.04 Webproxy server 2.0 update : The remote HP-UX host is affected by multiple vulnerabilities : - Two potential security vulnerabilities have been reported in HP-UX VirtualVault Apache HTTP server versions prior to Apache 1.3.37 that may allow a Denial of Service (DoS) attack and execution of arbitrary code. (HPSBUX02164 SSRT061265) - A security vulnerability has been identified in OpenSSL used in HP VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote unauthorized access. (HPSBUX02165 SSRT061266)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23712
    published: 2006-11-22
    reporter: This script is Copyright (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23712
    title: HP-UX PHSS_35110 : s700_800 11.04 Webproxy server 2.0 update
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2006_043.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2006:043 (apache,apache2). The following security problem was fixed in the Apache and Apache 2 web servers: mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. Depending on stack alignment this could be used to potentially execute code. The mod_rewrite module is not enabled per default in our packages. This problem is tracked by the Mitre CVE ID CVE-2006-3747. A more detailed description of this problem is available in: http://www.apache.org/dist/httpd/Announcement2.0.html For SUSE Linux 10.0, 10.1 and SUSE Linux Enterprise 10 additionally an old bug was fixed that we missed to forward port to the Apache 2.2 packages: mod_imap: Fixes a cross-site-scripting bug in the imagemap module. This issue is tracked by the Mitre CVE ID CVE-2005-3352.
    last seen: 2019-10-28
    modified: 2007-02-18
    plugin id: 24423
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24423
    title: SUSE-SA:2006:043: apache,apache2
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_35437.NASL
    description: s700_800 11.04 Webproxy server 2.1 (Apache 2.x) update : The remote HP-UX host is affected by multiple vulnerabilities : - A security vulnerability has been identified in OpenSSL used in HP VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote unauthorized access. (HPSBUX02165 SSRT061266) - Potential security vulnerabilities have been identified with Apache running on HP-UX VirtualVault. These vulnerabilities could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access. (HPSBUX02172 SSRT061269)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23715
    published: 2006-11-22
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23715
    title: HP-UX PHSS_35437 : s700_800 11.04 Webproxy server 2.1 (Apache 2.x) update
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_35461.NASL
    description: s700_800 11.04 Virtualvault 4.5 OWS update : The remote HP-UX host is affected by multiple vulnerabilities : - Two potential security vulnerabilities have been reported in HP-UX VirtualVault Apache HTTP server versions prior to Apache 1.3.37 that may allow a Denial of Service (DoS) attack and execution of arbitrary code. (HPSBUX02164 SSRT061265) - A security vulnerability has been identified in OpenSSL used in HP VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote unauthorized access. (HPSBUX02165 SSRT061266)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23719
    published: 2006-11-22
    reporter: This script is Copyright (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23719
    title: HP-UX PHSS_35461 : s700_800 11.04 Virtualvault 4.5 OWS update
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36773.NASL
    description: s700_800 11.X OV NNM7.01 Intermediate Patch 11 : The remote HP-UX host is affected by multiple vulnerabilities : - A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). This vulnerability could be exploited remotely to allow cross site scripting (XSS). (HPSBMA02283 SSRT071319) - A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). This vulnerability could be exploited remotely by an unauthorized user to execute arbitrary code with the permissions of the NNM server. (HPSBMA02281 SSRT061261) - Potential vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). The vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to execute arbitrary code. References: CVE-2008-3536, CVE-2008-3537, CVE-2008-3544 (Bugtraq ID 28668). (HPSBMA02362 SSRT080044, SSRT080045, SSRT080042) - Potential vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) running Apache. These vulnerabilities could be exploited remotely resulting in cross site scripting (XSS), Denial of Service (DoS), or execution of arbitrary code. (HPSBMA02328 SSRT071293) - A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM) running Shared Trace Service. The vulnerability could be remotely exploited to execute arbitrary code. (HPSBMA02242 SSRT061260) - A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to execute arbitrary code or to create a Denial of Service (DoS). (HPSBMA02348 SSRT080033)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26896
    published: 2007-10-03
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/26896
    title: HP-UX PHSS_36773 : s700_800 11.X OV NNM7.01 Intermediate Patch 11
  • NASL family: Web Servers
    NASL id: APACHE_1_3_37.NASL
    description: The remote host appears to be running a version of Apache which is older than 1.3.37. This version contains an off-by-one buffer overflow in the mod_rewrite module.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31654
    published: 2008-03-26
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31654
    title: Apache < 1.3.37 mod_rewrite LDAP Protocol URL Handling Overflow
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2006-209-01.NASL
    description: New Apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue with mod_rewrite.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22152
    published: 2006-08-04
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22152
    title: Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : Apache httpd (SSA:2006-209-01)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_5_3.NASL
    description: The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.3. Mac OS X 10.5.3 contains security fixes for a number of programs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32477
    published: 2008-05-29
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/32477
    title: Mac OS X 10.5.x < 10.5.3 Multiple Vulnerabilities
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2008-002.NASL
    description: The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. This update contains several security fixes for a number of programs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31605
    published: 2008-03-19
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31605
    title: Mac OS X Multiple Vulnerabilities (Security Update 2008-002)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36386.NASL
    description: s700_800 11.X IA-64 OV NNM7.51 Intermediate Patch 16 : Potential vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) running Apache. These vulnerabilities could be exploited remotely resulting in cross site scripting (XSS), Denial of Service (DoS), or execution of arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26155
    published: 2007-09-25
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/26155
    title: HP-UX PHSS_36386 : HP OpenView Network Node Manager (OV NNM) Running Apache, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Execute Arbitrary Code (HPSBMA02328 SSRT071293 rev.2)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200608-01.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200608-01 (Apache: Off-by-one flaw in mod_rewrite) An off-by-one flaw has been found in Apache
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22143
    published: 2006-08-04
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22143
    title: GLSA-200608-01 : Apache: Off-by-one flaw in mod_rewrite
  • NASL family: Web Servers
    NASL id: APACHE_2_2_3.NASL
    description: The remote host appears to be running a version of Apache which is older than 2.2.3. This version is vulnerable to an off-by-one buffer overflow attack in the mod_rewrite module.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31659
    published: 2008-03-26
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31659
    title: Apache < 2.2.3 mod_rewrite LDAP Protocol URL Handling Overflow
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_35462.NASL
    description: s700_800 11.04 Virtualvault 4.6 OWS update : The remote HP-UX host is affected by multiple vulnerabilities : - Two potential security vulnerabilities have been reported in HP-UX VirtualVault Apache HTTP server versions prior to Apache 1.3.37 that may allow a Denial of Service (DoS) attack and execution of arbitrary code. (HPSBUX02164 SSRT061265) - A security vulnerability has been identified in OpenSSL used in HP VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote unauthorized access. (HPSBUX02165 SSRT061266)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23720
    published: 2006-11-22
    reporter: This script is Copyright (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23720
    title: HP-UX PHSS_35462 : s700_800 11.04 Virtualvault 4.6 OWS update
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2008-003.NASL
    description: The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-003 applied. This update contains security fixes for a number of programs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32478
    published: 2008-05-29
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/32478
    title: Mac OS X Multiple Vulnerabilities (Security Update 2008-003)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_DC8C08C71E7C11DB88CF000C6EC775D9.NASL
    description: The Apache Software Foundation and The Apache HTTP Server Project reports : An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0. Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team. This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics : - The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1) - The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE). Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally. The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22118
    published: 2006-07-29
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22118
    title: FreeBSD : apache -- mod_rewrite buffer overflow vulnerability (dc8c08c7-1e7c-11db-88cf-000c6ec775d9)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_APACHE2-1906.NASL
    description: This update fixes security problems in the Apache2 webserver : mod_rewrite: Fixed an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. (CVE-2006-3747) For SUSE Linux Enterprise Server 10 additionally an old security problem was fixed: mod_imap: Fixes a cross-site scripting bug in the imagemap module. (CVE-2005-3352)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 29372
    published: 2007-12-13
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/29372
    title: SuSE 10 Security Update : Apache2 (ZYPP Patch Number 1906)
  • NASL family: Web Servers
    NASL id: APACHE_2_0_59.NASL
    description: The remote host appears to be running a version of Apache that is older than 2.0.59. This version contains an off-by-one buffer overflow in the mod_rewrite module.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31655
    published: 2008-03-26
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31655
    title: Apache < 2.0.59 mod_rewrite LDAP Protocol URL Handling Overflow
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1131.NASL
    description: Mark Dowd discovered a buffer overflow in the mod_rewrite component of apache, a versatile high-performance HTTP server. In some situations a remote attacker could exploit this to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22673
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22673
    title: Debian DSA-1131-1 : apache - buffer overflow
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2006-862.NASL
    description: This update fixes a security issue in the mod_rewrite module. Mark Dowd of McAfee Avert Labs reported an off-by-one security problem in the LDAP scheme handling of the mod_rewrite module. Where RewriteEngine was enabled, and for certain RewriteRules, this could lead to a pointer being written out of bounds. (CVE-2006-3747) The ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. The Fedora project has analyzed Fedora Core 4 and 5 binaries and determined that these distributions are vulnerable to this issue. However this flaw does not affect a default installation of Fedora Core; users who do not use, or have not enabled, the Rewrite module are not affected by this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24161
    published: 2007-01-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24161
    title: Fedora Core 4 : httpd-2.0.54-10.4 (2006-862)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-863.NASL
    descriptionThis update fixes a security issue in the mod_rewrite module. Mark Dowd of McAfee Avert Labs reported an off-by-one security problem in the LDAP scheme handling of the mod_rewrite module. Where RewriteEngine was enabled, and for certain RewriteRules, this could lead to a pointer being written out of bounds. (CVE-2006-3747) The ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. The Fedora project has analyzed Fedora Core 4 and 5 binaries and determined that these distributions are vulnerable to this issue. However this flaw does not affect a default installation of Fedora Core; users who do not use, or have not enabled, the Rewrite module are not affected by this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24162
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24162
    titleFedora Core 5 : httpd-2.2.2-1.2 (2006-863)
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_35460.NASL
    descriptions700_800 11.04 Virtualvault 4.7 IWS update : The remote HP-UX host is affected by multiple vulnerabilities : - Two potential security vulnerabilities have been reported in HP-UX VirtualVault Apache HTTP server versions prior to Apache 1.3.37 that may allow a Denial of Service (DoS) attack and execution of arbitrary code. (HPSBUX02164 SSRT061265) - A security vulnerability has been identified in OpenSSL used in HP VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote unauthorized access. (HPSBUX02165 SSRT061266)
    last seen2020-06-01
    modified2020-06-02
    plugin id23718
    published2006-11-22
    reporterThis script is Copyright (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23718
    titleHP-UX PHSS_35460 : s700_800 11.04 Virtualvault 4.7 IWS update
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_35459.NASL
    descriptions700_800 11.04 Virtualvault 4.6 IWS update : The remote HP-UX host is affected by multiple vulnerabilities : - Two potential security vulnerabilities have been reported in HP-UX VirtualVault Apache HTTP server versions prior to Apache 1.3.37 that may allow a Denial of Service (DoS) attack and execution of arbitrary code. (HPSBUX02164 SSRT061265) - A security vulnerability has been identified in OpenSSL used in HP VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote unauthorized access. (HPSBUX02165 SSRT061266)
    last seen2020-06-01
    modified2020-06-02
    plugin id23717
    published2006-11-22
    reporterThis script is Copyright (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23717
    titleHP-UX PHSS_35459 : s700_800 11.04 Virtualvault 4.6 IWS update
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_37141.NASL
    descriptions700_800 11.X OV NNM6.4x/ET2.0x Intermediate Patch 17 : The remote HP-UX host is affected by multiple vulnerabilities : - Potential vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) running Apache. These vulnerabilities could be exploited remotely resulting in cross site scripting (XSS), Denial of Service (DoS), or execution of arbitrary code. (HPSBMA02328 SSRT071293) - A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). This vulnerability could be exploited remotely by an unauthorized user to execute arbitrary code with the permissions of the NNM server. (HPSBMA02281 SSRT061261) - A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM) running Shared Trace Service. The vulnerability could be remotely exploited to execute arbitrary code. (HPSBMA02242 SSRT061260) - A potential security vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to create a Denial of Service (DoS). (HPSBMA02307 SSRT071420) - A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). This vulnerability could be exploited remotely to allow cross site scripting (XSS). (HPSBMA02283 SSRT071319)
    last seen2020-06-01
    modified2020-06-02
    plugin id29200
    published2007-12-04
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29200
    titleHP-UX PHSS_37141 : s700_800 11.X OV NNM6.4x/ET2.0x Intermediate Patch 17
  • NASL familySuSE Local Security Checks
    NASL idSUSE_APACHE2-1905.NASL
    descriptionThis update fixes the following security problem in the Apache webserver : mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. (CVE-2006-3747)
    last seen2020-06-01
    modified2020-06-02
    plugin id27145
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27145
    titleopenSUSE 10 Security Update : apache2 (apache2-1905)
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_35111.NASL
    descriptions700_800 11.04 Webproxy 2.1 (Apache 1.x) update : The remote HP-UX host is affected by multiple vulnerabilities : - A security vulnerability has been identified in OpenSSL used in HP VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote unauthorized access. (HPSBUX02165 SSRT061266) - Two potential security vulnerabilities have been reported in HP-UX VirtualVault Apache HTTP server versions prior to Apache 1.3.37 that may allow a Denial of Service (DoS) attack and execution of arbitrary code. (HPSBUX02164 SSRT061265)
    last seen2020-06-01
    modified2020-06-02
    plugin id23713
    published2006-11-22
    reporterThis script is Copyright (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23713
    titleHP-UX PHSS_35111 : s700_800 11.04 Webproxy 2.1 (Apache 1.x) update

Packetstorm

Saint

bid19204
descriptionApache mod_rewrite LDAP URL buffer overflow
idweb_server_apache_version
osvdb27588
titleapache_rewrite_ldap
typeremote

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:6610
    last seen2017-11-19
    modified2007-04-10
    published2007-04-10
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-6610
    titleApache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32)
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:16391
    last seen2017-11-19
    modified2006-08-21
    published2006-08-21
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-16391
    titleApache < 1.3.37 2.0.59 2.2.3 (mod_rewrite) Remote Overflow PoC
  • bulletinFamilyexploit
    descriptionApache is an open-source web server. The mod_rewrite module in Apache has a one-byte buffer overflow vulnerability when escaping an absolute URI scheme; an attacker may exploit this vulnerability to execute arbitrary commands on the server. When the escape_absolute_uri() function of the mod_rewrite module separates the tokens in an LDAP URL, a pointer to user-controlled data can be written outside the character pointer array, which may allow complete control of the affected host. Apache Group Apache 2.2.x >= 2.2.0 Apache Group Apache 2.0.x >= 2.0.46 Apache Group Apache 1.3.x >= 1.3.28 Temporary workaround: * Disable Apache's mod_rewrite module. Vendor patches: Apache Group ------------ The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://httpd.apache.org/download.cgi Debian ------ Debian has released security advisories (DSA-1132-1, DSA-1131-1) and corresponding patches for this issue: DSA-1132-1: New apache2 packages fix buffer overflow Link: http://www.debian.org/security/2005/dsa-1132 DSA-1131-1: New apache package fix buffer overflow Link: http://www.debian.org/security/2005/dsa-1131 Gentoo ------ Gentoo has released a security advisory (GLSA-200608-01) and a corresponding patch for this issue: GLSA-200608-01: Apache: Off-by-one flaw in mod_rewrite Link: http://security.gentoo.org/glsa/glsa-200608-01.xml All Apache users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose net-www/apache
    idSSV:429
    last seen2017-11-19
    modified2006-11-05
    published2006-11-05
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-429
    titleApache mod_rewrite module one-byte buffer overflow vulnerability
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:63874
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-63874
    titleApache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC

Statements

  • contributorMark J Cox
    lastmodified2008-07-02
    organizationApache
    statementFixed in Apache HTTP Server 2.2.3, 2.0.59, and 1.3.37: http://httpd.apache.org/security/vulnerabilities_22.html http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_13.html
  • contributorMark J Cox
    lastmodified2006-07-31
    organizationRed Hat
    statementThe ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler has added padding to the stack immediately after the buffer being overwritten, this issue can not be exploited, and Apache httpd will continue operating normally. The Red Hat Security Response Team analyzed Red Hat Enterprise Linux 3 and Red Hat Enterprise Linux 4 binaries for all architectures as shipped by Red Hat and determined that these versions cannot be exploited. This issue does not affect the version of Apache httpd as supplied with Red Hat Enterprise Linux 2.1

References