Headline
CVE-2013-1862
mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator.
Index: CHANGES =================================================================== — CHANGES (revision 1469310) +++ CHANGES (working copy) @@ -1,8 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.25 + *) SECURITY: CVE-2013-1862 (cve.mitre.org) + mod_rewrite: Ensure that client data written to the RewriteLog is + escaped to prevent terminal escape sequences from entering the + log file. [Joe Orton] - Changes with Apache 2.2.24 *) SECURITY: CVE-2012-3499 (cve.mitre.org) Index: modules/mappers/mod_rewrite.c =================================================================== — modules/mappers/mod_rewrite.c (revision 1469310) +++ modules/mappers/mod_rewrite.c (working copy) @@ -500,11 +500,11 @@ logline = apr_psprintf(r->pool, “%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] " "(%d) %s%s%s%s” APR_EOL_STR, - rhost ? rhost : "UNKNOWN-HOST", - rname ? rname : "-", - r->user ? (*r->user ? r->user : “\"\"”) : "-", + rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST", + rname ? ap_escape_logitem(r->pool, rname) : "-", + r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : “\"\"”) : "-", current_logtime®, - ap_get_server_name®, + ap_escape_logitem(r->pool, ap_get_server_name®), (void *)(r->server), (void *)r, r->main ? “subreq” : "initial", @@ -514,7 +514,7 @@ perdir ? "[perdir " : "", perdir ? perdir : "", perdir ? "] ": "", - text); + ap_escape_logitem(r->pool, text)); nbytes = strlen(logline); apr_file_write(conf->rewritelogfp, logline, &nbytes);
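Review bot: in the `@@ -500,11 +500,11 @@` hunk of modules/mappers/mod_rewrite.c the escaping is applied argument by argument, and nothing in the code states the rule. A field added to this apr_psprintf call later can easily be passed through raw again. Suggest a short comment above the call saying that every request-derived string must go through ap_escape_logitem(r->pool, ...) before it is formatted into the RewriteLog line. As a style point, the r->user ternary is now long enough that hoisting the escaped value into a local variable before the call would read better.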
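Review bot: in the `@@ -514,7 +514,7 @@` hunk, text is now escaped but the perdir argument in the context lines just above it (`perdir ? perdir : ""`) is still formatted raw. If perdir can ever carry bytes that originate from the request, it needs the same ap_escape_logitem(r->pool, perdir) treatment. If it is purely configuration-derived, a one-line comment saying so would show the omission is deliberate and keep the CHANGES wording ("client data written to the RewriteLog is escaped") accurate.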
Related news
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32-bit systems, an integer overflow happens which later causes out-of-bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.