logo Home

Untitled Document

Home > Archives Advisories > Articles

Untitled Document

Untitled Document

Apache mod_access_referer denial of service issue
Date: 2003-04-17

Author : zillion <zillion@safemode.org>

Safemode.org security advisory: mod_access_referer


Apache module mod_access_referer 1.0.2 contains a NULL pointer
dereference vulnerability.

Problem description:

In the find_allowdeny() function, the Apache uri_components structure
named "uptr" is initialized by the Apache ap_parse_uri_components
function. This struct contains a pointer named "hostname" that is
given to the is_ip() function in order to determine whether the
value given as referer header field is an IP address or domain name.

The relevant code snippets are:

--- -snip snip- ---

ap_parse_uri_components (r->pool,

if (!is_ip (uptr.hostname)) {

--- -snip snip- ---

static int
is_ip (const char *host)
/* this just tests if it matches [\d.]* */
/* XX is a better test needed? */
while ((*host == '.') || ap_isdigit (*host))

return (*host == '\0');

--- -snip snip- ---

When the server is send an incorrect referer header field, the
ap_parse_uri_components will not initialize the uptr.hostname
pointer. This has the result that is_ip() can be forced to read
from a NULL pointer with a segmentation fault as result. An example
referer header field to trigger the issue:

Referer: ://its-missing-http.com

Abuse of this NULL pointer dereference vulnerability can possibly
be used in denial of service attacks against affected systems.

How to counter the issue:

New, unofficial, fixed RPM files can be found here:

A simple patch is available here:


Greets to 0dd, SNO and all @defaced.be


arrowSearch Advisories


Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.


About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy