logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document

Untitled Document

Apache mod_access_referer denial of service issue
Date: 2003-04-17

Author : zillion <zillion@safemode.org>

==================================================================
Safemode.org security advisory: mod_access_referer
==================================================================

Subject:
========

Apache module mod_access_referer 1.0.2 contains a NULL pointer
dereference vulnerability.

Problem description:
====================

In the find_allowdeny() function, the Apache uri_components structure
named "uptr" is initialized by the Apache ap_parse_uri_components
function. This struct contains a pointer named "hostname" that is
given to the is_ip() function in order to determine whether the
value given as referer header field is an IP address or domain name.

The relevant code snippets are:

--- -snip snip- ---

ap_parse_uri_components (r->pool,
ap_table_get
(r->headers_in,
"Referer"),
&uptr);

if (!is_ip (uptr.hostname)) {

--- -snip snip- ---

static int
is_ip (const char *host)
{
/* this just tests if it matches [\d.]* */
/* XX is a better test needed? */
while ((*host == '.') || ap_isdigit (*host))
host++;

return (*host == '\0');
}

--- -snip snip- ---

When the server is send an incorrect referer header field, the
ap_parse_uri_components will not initialize the uptr.hostname
pointer. This has the result that is_ip() can be forced to read
from a NULL pointer with a segmentation fault as result. An example
referer header field to trigger the issue:

Referer: ://its-missing-http.com

Abuse of this NULL pointer dereference vulnerability can possibly
be used in denial of service attacks against affected systems.


How to counter the issue:
=========================

New, unofficial, fixed RPM files can be found here:
ftp://ftp.pld.org.pl/dists/ra/test/

A simple patch is available here:
http://sourceforge.net/projects/accessreferer/

--

Greets to 0dd, SNO and all @defaced.be



 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy