Bugtraq mailing list archives
Re: POC & exploit for Apache mod_rewrite off-by-one
From: arulvadivel1 () rediffmail com
Date: 19 May 2009 12:30:27 -0000
Hi Jacobo,
If my httpd.conf file is defined with the following directives, could you please let me know whether it will be affected
by this vulnerability or not?
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
I think it will not be affected, as per the information below:
This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the
Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule
with the following characteristics:
* The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the
substitution URL starts with $1)
* The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE)
Regards,
Ramesh
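
The two characteristics quoted in the message above can be checked mechanically against a configuration file. The following is an added example, not part of the original post or of the Apache project: the names audit, parse_flags and EXEMPT_FLAGS are hypothetical, the sample configuration is constructed, and it assumes any substitution beginning with a $N backreference is treated like the $1 case the advisory text mentions.

```python
import re

# Flags the quoted advisory text names as making a rule unaffected
# (mod_rewrite short and long forms, compared case-insensitively).
EXEMPT_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')

def parse_flags(token):
    """Turn '[R=301,L]' into {'r', 'l'}; anything else yields an empty set."""
    if not (token.startswith("[") and token.endswith("]")):
        return set()
    parts = token[1:-1].split(",")
    return {p.split("=", 1)[0].strip().lower() for p in parts if p.strip()}

def audit(config_text):
    """Return (line_no, rule) for each RewriteRule matching both characteristics."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        tokens = [t.strip('"') for t in TOKEN.findall(line)]
        if len(tokens) < 3 or tokens[0].lower() != "rewriterule":
            continue
        substitution = tokens[2]
        flags = parse_flags(tokens[3]) if len(tokens) > 3 else set()
        # Characteristic 1: substitution begins with a pattern backreference.
        starts_with_backref = re.match(r"\$\d", substitution) is not None
        # Characteristic 2: none of F, G or NE is set on the rule.
        if starts_with_backref and not (flags & EXEMPT_FLAGS):
            findings.append((no, line))
    return findings

# Constructed sample: the three directives from the message plus
# three hypothetical rules that exercise each branch of the check.
SAMPLE = """\
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteRule ^/proxy/(.*)$ $1 [R,L]
RewriteRule ^/ext/(.*)$ $1 [NE,L]
RewriteRule ^/docs/(.*)$ /manual/$1 [L]
"""

if __name__ == "__main__":
    for no, rule in audit(SAMPLE):
        print(f"line {no}: matches both characteristics: {rule}")
```

The check is a text-level heuristic over RewriteRule lines only; it does not follow Include directives or .htaccess files, so those need to be fed to it separately.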
