Vulnwatch mailing list archives

Apache mod_access_referer denial of service issue


From: zillion <zillion () safemode org>
Date: Wed, 16 Apr 2003 23:14:33 +0200



==================================================================
      Safemode.org security advisory: mod_access_referer 
==================================================================

Subject:
========

Apache module mod_access_referer 1.0.2 contains a NULL pointer
dereference vulnerability.

Problem description:
====================

In the find_allowdeny() function, the Apache uri_components structure
named "uptr" is initialized by the Apache ap_parse_uri_components
function. This struct contains a pointer named "hostname" that is
passed to the is_ip() function in order to determine whether the
value supplied in the Referer header field is an IP address or a
domain name.

The relevant code snippets are:

         --- -snip snip- ---

         ap_parse_uri_components (r->pool,
                                  ap_table_get (r->headers_in, "Referer"),
                                  &uptr);

         if (!is_ip (uptr.hostname)) {

         --- -snip snip- ---

static int
is_ip (const char *host)
{
        /* this just tests if it matches [\d.]* */
        /* XX is a better test needed? */
        while ((*host == '.') || ap_isdigit (*host))
                host++;
                
        return (*host == '\0');
}

         --- -snip snip- ---

When the server is sent a malformed Referer header field,
ap_parse_uri_components will not initialize the uptr.hostname
pointer. As a result, is_ip() can be forced to read from a NULL
pointer, which causes a segmentation fault. An example Referer
header field that triggers the issue:

Referer: ://its-missing-http.com

This NULL pointer dereference vulnerability can possibly be used in
denial of service attacks against affected systems.


How to counter the issue:
=========================

New, unofficial, fixed RPM files can be found here:
ftp://ftp.pld.org.pl/dists/ra/test/

A simple patch is available here:
http://sourceforge.net/projects/accessreferer/

--

Greets to 0dd, SNO and all @defaced.be
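
A defensive form of the hostname check described in the advisory, as an
added example (it is not the module's code and not the project's patch).
The struct uri_parts stand-in and the names is_ip_checked() and
classify_referer_host() are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for Apache's uri_components: only the field the advisory discusses. */
struct uri_parts { const char *hostname; };

enum host_kind { HOST_MISSING, HOST_IP, HOST_NAME };

/* Same [\d.]* test as the module's is_ip(), but a NULL or empty host
 * is reported as "not an IP" instead of being dereferenced. */
static int is_ip_checked(const char *host)
{
    if (host == NULL || *host == '\0')
        return 0;
    while (*host == '.' || isdigit((unsigned char)*host))
        host++;
    return *host == '\0';
}

/* Classify the parsed Referer host; the caller applies its own policy
 * (for example, treating HOST_MISSING like an absent Referer). */
static enum host_kind classify_referer_host(const struct uri_parts *uptr)
{
    if (uptr == NULL || uptr->hostname == NULL || uptr->hostname[0] == '\0')
        return HOST_MISSING;
    return is_ip_checked(uptr->hostname) ? HOST_IP : HOST_NAME;
}

int main(void)
{
    /* Constructed inputs: the first models the parse result the advisory
     * describes for "Referer: ://its-missing-http.com" (hostname unset). */
    struct uri_parts samples[] = { { NULL }, { "192.0.2.10" }, { "example.org" } };
    static const char *names[] = { "missing", "ip", "name" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %s\n",
               samples[i].hostname ? samples[i].hostname : "(null)",
               names[classify_referer_host(&samples[i])]);
    return 0;
}
```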
