SA04-002 - Apache config file env variable buffer overflow Sep 15 2004 01:20PM
jonas thambert pts se
* SITIC Vulnerability Advisory *

Advisory Name: Apache config file env variable buffer overflow
Advisory Reference: SA04-002
Date of initial release: 2004-09-15
Product: Apache 2.0.x
Platform: Linux, BSD systems, Unix, Windows
Effect: Code execution when processing .htaccess files
Vulnerability Identifier: CAN-2004-0747


Apache suffers from a buffer overflow when expanding environment variables
in configuration files such as .htaccess and httpd.conf. In a setup typical
of ISPs, for instance, users are allowed to configure their own public_html
directories with .htaccess files, leading to possible privilege escalation.


The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess
or httpd.conf files. The function ap_resolve_env() in server/util.c copies
data from environment variables to the character array tmp with strcat(3),
leading to a buffer overflow.

HTTP requests that exploit this problem are not shown in the access log. The
error log will show Segmentation faults, though.

Mitigating factors:

Exploitation requires manual installation of malicious .htaccess files by
someone with normal user rights.

Affected versions:

o Apache 2.0.50
o many other 2.0.x versions


o A fix for this issue is incorporated into Apache 2.0.51
o For Apache 2.0.*: The Apache Software Foundation has published a patch
which is the official fix for this issue.

Patch information:

o The Apache 2.0.51 release is available from the following source:
o For Apache 2.0.*, the patch is available from the following source:


This vulnerability was discovered by Ulf Harnhammar for SITIC, Swedish IT
Incident Centre.

Contact information:

Swedish IT Incident Centre, SITIC
P O Box 5398, SE-102 49 Stockholm, Sweden
Telephone: +46-8-678 5799
Email: sitic at pts dot se

Revision history:

Initial release 2004-09-15

About SITIC:

The Swedish IT Incident Centre within the National Post and Telecom Agency
has the task to support society in working with protection against IT
incidents. SITIC facilitates exchange of information regarding IT incidents
between organisations in society, and disseminates information about new
problems which potentially may impede the functionality of IT systems. In
addition, SITIC provides information and advice regarding proactive measures
and compiles and publishes statistics.


The decision to follow or act on information or advice contained in this
Vulnerability Advisory is the responsibility of each user or organisation.
SITIC accepts no responsibility for any errors or omissions contained within
this Vulnerability Advisory, nor for any consequences which may arise from
following or acting on information or advice contained herein.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus