#3
|
Registered Abuser
Join Date: Jun 2006
Location: London, England.
Posts: 176
Sounds like what the advisory says - if you've...

a) compiled mod_rewrite in a particular way (they don't give details)
b) use rewrite rules which start with $1 (to insert the value of a previous match) and don't use the F, G or NE flags

...then apply the fixes.

It sounds like the denial of service attacks can be achieved by passing a particular URL to the server so that it runs itself in circles and starts requesting a crap load of pages from Apache. The arbitrary code execution could be more worrying, since it could allow the attacker to gain control of the server, but again they don't go into details.

There are so many security vulnerabilities coming out all the time. If responsible for a server, I'd say you could take one of two approaches:

1. Monitor all security alerts by subscribing to the mailing lists. Apply fixes if the vulnerability could affect your environment. This process will be ongoing and time consuming, hence one of the reasons sys admins exist.

2. If your site doesn't contain any sensitive data (i.e. it's all public info available through the web site anyway), just take regular backups and periodically update the software. This of course adds risk of your server being compromised, in which case you'll have to spend a lot longer restoring the site (with down time), but you'll not have to spend all your time applying patches.
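The post above summarises the advisory's affected-rule conditions: a RewriteRule whose substitution starts with $1 and which carries none of the F, G or NE flags. As an added example (not code from the original thread, from the advisory or from the Apache project), here is a small Python checker that scans an httpd configuration for rules matching those conditions so you can see which rules need the flag added or the patch applied. It assumes pattern and substitution arguments are unquoted (no spaces), treats any `$N` backreference at the start of the substitution as in scope (a generalisation of the `$1` case the post mentions), and runs over a constructed sample config embedded below. Whether a given build is actually vulnerable also depends on how mod_rewrite was compiled, which a config scan cannot tell you.

```python
import re

# Flags that, per the advisory as summarised in the post above, take a rule
# out of the affected set.
SAFE_FLAGS = {"F", "G", "NE"}

_RULE_RE = re.compile(r"^\s*RewriteRule\s+(.*)$", re.IGNORECASE)
# Trailing [flag,flag=value,...] group at the end of the directive.
_FLAGS_RE = re.compile(r"\[([^\]]*)\]\s*$")
# Substitution beginning with a backreference such as $1 (generalised to $N).
_BACKREF_RE = re.compile(r"^\$\d")


def parse_rewrite_rule(line):
    """Return (pattern, substitution, flag_names) for a RewriteRule line,
    or None if the line is not a RewriteRule directive.
    Assumes unquoted pattern/substitution arguments (no embedded spaces)."""
    m = _RULE_RE.match(line)
    if not m:
        return None
    rest = m.group(1).strip()
    flags = set()
    fm = _FLAGS_RE.search(rest)
    if fm:
        for raw in fm.group(1).split(","):
            raw = raw.strip()
            if raw:
                # R=301, T=text/html etc.: keep only the flag name.
                flags.add(raw.split("=", 1)[0].upper())
        rest = rest[:fm.start()].rstrip()
    parts = rest.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1], flags


def rule_matches_advisory(line):
    """True when the substitution begins with a backreference and none of
    the F, G or NE flags is present, i.e. the rule meets the conditions
    described in the post above."""
    parsed = parse_rewrite_rule(line)
    if parsed is None:
        return False
    _pattern, subst, flags = parsed
    return bool(_BACKREF_RE.match(subst)) and not (flags & SAFE_FLAGS)


def scan_config(text):
    """Return (line_number, stripped_line) for every affected rule in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if rule_matches_advisory(line):
            hits.append((n, line.strip()))
    return hits


# Constructed sample config for the demonstration (not a real site's config).
SAMPLE_CONFIG = r"""RewriteEngine On
# Affected: substitution starts with $1, no F/G/NE flag
RewriteRule ^/go/(.*)$ $1 [R,L]
# Not affected: NE flag present
RewriteRule ^/go/(.*)$ $1 [R,NE,L]
# Not affected: substitution does not start with a backreference
RewriteRule ^/old/(.*)$ /new/$1 [L]
# Not affected: F flag (forbidden) instead of a rewrite
RewriteRule ^/secret/(.*)$ $1 [F]
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule ^/(.*)$ $1
"""

if __name__ == "__main__":
    for n, line in scan_config(SAMPLE_CONFIG):
        print(f"line {n}: {line}")
```

Run it against your own config with `scan_config(open("/etc/apache2/httpd.conf").read())` (path assumed; adjust for your layout, and remember that rules in Include'd files and .htaccess files need scanning too). A hit means the rule meets the conditions the post lists, not that the build is exploitable; the fix is still to patch httpd, with adding NE (or F/G where the rule's intent allows) as the configuration-side mitigation the post describes.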
#6
|
Registered Abuser
Join Date: Jun 2006
Location: London, England.
Posts: 176
Your hosting provider should keep on top of these things if they're any good. You shouldn't have to worry about it unless you host sites yourself and are responsible for the server environment. If you host sites yourself, you're either going to have to start monitoring the advisories for all installed software (of which there will be LOADS, and you should consider how the ongoing effort will affect your time/costs) or make sure you don't have any contractual obligations along those lines and just do regular backups and periodic software updates.