One possible reason for Apache segfaulting when hit by this worm in some configurations is addressed in the below patch that has been committed to the 1.3 tree. This does not represent a security problem, just a good old normal bug. A very mild DoS potential, but that is Very with a capital V.

dgaudet 01/09/20 20:51:54
Modified: src CHANGES src/include httpd.h src/modules/standard mod_include.c
Log:
ErrorDocument 404 pointing to a parsed html file with a <!--#include virtual="file" --> with a request URI containing %2f would result in a segfault (NULL pointer deref, not a security problem).
PR: 8362
Revision Changes Path 1.1708 +5 -0 apache-1.3/src/CHANGES Index: CHANGES =================================================================== RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1707 retrieving revision 1.1708 diff -u -r1.1707 -r1.1708 --- CHANGES 2001/09/12 15:16:41 1.1707 +++ CHANGES 2001/09/21 03:51:53 1.1708 @@ -1,5 +1,10 @@ Changes with Apache 1.3.21 + *) ErrorDocument 404 pointing to a parsed html file with a + <!--#include virtual="file" --> with a request URI containing + %2f would result in a segfault (NULL pointer deref, not a + security problem). [Jeff Moe <tuxat_private>, Dean Gaudet] PR#8362 + *) UnsetEnv from main body of httpd.conf file didn't work; backport of bugfix from 2.0 codebase. [Gary Benson <gbensonat_private>] PR#8254 1.345 +1 -1 apache-1.3/src/include/httpd.h Index: httpd.h =================================================================== RCS file: /home/cvs/apache-1.3/src/include/httpd.h,v retrieving revision 1.344 retrieving revision 1.345 diff -u -r1.344 -r1.345 --- httpd.h 2001/08/13 17:09:42 1.344 +++ httpd.h 2001/09/21 03:51:54 1.345 
@@ -806,7 +806,7 @@ char *unparsed_uri; /* the uri without any parsing performed */ char *uri; /* the path portion of the URI */ - char *filename; + char *filename; /* filename if found, otherwise NULL */ char *path_info; char *args; /* QUERY_ARGS, if any */ struct stat finfo; /* ST_MODE set to zero if no such file */ 1.130 +1 -1 apache-1.3/src/modules/standard/mod_include.c Index: mod_include.c =================================================================== RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_include.c,v retrieving revision 1.129 retrieving revision 1.130 diff -u -r1.129 -r1.130 --- mod_include.c 2001/07/13 19:45:52 1.129 +++ mod_include.c 2001/09/21 03:51:54 1.130 @@ -718,7 +718,7 @@ for (p = r; p != NULL && !founddupe; p = p->main) { request_rec *q; for (q = p; q != NULL; q = q->prev) { - if ( (strcmp(q->filename, rr->filename) == 0) || + if ( (q->filename && strcmp(q->filename, rr->filename) == 0) || (strcmp(q->uri, rr->uri) == 0) ){ founddupe = 1; break; ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
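Review bot: the new CHANGES entry (the `+ *) ErrorDocument 404 ...` lines in the first hunk) does not name the module or the actual defect, so a reader of CHANGES cannot tell that only mod_include's duplicate-include check was changed or that the root cause is `filename` being NULL on the error-document request. Suggest prefixing the entry with the module and stating the fix, e.g. "mod_include: NULL-check `filename` in the duplicate-include loop; ErrorDocument 404 pointing to a parsed html file with a ...", so the entry matches what the httpd.h and mod_include.c hunks of this commit actually do.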
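Review bot: the new comment on `filename` in the httpd.h hunk ("filename if found, otherwise NULL") documents a contract rather than changing behaviour, and the commit only fixes one consumer of it; any other code that hands `r->filename` to strcmp, strlen or the like without a check has exactly the dereference this patch addresses in mod_include.c. Suggest widening the comment to say callers must test for NULL before using the value as a string, so the next reader of the struct knows the field is optional and does not repeat the pattern this commit fixes.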
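Review bot: the guard added in the mod_include.c hunk, `q->filename && strcmp(q->filename, rr->filename) == 0`, only protects the left operand; by the contract this same commit writes into httpd.h, `rr->filename` can also be NULL (the subrequest created for the include may fail translation the same way the error-document request did), in which case strcmp is still called with a NULL pointer. Suggest guarding both sides: `if ( (q->filename && rr->filename && strcmp(q->filename, rr->filename) == 0) ||`, leaving the second clause `strcmp(q->uri, rr->uri) == 0` as the fallback comparison.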
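As an added illustration, not part of the original post or of the Apache commit, the following is a minimal Apache 1.3 configuration with the shape the log message describes (a 404 ErrorDocument that is itself a server-parsed file containing an include virtual), so an administrator can check whether a server is in the affected configuration. The paths, file names, the SSI file contents and the probe request are assumptions; only the shape of the setup and the %2f trigger come from the commit log.

```apacheconf
# Added example, not from the original post or the Apache commit. The paths
# and file names below are assumptions; only the setup (a 404 ErrorDocument
# that is a server-parsed file containing <!--#include virtual=... -->) and
# the %2f trigger come from the commit log for PR 8362.

# Enable server-side includes (mod_include) for .shtml files.
AddType text/html .shtml
AddHandler server-parsed .shtml
<Directory "/usr/local/apache/htdocs/errors">
    Options +Includes
</Directory>

# The affected setup: the 404 handler is itself a parsed file.
ErrorDocument 404 /errors/404.shtml

# /usr/local/apache/htdocs/errors/404.shtml (assumed content):
#   <html><body>Not found<!--#include virtual="/errors/footer.html" --></body></html>
#
# Check: request a URI that contains an encoded slash, for example
#   GET /no%2fsuch%2fpath HTTP/1.0
# On an unpatched 1.3 server the child serving that request dies and the
# error_log records a line of the form
#   [notice] child pid NNNN exit signal Segmentation fault (11)
# while a server with the mod_include.c fix above returns the parsed 404 page.
```

Because Apache 1.3 serves each request from a separate child process, the crash takes down only the child handling that request, which is why the commit log rates it as a plain bug rather than a security problem.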
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 08:40:18 PDT