Re: New worm segfaults apache

From: Marc Slemko (marcsat_private)
Date: Thu Sep 20 2001 - 21:12:05 PDT


    One possible reason for Apache segfaulting when hit by this worm in some
    configurations is addressed in the below patch that has been committed to
    the 1.3 tree.
    
    This does not represent a security problem, just a good old normal bug.  
    A very mild DoS potential, but that is Very with a capital V.
    
    
    
    dgaudet     01/09/20 20:51:54
    
      Modified:    src      CHANGES
                   src/include httpd.h
                   src/modules/standard mod_include.c
      Log:
      ErrorDocument 404 pointing to a parsed html file with a
      <!--#include virtual="file" --> with a request URI containing
      %2f would result in a segfault (NULL pointer deref, not a
      security problem).
      
      PR:		8362
      
      Revision  Changes    Path
      1.1708    +5 -0      apache-1.3/src/CHANGES
      
      Index: CHANGES
      ===================================================================
      RCS file: /home/cvs/apache-1.3/src/CHANGES,v
      retrieving revision 1.1707
      retrieving revision 1.1708
      diff -u -r1.1707 -r1.1708
      --- CHANGES	2001/09/12 15:16:41	1.1707
      +++ CHANGES	2001/09/21 03:51:53	1.1708
      @@ -1,5 +1,10 @@
       Changes with Apache 1.3.21
       
      +  *) ErrorDocument 404 pointing to a parsed html file with a
      +     <!--#include virtual="file" --> with a request URI containing
      +     %2f would result in a segfault (NULL pointer deref, not a
      +     security problem).  [Jeff Moe <tuxat_private>, Dean Gaudet] PR#8362
      +
         *) UnsetEnv from main body of httpd.conf file didn't work; backport
            of bugfix from 2.0 codebase. [Gary Benson <gbensonat_private>] PR#8254
       
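Review bot: the CHANGES entry names the symptom but not where it was fixed; since the code change lives in mod_include.c, saying so in the entry (e.g. "... would result in a segfault in mod_include") would let readers of CHANGES locate the fix without reading the commit.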
      
      
      
      1.345     +1 -1      apache-1.3/src/include/httpd.h
      
      Index: httpd.h
      ===================================================================
      RCS file: /home/cvs/apache-1.3/src/include/httpd.h,v
      retrieving revision 1.344
      retrieving revision 1.345
      diff -u -r1.344 -r1.345
      --- httpd.h	2001/08/13 17:09:42	1.344
      +++ httpd.h	2001/09/21 03:51:54	1.345
      @@ -806,7 +806,7 @@
       
           char *unparsed_uri;		/* the uri without any parsing performed */
           char *uri;			/* the path portion of the URI */
      -    char *filename;
      +    char *filename;		/* filename if found, otherwise NULL */
           char *path_info;
           char *args;			/* QUERY_ARGS, if any */
           struct stat finfo;		/* ST_MODE set to zero if no such file */
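Review bot: the new comment records that filename may be NULL, which is exactly the invariant the mod_include change depends on, but "if found" leaves open which paths leave it NULL. Spelling out the case the log message describes (an ErrorDocument subrequest whose URI contains %2f) would warn other code that passes r->filename to strcmp or similar of the same dereference.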
      
      
      
      1.130     +1 -1      apache-1.3/src/modules/standard/mod_include.c
      
      Index: mod_include.c
      ===================================================================
      RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_include.c,v
      retrieving revision 1.129
      retrieving revision 1.130
      diff -u -r1.129 -r1.130
      --- mod_include.c	2001/07/13 19:45:52	1.129
      +++ mod_include.c	2001/09/21 03:51:54	1.130
      @@ -718,7 +718,7 @@
                       for (p = r; p != NULL && !founddupe; p = p->main) {
       		    request_rec *q;
       		    for (q = p; q != NULL; q = q->prev) {
      -			if ( (strcmp(q->filename, rr->filename) == 0) ||
      +			if ( (q->filename && strcmp(q->filename, rr->filename) == 0) ||
       			     (strcmp(q->uri, rr->uri) == 0) ){
       			    founddupe = 1;
       			    break;
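Review bot: the guard only covers q->filename; rr->filename is still passed to strcmp unchecked, and by the new httpd.h comment filename can be NULL for any request_rec, so if the included subrequest rr is the one without a filename the call becomes strcmp(q->filename, NULL) and still dereferences NULL. Suggest `(q->filename && rr->filename && strcmp(q->filename, rr->filename) == 0) ||` so the comparison falls through to the uri check whenever either side has no filename.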
      
      
      
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    