ID CVE-2006-3747
Summary Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.
Vulnerable Configurations
  • cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.7:*:dev:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.30:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.31:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.33:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.51:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.52:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.53:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.54:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.55:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.56:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.57:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.58:*:*:*:*:*:*:*
  • cpe:2.3:o:ubuntu:ubuntu_linux:5.04:*:*:*:*:*:*:*
  • cpe:2.3:o:ubuntu:ubuntu_linux:5.10:*:*:*:*:*:*:*
  • cpe:2.3:o:ubuntu:ubuntu_linux:6.06_lts:*:*:*:*:*:*:*
CVSS
Base: 7.6 (as of 17-10-2018 - 21:29)
CWE CWE-189
Access
  • Vector: NETWORK
  • Complexity: HIGH
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
cvss-vector via4 AV:N/AC:H/Au:N/C:C/I:C/A:C
refmap via4
aixapar
  • PK27875
  • PK29154
  • PK29156
apple
  • APPLE-SA-2008-03-18
  • APPLE-SA-2008-05-28
bid 19204
bugtraq
  • 20060728 Apache mod_rewrite Buffer Overflow Vulnerability
  • 20060728 [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released
  • 20060728 rPSA-2006-0139-1 httpd mod_ssl
  • 20060820 POC & exploit for Apache mod_rewrite off-by-one
cert TA08-150A
cert-vn VU#395412
debian
  • DSA-1131
  • DSA-1132
fulldisc
  • 20060728 Apache 1.3.29/2.X mod_rewrite Buffer Overflow Vulnerability CVE-2006-3747
  • 20060728 [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released
gentoo GLSA-200608-01
hp
  • HPSBMA02250
  • HPSBMA02328
  • HPSBOV02683
  • HPSBUX02145
  • HPSBUX02164
  • SSRT061202
  • SSRT061265
  • SSRT061275
  • SSRT071293
  • SSRT090208
mandriva MDKSA-2006:133
openpkg OpenPKG-SA-2006.015
osvdb 27588
sectrack 1016601
secunia
  • 21197
  • 21241
  • 21245
  • 21247
  • 21266
  • 21273
  • 21284
  • 21307
  • 21313
  • 21315
  • 21346
  • 21478
  • 21509
  • 22262
  • 22368
  • 22388
  • 22523
  • 23028
  • 23260
  • 26329
  • 29420
  • 29849
  • 30430
sreason 1312
sunalert
  • 102662
  • 102663
suse SUSE-SA:2006:043
trustix 2006-0044
ubuntu USN-328-1
vupen
  • ADV-2006-3017
  • ADV-2006-3264
  • ADV-2006-3282
  • ADV-2006-3884
  • ADV-2006-3995
  • ADV-2006-4015
  • ADV-2006-4207
  • ADV-2006-4300
  • ADV-2006-4868
  • ADV-2007-2783
  • ADV-2008-0924
  • ADV-2008-1246
  • ADV-2008-1697
xf apache-modrewrite-offbyone-bo(28063)
saint via4
bid 19204
description Apache mod_rewrite LDAP URL buffer overflow
id web_server_apache_version
osvdb 27588
title apache_rewrite_ldap
type remote
statements via4
  • contributor Mark J Cox
    lastmodified 2008-07-02
    organization Apache
    statement Fixed in Apache HTTP Server 2.2.3, 2.0.59, and 1.3.37: http://httpd.apache.org/security/vulnerabilities_22.html http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_13.html
  • contributor Mark J Cox
    lastmodified 2006-07-31
    organization Red Hat
    statement The ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler has added padding to the stack immediately after the buffer being overwritten, this issue cannot be exploited, and Apache httpd will continue operating normally. The Red Hat Security Response Team analyzed Red Hat Enterprise Linux 3 and Red Hat Enterprise Linux 4 binaries for all architectures as shipped by Red Hat and determined that these versions cannot be exploited. This issue does not affect the version of Apache httpd as supplied with Red Hat Enterprise Linux 2.1.
Last major update 17-10-2018 - 21:29
Published 28-07-2006 - 18:02