[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: POC & exploit for Apache mod_rewrite off-by-one



Hi Jacobo,

If my httpd.conf file has defined with the follow directives, could you please let me know whether it will be affected by this vulnerability or not?


RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

I think, it will not be affected as per the below information:
This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

    * The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
    * The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE)


Regards,
Ramesh