Re: POC & exploit for Apache mod_rewrite off-by-one
Hi Jacobo,
If my httpd.conf file has defined with the follow directives, could you please
let me know whether it will be affected by this vulnerability or not?
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
I think, it will not be affected as per the below information:
This flaw does not affect a default installation of Apache HTTP Server. Users
who do not use, or have not enabled, the Rewrite module mod_rewrite are not
affected by this issue. This issue only affects installations using a Rewrite
rule with the following characteristics:
* The RewriteRule allows the attacker to control the initial part of the
rewritten URL (for example if the substitution URL starts with $1)
* The RewriteRule flags do NOT include any of the following flags:
Forbidden (F), Gone (G), or NoEscape (NE)
Regards,
Ramesh