
Re: POC & exploit for Apache mod_rewrite off-by-one



Hi Jacobo,

If my httpd.conf file is defined with the following directives, could you please 
let me know whether it will be affected by this vulnerability or not?


RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

I think it will not be affected, as per the information below:
This flaw does not affect a default installation of Apache HTTP Server. Users 
who do not use, or have not enabled, the Rewrite module mod_rewrite are not 
affected by this issue. This issue only affects installations using a Rewrite 
rule with the following characteristics:

    * The RewriteRule allows the attacker to control the initial part of the
      rewritten URL (for example if the substitution URL starts with $1)
    * The RewriteRule flags do NOT include any of the following flags:
      Forbidden (F), Gone (G), or NoEscape (NE)


Regards,
Ramesh
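
The two characteristics quoted in the message above can be checked mechanically against a configuration file. The following is an added example, not part of the original message or of Apache: the function names are hypothetical, the heuristic only covers the advisory's own example case (a substitution that starts with `$N`), and the last three rules in the sample are constructed for illustration.

```python
import re

# Flags the quoted advisory lists as excluding a rule from the affected set
# (short and long spellings accepted by mod_rewrite).
SAFE_FLAGS = {"F", "FORBIDDEN", "G", "GONE", "NE", "NOESCAPE"}

def parse_rewrite_rule(line):
    """Return (pattern, substitution, flags) or None if not a RewriteRule."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line.strip())]
    if len(tokens) < 3 or tokens[0].lower() != "rewriterule":
        return None
    flags = set()
    if len(tokens) > 3 and tokens[3].startswith("[") and tokens[3].endswith("]"):
        for flag in tokens[3][1:-1].split(","):
            flags.add(flag.split("=", 1)[0].strip().upper())
    return tokens[1], tokens[2], flags

def matches_advisory(line):
    """True if the rule has both characteristics listed in the advisory text."""
    rule = parse_rewrite_rule(line)
    if rule is None:
        return False
    _pattern, substitution, flags = rule
    # Assumption: only the advisory's example case is tested, a substitution
    # whose first characters are a $N backreference.
    starts_with_backref = re.match(r"\$\d", substitution) is not None
    return starts_with_backref and not (flags & SAFE_FLAGS)

def audit(config_text):
    """Return (line number, rule text) for every rule matching the advisory."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if not line.lstrip().startswith("#") and matches_advisory(line):
            hits.append((lineno, line.strip()))
    return hits

# Lines 1-3 are the directives from the message; lines 4-6 are constructed.
SAMPLE = """\
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteRule ^/go/(.*) $1
RewriteRule ^/go/(.*) $1 [NE,L]
RewriteRule ^/docs/(.*) /manual/$1 [L]
"""

if __name__ == "__main__":
    for lineno, text in audit(SAMPLE):
        print(f"line {lineno}: matches advisory characteristics: {text}")
```

A match means only that a rule has the shape the advisory describes; whether the installed Apache version contains the flaw has to be checked separately.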