Most deployed versions of Apache are potentially exploitable, as mod_rewrite has been found to be vulnerable to a stack smashing attack. It is somewhat muted by the fact that only certain rules cause the problem. The vulnerability is caused by an off-by-one error — the most common programming error known to man. Many SEOs use mod_rewrite, but not all will be affected; I checked my rules, and I am not exploitable (otherwise I wouldn't post this), but I'm upgrading anything I have anyway. This affects all branches of Apache — 1.3 to 2.2. The original report from McAfee is here.
Jun
30
Archived; click post to view.
Excerpt: Note: the code for the auditing script is located here. As a programmer, I cannot stress it enough. What is it? Escaping all data processed by your web application's code! It's a common security issue, but most people are only accustomed to it, these days, in the context of SQL. Every programmer worth salt knows that he must escape/sanitize data sent to a SQL database. Otherwise, carefully-constructed input can form a totally cool query that exposes and/or vandalizes data. Despite this, many programmers forget to escape SQL input; and even more of them forget to…
powered by
SEO Pager
