National Vulnerability Database

CVE-2006-3747 Detail

Current Description

Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.

Source: MITRE      Last Modified: 07/28/2006

Quick Info

CVE Dictionary Entry: CVE-2006-3747
Original release date: 07/28/2006
Last revised: 07/19/2017
Source: US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.6 HIGH
Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 4.9

CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: High
Authentication: Not required to exploit
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

Vendor Statements

Official Statement from Red Hat (07/31/2006)

The ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler has added padding to the stack immediately after the buffer being overwritten, this issue cannot be exploited, and Apache httpd will continue operating normally. The Red Hat Security Response Team analyzed Red Hat Enterprise Linux 3 and Red Hat Enterprise Linux 4 binaries for all architectures as shipped by Red Hat and determined that these versions cannot be exploited. This issue does not affect the version of Apache httpd as supplied with Red Hat Enterprise Linux 2.1.

Official Statement from Apache (07/02/2008)

Fixed in Apache HTTP Server 2.2.3, 2.0.59, and 1.3.37: http://httpd.apache.org/security/vulnerabilities_22.html http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_13.html

References to Advisories, Solutions, and Tools


Hyperlink Resource Type Source Name
http://docs.info.apple.com/article.html?artnum=307562 External Source CONFIRM http://docs.info.apple.com/article.html?artnum=307562
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771 External Source HP SSRT061275
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01428449 External Source HP HPSBMA02328
http://kbase.redhat.com/faq/FAQ_68_8653.shtm External Source MISC http://kbase.redhat.com/faq/FAQ_68_8653.shtm
http://lists.apple.com/archives/security-announce/2008//May/msg00001.html External Source APPLE APPLE-SA-2008-05-28
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html External Source APPLE APPLE-SA-2008-03-18
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/048267.html External Source FULLDISC 20060728 Apache 1.3.29/2.X mod_rewrite Buffer Overflow Vulnerability CVE-2006-3747
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/048271.html External Source FULLDISC 20060728 [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released
http://lwn.net/Alerts/194228/ External Source TRUSTIX 2006-0044
http://marc.info/?l=bugtraq&m=130497311408250&w=2 External Source HP HPSBOV02683
http://security.gentoo.org/glsa/glsa-200608-01.xml External Source GENTOO GLSA-200608-01
http://securityreason.com/securityalert/1312 External Source SREASON 1312
http://securitytracker.com/id?1016601 External Source SECTRACK 1016601
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102662-1 External Source SUNALERT 102662
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102663-1 External Source SUNALERT 102663
http://svn.apache.org/viewvc?view=rev&revision=426144 External Source MISC http://svn.apache.org/viewvc?view=rev&revision=426144
http://www.apache.org/dist/httpd/Announcement2.0.html Patch; Vendor Advisory External Source CONFIRM http://www.apache.org/dist/httpd/Announcement2.0.html
http://www.debian.org/security/2006/dsa-1131 Patch External Source DEBIAN DSA-1131
http://www.debian.org/security/2006/dsa-1132 Patch External Source DEBIAN DSA-1132
http://www.kb.cert.org/vuls/id/395412 US Government Resource External Source CERT-VN VU#395412
http://www.mandriva.com/security/advisories?name=MDKSA-2006:133 External Source MANDRIVA MDKSA-2006:133
http://www.novell.com/linux/security/advisories/2006_43_apache.html External Source SUSE SUSE-SA:2006:043
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.015-apache.html External Source OPENPKG OpenPKG-SA-2006.015
http://www.securityfocus.com/archive/1/archive/1/441485/100/0/threaded External Source BUGTRAQ 20060728 [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released
http://www.securityfocus.com/archive/1/archive/1/441487/100/0/threaded External Source BUGTRAQ 20060728 Apache mod_rewrite Buffer Overflow Vulnerability
http://www.securityfocus.com/archive/1/archive/1/441526/100/200/threaded External Source BUGTRAQ 20060728 rPSA-2006-0139-1 httpd mod_ssl
http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded External Source BUGTRAQ 20060820 POC & exploit for Apache mod_rewrite off-by-one
http://www.securityfocus.com/archive/1/archive/1/445206/100/0/threaded External Source HP SSRT061202
http://www.securityfocus.com/archive/1/archive/1/450321/100/0/threaded External Source HP SSRT061265
http://www.securityfocus.com/bid/19204 External Source BID 19204
http://www.ubuntu.com/usn/usn-328-1 External Source UBUNTU USN-328-1
http://www.us-cert.gov/cas/techalerts/TA08-150A.html US Government Resource External Source CERT TA08-150A
http://www.vupen.com/english/advisories/2006/3017 External Source VUPEN ADV-2006-3017
http://www.vupen.com/english/advisories/2006/3264 External Source VUPEN ADV-2006-3264
http://www.vupen.com/english/advisories/2006/3282 External Source VUPEN ADV-2006-3282
http://www.vupen.com/english/advisories/2006/3884 External Source VUPEN ADV-2006-3884
http://www.vupen.com/english/advisories/2006/3995 External Source VUPEN ADV-2006-3995
http://www.vupen.com/english/advisories/2006/4015 External Source VUPEN ADV-2006-4015
http://www.vupen.com/english/advisories/2006/4207 External Source VUPEN ADV-2006-4207
http://www.vupen.com/english/advisories/2006/4300 External Source VUPEN ADV-2006-4300
http://www.vupen.com/english/advisories/2006/4868 External Source VUPEN ADV-2006-4868
http://www.vupen.com/english/advisories/2007/2783 External Source VUPEN ADV-2007-2783
http://www.vupen.com/english/advisories/2008/0924/references External Source VUPEN ADV-2008-0924
http://www.vupen.com/english/advisories/2008/1246/references External Source VUPEN ADV-2008-1246
http://www.vupen.com/english/advisories/2008/1697 External Source VUPEN ADV-2008-1697
http://www-1.ibm.com/support/docview.wss?uid=swg1PK29154 External Source AIXAPAR PK29154
http://www-1.ibm.com/support/docview.wss?uid=swg1PK29156 External Source AIXAPAR PK29156
http://www-1.ibm.com/support/docview.wss?uid=swg24013080 External Source AIXAPAR PK27875
http://www-1.ibm.com/support/docview.wss?uid=swg27007951 External Source CONFIRM http://www-1.ibm.com/support/docview.wss?uid=swg27007951
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117 External Source CONFIRM http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117
https://exchange.xforce.ibmcloud.com/vulnerabilities/28063 External Source XF apache-modrewrite-offbyone-bo(28063)
https://issues.rpath.com/browse/RPL-538 External Source CONFIRM https://issues.rpath.com/browse/RPL-538

Technical Details

Vulnerable software and versions

Configuration 1
OR
cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.7:*:dev:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.31:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.33:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.51:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.52:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.53:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.54:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.55:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.56:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.57:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.58:*:*:*:*:*:*:*
Configuration 2
OR
cpe:2.3:o:ubuntu:ubuntu_linux:5.04:*:*:*:*:*:*:*
cpe:2.3:o:ubuntu:ubuntu_linux:5.10:*:*:*:*:*:*:*
cpe:2.3:o:ubuntu:ubuntu_linux:6.06_lts:*:*:*:*:*:*:*
