Vigil@nce - Apache httpd: rules added by mod_access_compat or mod_authz_host
June 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
The Allow/Deny and Require address lists of Apache httpd have no
comment syntax. If an administrator appends a "#" comment to such a
line, the "#" and every word after it are parsed as further IP
addresses, partial IP addresses or host names, so the ACL actually
installed differs from the one the administrator intended and can
grant access to unintended clients.
Impacted products: Apache httpd
Severity: 2/4
Creation date: 16/04/2015
DESCRIPTION OF THE VULNERABILITY
The mod_access_compat (Order, Allow, Deny) and mod_authz_host (Require
ip, Require host) modules of Apache httpd evaluate access-control
lists given as a whitespace-separated list of IP addresses, partial
IP addresses (1 to 3 leading octets), networks or host names. For
example:
Order allow,deny
Allow from 127.0.0.1
However, the address list has no comment syntax: the httpd
configuration language only accepts comments on a line of their own,
and a "#" placed after a directive is simply one more argument. For
example:
Allow from 127.0.0.1 # but not 10 example.com
is parsed as six address specifications: "127.0.0.1", the host names
"#", "but" and "not", the partial address "10" (which matches the
whole 10.0.0.0/8 network) and the host name "example.com". It is
therefore equivalent to:
Allow from 127.0.0.1 10/8 example.com
The server starts normally, since every word is a syntactically
valid address specification, and all clients in 10.0.0.0/8 are
allowed. The fix is to move the comment to its own line above the
directive.
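The following Python script is an added illustration, not code from the bulletin or from the Apache project. It models how mod_access_compat tokenises an Allow/Deny argument list (no comment syntax, partial IPv4 addresses expanded to a network prefix, anything else a host name), evaluates a client address against the result, and scans a configuration for access-control directives carrying an inline "#". The two configuration fragments, the directory path and the client addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample configurations (not from the bulletin). The first carries
# the trailing "comment" from the bulletin; the second is the corrected form
# with the comment on its own line, as httpd's configuration syntax requires.
VULNERABLE_CONF = """\
<Directory /var/www/admin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 # but not 10 example.com
</Directory>
"""

FIXED_CONF = """\
<Directory /var/www/admin>
    Order deny,allow
    Deny from all
    # but not 10 example.com
    Allow from 127.0.0.1
</Directory>
"""

# Allow/Deny from (mod_access_compat) and Require [not] ip|host (mod_authz_host),
# capturing the argument list that follows.
_ACCESS_DIRECTIVE = re.compile(
    r"^\s*(?:(?:Allow|Deny)\s+from|Require\s+(?:not\s+)?(?:ip|host))\s+(?P<args>.*)$",
    re.IGNORECASE,
)
# Full or partial dotted IPv4 address: 1 to 4 octets.
_IPV4_WORDS = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")


def parse_host_list(directive_line):
    """Tokenise the argument list of an access-control directive the way httpd does:
    every whitespace-separated word is an address specification, there is no comment
    syntax. Returns a list of (kind, value): kind 'net' carries an ipaddress network,
    kind 'host' carries a host-name string."""
    m = _ACCESS_DIRECTIVE.match(directive_line)
    if not m:
        raise ValueError("not an access-control directive: %r" % directive_line)
    specs = []
    for word in m.group("args").split():
        if word.lower() == "all":
            specs.append(("net", ipaddress.ip_network("0.0.0.0/0")))
        elif _IPV4_WORDS.match(word):
            octets = word.split(".")
            if len(octets) == 4:
                specs.append(("net", ipaddress.ip_network(word + "/32")))
            else:
                # Partial address: '10' means 10.0.0.0/8, '192.168' means
                # 192.168.0.0/16 (documented mod_access_compat behaviour).
                padded = ".".join(octets + ["0"] * (4 - len(octets)))
                specs.append(("net", ipaddress.ip_network(
                    "%s/%d" % (padded, 8 * len(octets)))))
        else:
            try:
                # a.b.c.d/nn or a.b.c.d/netmask
                specs.append(("net", ipaddress.ip_network(word, strict=False)))
            except ValueError:
                # Anything else ('#', 'but', 'not', 'example.com') is a host name.
                specs.append(("host", word))
    return specs


def client_matches(specs, client_ip):
    """True if client_ip falls inside any network specification. Host-name
    specifications are treated as non-matching here: in httpd they only match after
    a reverse-then-forward DNS lookup of the client, which this offline example does
    not perform, and '#', 'but' and 'not' are not resolvable names anyway."""
    addr = ipaddress.ip_address(client_ip)
    return any(kind == "net" and addr in value for kind, value in specs)


def find_inline_comments(config_text):
    """Return (line_number, stripped_line) for every access-control directive whose
    argument list contains '#'. httpd does not flag these, because every word is a
    valid address specification; this is the check the server does not do for you."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        m = _ACCESS_DIRECTIVE.match(line)
        if m and "#" in m.group("args"):
            findings.append((number, line.strip()))
    return findings


if __name__ == "__main__":
    bad = parse_host_list("Allow from 127.0.0.1 # but not 10 example.com")
    for kind, value in bad:
        print("%-4s %s" % (kind, value))
    for ip in ("127.0.0.1", "10.1.2.3", "192.168.1.5"):
        print(ip, "allowed" if client_matches(bad, ip) else "denied")
    print("inline comments:", find_inline_comments(VULNERABLE_CONF))
    print("after fix:", find_inline_comments(FIXED_CONF))
```

Running it shows that a client at 10.1.2.3 is allowed by the commented line but not by the corrected one, and that the scanner reports only the vulnerable configuration. The scanner is deliberately narrow: it looks only at directives that take address lists, because a "#" after any other directive is a different (and usually harmless) mistake.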