Key Information Vulnerability Title Title: Mod_dosevasive Symbolic Link and Race Condition Vulnerability Vulnerability Details Content Handling ID: LSS-2005-01-4 Date: January 1, 2005 Advisory URL: [](http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-01) Impact: Arbitrary File Creation Risk Level: Low Vulnerability Type: Local Vendor Contacted: December 16, 2004 Vulnerability Overview Mod_dosevasive is an Apache module designed to provide evasion capabilities in case of HTTP DoS or DDoS attacks, or brute force attacks. When a denial-of-service attack is detected, Mod_dosevasive creates a temporary file to track actions from the attacking IP address. This file is created insecurely in the directory, with a name that is easily predictable. Vulnerability Details 1. Symbolic Link Attack - An attacker can create an arbitrary file in any directory where the user running Apache has write permissions. - Example command: - Mod_dosevasive checks if the target file already exists before creating it and will not overwrite it, thus only allowing arbitrary file creation in directories where the Apache user has write permissions. 2. Race Condition Attack - Once the target file is opened, a race condition vulnerability exists (though difficult to exploit), which could allow Mod_dosevasive to overwrite any file where the Apache user has write permissions. Affected Versions All versions of mod_security are affected, including the latest CVS version (1.9). Mitigation Recommendations The proper fix is to rewrite the file-opening code. In the absence of such a fix, a simple and quick workaround is to create a directory with write permissions only for the Apache user, and configure Mod_dosevasive to use this directory for temporary files. A single line change in the source code can switch to a different directory: Proof of Concept No PoC required. Acknowledgments This vulnerability was discovered by the LSS Security Team. LSS Security Team Contact Information Website: http://security.lss.hr Email: security@LSS.hr Phone: +385 1 6129 775