Apache mod_alias Buffer Overflow via Regex Capture Groups (CVE-2003-0542)

Key Information Vulnerability ID: VU#549142 Release Date: 2004-02-03 Last Revised: 2004-03-19 CVE ID: CVE-2003-0542 Vulnerability Summary A vulnerability exists in an auxiliary module of the Apache HTTP server, which may allow an attacker to execute arbitrary code on the affected web server under specific conditions. Description The Apache HTTP server distribution includes several optional modules for additional functionality. The module provides functionality to map different parts of the host file system into the document tree and to perform URL redirections. Certain directives in this module support regular expressions. When processes regular expressions containing more than nine capture groups, a buffer overflow vulnerability occurs, potentially leading to a remotely exploitable condition. Impact An attacker may execute arbitrary code on the system with the privileges of the web server user, provided that specific configuration files (such as or ) are available. Solution Patch: Apply the patch provided by the vendor. Alternative: If is not required, disable it. Affected Vendors Apache Software Foundation Conectiva Gentoo Linux Guardian Digital Inc. Hewlett-Packard Company MandrakeSoft OpenPKG Red Hat Inc. SCO SGI CVSS Metrics Base Score: Not provided Temporal Factor: Not provided Environmental Factor: Not provided References List of multiple Secunia security advisory links. Acknowledgments Thanks to the Apache Software Foundation for acknowledging André Malo, the contributor who discovered this vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Apache mod_alias Buffer Overflow via Regex Capture Groups (CVE-2003-0542)