You are here

Apache httpd: mod_rewrite allows terminal escape sequences to be written to the log file

CVE-2013-1862, CB-K13/0146, CB-K13/0374
Apache, httpd, mod_rewrite

The vulnerability was found in the mod_rewrite module of the Apache HTTP Server. If logging is activated in the module data is written to a log file without sanitizing non-printable characters. A remote attacker could use this flaw to write terminal escape sequences to log files. This could possibly cause arbitrary command execution.

Airlock is not using the log functionality of mod_rewrite (Apache directive RewriteLog) and is therefore not affected.


back-end servers are protected by the default deny rules which are blocking such non-printable characters. Nevertheless Apache servers behind Airlock with activated mod_rewrite log functionality should be updated to version >= 2.2.25.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution