Apache fixes off-by-one buffer overflow in mod_rewrite

Jul 28 2006

By Kurt Seifried (kurt@seifried.org)

The Apache Software Foundation has just corrected an off-by-one vulnerability in the mod_rewrite engine. Many web applications, such as WordPress, use mod_rewrite to create URLs that are more easily indexed by search engines, so although mod_rewrite is often disabled by default, it is typically enabled and used on many sites.

http://httpd.apache.org/

This is, of course, a classic example of a technological risk. A least-privilege approach, with as many things disabled or otherwise removed as possible, would result in a system that is not affected by this flaw. However, because users want easily indexed URLs, and the easiest way for a program such as WordPress to provide them is mod_rewrite, you end up with numerous sites using mod_rewrite when it is not strictly necessary.
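One way to apply the least-privilege point is to check whether mod_rewrite is loaded on a server that never actually uses it. The following is an added example, not part of the original post; it assumes mod_rewrite is built as a shared module enabled with `LoadModule`, that the caller supplies the contents of the main config and any `.htaccess` files, and it treats "engine on plus at least one rule in the same file" as a simplified test for use. The sample configs are constructed.

```python
import re

# Apache directive names are case-insensitive; '#' starts a comment line.
LOAD_RE = re.compile(r'^\s*LoadModule\s+rewrite_module\b', re.I)
ENGINE_ON_RE = re.compile(r'^\s*RewriteEngine\s+on\b', re.I)
RULE_RE = re.compile(r'^\s*RewriteRule\s+\S+', re.I)

def logical_lines(text):
    """Yield directives with backslash continuations joined, comments dropped."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1] + " "
            continue
        pending = ""
        if line.strip() and not line.lstrip().startswith("#"):
            yield line

def audit_rewrite(files):
    """files: {path: contents}. Returns (verdict, evidence paths)."""
    loaded, engine_on, rules = [], [], []
    for path, text in files.items():
        for line in logical_lines(text):
            if LOAD_RE.match(line):
                loaded.append(path)
            elif ENGINE_ON_RE.match(line):
                engine_on.append(path)
            elif RULE_RE.match(line):
                rules.append(path)
    if not loaded:
        return "not_loaded", []
    # Simplification: count a file as a user only if it enables the engine
    # and defines at least one rule (real scoping is per-context).
    users = sorted(set(engine_on) & set(rules))
    return ("loaded_in_use", users) if users else ("loaded_unused", sorted(set(loaded)))

# Constructed sample configs (not taken from any real server).
SAMPLE_UNUSED = {
    "httpd.conf": "LoadModule rewrite_module modules/mod_rewrite.so\n"
                  "#RewriteEngine On\nDocumentRoot /var/www/html\n",
}
SAMPLE_WORDPRESS = {
    "httpd.conf": "LoadModule rewrite_module modules/mod_rewrite.so\n",
    "/var/www/blog/.htaccess": "RewriteEngine On\nRewriteBase /\n"
                               "RewriteRule . /index.php [L]\n",
}

if __name__ == "__main__":
    print(audit_rewrite(SAMPLE_UNUSED), audit_rewrite(SAMPLE_WORDPRESS))
```

A `loaded_unused` verdict marks a server where the `LoadModule` line can be commented out, removing the module and this flaw from the attack surface at no functional cost.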


Posted by Kurt.Seifried on Friday, July 28th, 2006, at 12:26 am, and filed under Quick News, Technical.
