CVE-2006-3747

Published: 28/07/2006 Updated: 13/02/2023
CVSS v2 Base Score: 7.6 | Impact Score: 10 | Exploitability Score: 4.9
VMScore: 781
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Vulnerability Summary

Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions prior to 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote malicious users to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.

Vulnerable Product

apache http server

canonical ubuntu linux 5.04

canonical ubuntu linux 5.10

canonical ubuntu linux 6.06

debian debian linux 3.1

Vendor Advisories

Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite module’s ldap scheme handling. On systems which activate “RewriteEngine on”, a remote attacker could exploit certain rewrite rules to crash Apache, or potentially even execute arbitrary code (this has not been verified) ...
Debian Bug report logs - #380182 CVE-2006-3747: off-by-one security problem in mod_rewrite. Package: apache2; Maintainer for apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Source for apache2 is src:apache2 (PTS, buildd, popcon). Reported by: sf@sfritsch.de; Date: Fri, 28 Jul 2006 08:48:01 UTC; Severity ...
Debian Bug report logs - #381376 CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities. Package: apache2; Maintainer for apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Source for apache2 is src:apache2 (PTS, buildd, popcon). Reported by: Stefan Fritsch <sf@sfritsch.de> ...
Mark Dowd discovered a buffer overflow in the mod_rewrite component of apache, a versatile high-performance HTTP server. In some situations a remote attacker could exploit this to execute arbitrary code. For the stable distribution (sarge) this problem has been fixed in version 1.3.33-6sarge2. For the unstable distribution (sid) this problem will b ...
Mark Dowd discovered a buffer overflow in the mod_rewrite component of apache, a versatile high-performance HTTP server. In some situations a remote attacker could exploit this to execute arbitrary code. For the stable distribution (sarge) this problem has been fixed in version 2.0.54-5sarge1. For the unstable distribution (sid) this problem will b ...

Exploits

Proof of concept exploit for the mod_rewrite vulnerability in Apache that makes use of an off by one overflow in the handling of ldap requests ...
Apache mod_rewrite off-by-one remote overflow exploit for win32. Tested on 2.0.58 ...
#!/bin/sh # Exploit for Apache mod_rewrite off-by-one(Win32) # # by axis <axis@ph4nt0m> # wwwph4nt0morg # 2007-04-06 # # Tested on Apache 2058 (Win32) # Windows2003 CN SP1 # # Vulnerable Apache Versions: # * 13 branch: >1328 and <1337 # * 20 branch: >2046 and <2059 # * 22 branch: >220 and <223 # # ...
#!/bin/sh # Exploit for Apache mod_rewrite off-by-one # Vulnerability discovered by Mark Dowd # CVE-2006-3747 # # by jack <jack\x40gulcas\x2Eorg> # 2006-08-20 # # Thx to xuso for help me with the shellcode # # I suppose that you've the "RewriteRule kung/(*) $1" rule if not # you must recalculate adressess # # Shellcode is based on Taeho ...
## # $Id: apache_mod_rewrite_ldaprb 8498 2010-02-15 00:48:03Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # Framework web site for more information on licensing and terms of use # metasploitcom/framework/ ## require 'msf/core' ...
/* apache mod rewrite exploit (win32) By: fabio/b0x (oc-192, old CoTS member) Vuln details: wwwsecurityfocuscom/archive/1/archive/1/443870/100/0/threaded Code: bind shell on port 4445, tested on apache 2058 with mod_rewrite (windows 2003) original exploit (milw0rmcom/exploits/3680) only had a call back on 19216801, al ...

Github Repositories

Information about my advisory on CVE-2006-3747 (Apache mod_rewrite LDAP off-by-one buffer overflow). At the time, it was the first public working exploit :)

Files about my bugtraq publication and first working exploit for CVE-2006-3747 (Apache mod_rewrite LDAP off-by-one buffer overflow) (www.securityfocus.com/archive/1/443870). Public release date of POC/Exploit: 2006-08-20. Author: Jacobo Avariento Gimeno. CVE id: CVE-2006-3747. Bugtraq id: 19204. CERT advisory: VU#395412. Severity: high. CVSS v2 Base Score: 7.6 HIGH (AV:N/AC:H


References

CWE-189