Urchin WebAnalytics Software is discontinued and is no longer supported. All Urchin documentation applies only to the Urchin product as it was at the time of discontinuation, and does not apply to any Google Analytics products or services.

Buffer Overflows in mod_alias and mod_rewrite in Apache 1.3.27: Limited Urchin 4 Exposure


Urchin 4 ships with an embedded Apache webserver that provides access to the web-based Urchin administration and reporting functions. As reported in the following ISS security advisory:

Apache versions up through 1.3.28 are vulnerable to a buffer overflow in the mod_alias and mod_rewrite modules. Urchin 4.101 through 4.106 ship with Apache 1.3.27.

Impact on Urchin Customers

After careful examination of the fix and the threat, Urchin Software Corporation's position on this issue is that:

  1. When used in a standard configuration, the Apache shipped with Urchin 4 is not vulnerable because neither mod_alias nor mod_rewrite is configured or used. For an Urchin installation to be vulnerable, explicit unsupported changes to the webserver configuration would need to be made.
  2. Urchin Software Corporation has made updated urchinwebd binaries available on our web site at for those customers who wish to upgrade the binaries in their Urchin 4 distributions. These urchinwebd binaries are based on Apache 1.3.29, which is not vulnerable to the buffer overflows.
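
One way to check point 1 on an installation is to scan the embedded webserver's configuration for any active mod_alias or mod_rewrite load or directive. This is an added example, not code from Urchin Software Corporation; the directive names are the standard Apache 1.3 ones for the two modules, and SAMPLE_CONF is constructed input, not Urchin's shipped configuration.

```python
# Apache 1.3 directives owned by each module (lower-cased: names are case-insensitive).
MODULE_DIRECTIVES = {
    "mod_alias": set("alias aliasmatch redirect redirectmatch redirecttemp "
                     "redirectpermanent scriptalias scriptaliasmatch".split()),
    "mod_rewrite": set("rewriteengine rewriteoptions rewritelog rewriteloglevel "
                       "rewritelock rewritemap rewritebase rewritecond rewriterule".split()),
}

# Constructed sample input; NOT the configuration shipped with Urchin.
SAMPLE_CONF = r"""Port 9999
#LoadModule rewrite_module libexec/mod_rewrite.so
LoadModule alias_module libexec/mod_alias.so
AddModule mod_alias.c
<VirtualHost *>
    RewriteEngine On
    RewriteRule ^/old/(.*)$ \
        /new/$1 [R]
    RedirectMatch ^/docs/(.*) http://example.invalid/$1
</VirtualHost>
"""


def logical_lines(text):
    """Yield (first_line_no, text) with backslash-continued lines joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf = ""
    if buf:
        yield start, buf.strip()


def audit_config(text):
    """Return [(line_no, module, line)] for every active load or use."""
    findings = []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives are inactive
        words = [w.lower() for w in line.split()]
        for mod, directives in MODULE_DIRECTIVES.items():
            module_ids = {mod[4:] + "_module", mod + ".c"}
            loads = words[0] in ("loadmodule", "addmodule") and module_ids & set(words[1:])
            if loads or words[0] in directives:
                findings.append((no, mod, line))
    return findings
```

An empty result from `audit_config` matches the standard configuration described in point 1. Modules can also be compiled in statically, so the directive matches are the stronger signal, and the same scan applies to any .htaccess files the server honours.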
