Buffer Overflows in mod_alias and mod_rewrite in Apache 1.3.27: Limited Urchin 5 Exposure


Urchin 5 ships with an embedded Apache webserver that provides access to the web-based Urchin administration and reporting functions. As reported in the following ISS security advisory:

Apache versions up through 1.3.28 are vulnerable to a buffer overflow in the mod_alias and mod_rewrite modules. Urchin 5.101 and earlier ship with Apache 1.3.27.

Impact on Urchin Customers

After careful examination of the fix and the threat, Urchin Software Corporation's position on this issue is that:

  1. When used in a standard configuration, the Apache shipped with Urchin 5 is not vulnerable because neither mod_alias or mod_rewrite are configured or used. In order for an Urchin installation to be vulnerable, explicit unsupported changes to the webserver configuration would need to be made.
  2. Urchin Software Corporation has made updated urchinwebd binaries available on our web site at ftp://ftp.urchin.com/pub/support for those customers who wish to upgrade the binaries in their Urchin 5 distributions. These urchinwebd binaries are based on Apache 1.3.29, which is not vulnerable to the buffer overflows.
  3. The next release of Urchin 5 will contain urchinwebd binaries that are based on Apache 1.3.29.

See Also