Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache HTTP Server mod_rewrite Improper Output Escaping Vulnerability Allowing Code Execution or Source Code Disclosure

Vulnerability

A vulnerability exists in the mod_rewrite module of Apache HTTP Server, affecting versions 2.4.59 and earlier. The issue arises from improper escaping of output, which allows an attacker to map URLs to filesystem locations that the server is permitted to serve but that are not intentionally or directly accessible via any URL. This can lead to unauthorized code execution or disclosure of source code. The vulnerability is particularly relevant for substitutions in server context that use backreferences or variables as the first segment of the substitution. The fix changes how such substitutions are handled, so some unsafe RewriteRules may stop working; the rewrite flag 'UnsafePrefixStat' can be used to opt back into the previous behavior, provided the substitution is properly constrained.

Impact

Exploitation of this vulnerability could result in unauthorized code execution or disclosure of sensitive source code.

Reproduction

To reproduce this vulnerability, create a RewriteRule that captures a URL segment and uses a backreference or variable in the substitution. The rule should be applied in a server context where it can access the filesystem. When the rule is processed, the improper escaping will allow the backreference or variable to map to a restricted filesystem location, leading to code execution or source code disclosure.

Remediation

Users are advised to upgrade to Apache HTTP Server version 2.4.60 or later, which addresses this vulnerability. After upgrading, review and adjust any RewriteRules that may be affected by the change in how substitutions are handled.
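To support that review, the following is an added audit script (not Apache project code) that scans a configuration for RewriteRules in server context whose substitution begins with a backreference or variable, the shape described above. It assumes that Directory, Location and Files containers (and their *Match variants) mark per-directory context, that quoting follows shell rules, and that the UnsafePrefixStat flag can be detected by a plain substring match; the sample configuration is constructed.

```python
# Added audit script (not Apache project code): flags RewriteRules in server
# context whose substitution starts with a backreference ($1, %1) or a
# variable (%{...}). Assumptions listed in the lead-in; heuristic only.
import re
import shlex

DIR_CONTAINERS = {"directory", "directorymatch", "location",
                  "locationmatch", "files", "filesmatch"}
# First segment of the substitution is a backreference or a variable.
UNSAFE_PREFIX = re.compile(r"^(\$\d|%\d|%\{)")

def parse_rewrite_rule(line):
    # Return (substitution, flags) for a RewriteRule directive, else None.
    try:
        parts = shlex.split(line, comments=True)
    except ValueError:
        return None
    if len(parts) < 3 or parts[0].lower() != "rewriterule":
        return None
    return parts[2], (parts[3] if len(parts) > 3 else "")

def audit_rewrite_rules(config_text):
    # Return (lineno, substitution, has_unsafeprefixstat) per affected rule.
    findings, depth = [], 0
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        tag = re.match(r"^<(/?)(\w+)", line)
        if tag and tag.group(2).lower() in DIR_CONTAINERS:
            depth += -1 if tag.group(1) else 1  # enter/leave per-dir context
            continue
        rule = parse_rewrite_rule(line)
        if rule is None or depth > 0:
            continue
        subst, flags = rule
        if subst != "-" and UNSAFE_PREFIX.match(subst):
            findings.append((lineno, subst, "unsafeprefixstat" in flags.lower()))
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONFIG = """\
RewriteEngine On
RewriteRule "^/files/(.*)$" "$1" [L]
RewriteRule "^/docs/([a-z0-9]+)$" "$1" [L,UnsafePrefixStat]
RewriteRule "^/img/(.*)$" "/var/www/img/$1" [L]
<Directory "/var/www/html">
    RewriteRule "^(.*)$" "$1" [L]
</Directory>
"""

if __name__ == "__main__":
    for lineno, subst, opted_in in audit_rewrite_rules(SAMPLE_CONFIG):
        print(f"line {lineno}: {subst!r} {'(UnsafePrefixStat set: verify constraint)' if opted_in else '(review before 2.4.60)'}")
```

Rules reported with UnsafePrefixStat set still need a manual check that the captured segment is constrained (for example by a restrictive pattern), since the flag restores the pre-2.4.60 behavior rather than making the rule safe.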

Added: Mar 11, 2026, 7:20 PM
Updated: Mar 11, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm
spread: 9.4
impact: 10.0
exploitability: 9.3
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.