git.pld-linux.org Git - packages/apache1-mod_access_referer.git/blob - mod_access_referer_1.0.2_third_part_patch.txt
- BR s@%{apxs}@apache1-apxs@g
1 Some kind guy sent me the following information. This WAS NOT revised or audited by the author, but it could help other people. So, enjoy!:
2
3 -----------------------------------------------------------------------
4
5 mod_access_referer contains a null-pointer dereference vulnerability that may possibly be used in denial of service attacks. While the impact of this vulnerability is considered low-risk, we advise you to apply the following patch:
6
7 --- mod_access_referer.c.org    Wed Apr  9 19:27:00 2003
8 +++ mod_access_referer.c        Wed Apr  9 19:36:20 2003
9 @@ -492,6 +492,10 @@
10                                                          (r->headers_in,
11                                                           "Referer"),
12                                                          &uptr);
13 +                               if(uptr.hostname == NULL) {
14 +                                       return 0;
15 +                               }
16 +
17                                 if (!is_ip (uptr.hostname)) {
18                                         /* XX resolv the domain name */
19                                         got_refererhost_ip = 1;
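Review bot: the new `if(uptr.hostname == NULL)` check returns 0 with no comment saying whether 0 means the request is allowed or denied. In an access-control module that outcome should be stated explicitly, because a Referer value with no host part now takes whichever path 0 selects. Please add a one-line comment above the `return 0;` naming the intended decision. The check also only covers NULL: an empty-string hostname still reaches `is_ip (uptr.hostname)`, so consider testing `uptr.hostname[0] == '\0'` in the same condition if the parser can produce one. The result of the parse call that fills `uptr` is not examined in the visible lines; if that call can fail, checking its return value before reading `uptr.hostname` would be more robust than inspecting the field alone. Style: `if(` is missing the space used by `if (!is_ip (` two lines below.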