VYPR
Unrated severity · NVD Advisory · Published Aug 27, 2003 · Updated Apr 16, 2026

CVE-2003-0460

Description

The rotatelogs program on Apache before 1.3.28, for Windows and OS/2 systems, does not properly ignore certain control characters that are received over the pipe, which could allow remote attackers to cause a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache rotatelogs does not filter control characters on Windows/OS2; a crafted URI can disable logging, masking attacks.

Vulnerability

Apache HTTP Server versions prior to 1.3.28 on Windows and OS/2 systems contain a flaw in the rotatelogs program, which does not properly ignore the control character 0x1A (Ctrl‑Z) received over the pipe. When a client sends a crafted URI containing this character, the pipe to the log rotation process interprets it as an end-of-file mark, causing the logging pipeline to stop writing new entries. This affects the default configuration when rotatelogs is used with CustomLog or ErrorLog directives [1].

Exploitation

An attacker needs only a network connection to the Apache server; no authentication or special privileges are required. The attack consists of sending a specially crafted `Request-URI` that includes the 0x1A byte. The server forwards the URI to the `rotatelogs` utility, which treats the byte as a command to close the logging pipe. Once the pipe is closed, further log entries are silently dropped [1].

Impact

Successful exploitation disables logging on the web server. While this does not directly affect the confidentiality, integrity, or availability of the server content, it removes the ability to audit requests. An attacker can then perform subsequent malicious actions—such as further exploitation attempts—without those actions being recorded, thus masking the attack [1].

Mitigation

The vulnerability is addressed in Apache HTTP Server version 1.3.28, released on 2003-07-21 [1]. Administrators who cannot upgrade immediately should remove the rotatelogs utility from CustomLog or ErrorLog directives in the server configuration, reverting to direct file logging. No workaround is available if rotatelogs must be used [1].
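To apply the interim mitigation, an administrator first has to find every log directive that still pipes into rotatelogs. The following is an added example, not code from the advisory or from the Apache project: a small audit that lists those directives in an httpd.conf. The sample configuration and its paths are constructed, and `TransferLog` is included as an assumption because it also accepts a piped target.

```python
import re

# Directives that accept a piped program ("|...") as their log target.
# CustomLog and ErrorLog are named in the advisory text; TransferLog is
# added here because it also accepts a pipe.
LOG_DIRECTIVES = ("customlog", "errorlog", "transferlog")

# Constructed sample httpd.conf fragment (paths are hypothetical).
SAMPLE_CONF = r'''
# access log piped through rotatelogs
CustomLog "|C:/Apache/bin/rotatelogs.exe C:/Apache/logs/access.log 86400" common
ErrorLog logs/error.log
  errorlog "|bin/rotatelogs logs/error_log 86400"
#CustomLog "|bin/rotatelogs logs/old_log 86400" combined
CustomLog logs/access.log combined
TransferLog "|bin/cronolog logs/%Y-%m-%d.log"
'''

def find_piped_rotatelogs(conf_text):
    """Return (line_number, directive, target) for every active log
    directive whose target is a pipe into rotatelogs."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        # Directive name, then a quoted or a bare first argument.
        m = re.match(r'(\S+)\s+(?:"([^"]*)"|(\S+))', line)
        if not m or m.group(1).lower() not in LOG_DIRECTIVES:
            continue  # directive names are case-insensitive
        target = m.group(2) if m.group(2) is not None else m.group(3)
        if target.startswith("|") and "rotatelogs" in target.lower():
            findings.append((lineno, m.group(1), target))
    return findings

if __name__ == "__main__":
    for lineno, directive, target in find_piped_rotatelogs(SAMPLE_CONF):
        print(f"line {lineno}: {directive} pipes to rotatelogs: {target}")
```

Each reported line is a candidate for reverting to a plain file target until the server is upgraded to 1.3.28.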

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
