Security researchers discovered a vulnerability, identified as CVE-2013-1862, in the ‘mod_rewrite’ module of the Apache HTTP server (2.2.x series). The flaw lets an attacker have arbitrary commands executed when the server administrator views the log file.
Through specially crafted requests to the web server, the attacker can inject system commands into the log file, because ‘mod_rewrite’ does not escape special characters before writing them. Careful use of such escape sequences allows arbitrary commands to be executed with the privileges of the user viewing the log (usually these log files are readable only by the root user).
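As an added defender-side example (not code from the original report or from the httpd project), the following Python flags rewrite-log lines that contain raw control characters such as ESC and renders them with those bytes escaped, which is the precaution the report describes as missing. The log lines are constructed; `escape_log_line` and `find_suspicious_lines` are hypothetical helpers.

```python
import re
from typing import List, Tuple

# Constructed sample mod_rewrite-style log lines (not real server output).
# Line 2 carries raw control bytes in the requested URI: ESC (0x1b), which
# starts terminal control sequences, and BEL (0x07).
SAMPLE_LOG = (
    "10.0.0.5 - - [init rewrite engine with requested uri /index.html]\n"
    "10.0.0.5 - - [init rewrite engine with requested uri /\x1b[2J\x1b[Hx\x07]\n"
    "10.0.0.6 - - [applying pattern '^/old$' to uri '/old']\n"
)

# Any C0 control character or DEL; ESC (0x1b) is the one terminals act on.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def escape_log_line(line: str) -> str:
    """Render a log line safely for a terminal: a backslash becomes a doubled
    backslash and every control character becomes a backslash-x-HH escape, so
    the terminal never sees the raw byte. Newline is left intact so the
    line structure of the file survives."""
    out = []
    for ch in line:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append(ch)
        elif CONTROL_CHARS.match(ch):
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def find_suspicious_lines(log_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, escaped line) for every line containing a
    control character; these are the lines to inspect without plain 'cat'."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if CONTROL_CHARS.search(line):
            hits.append((lineno, escape_log_line(line)))
    return hits


if __name__ == "__main__":
    for lineno, safe in find_suspicious_lines(SAMPLE_LOG):
        print(f"line {lineno}: {safe}")
```

The same effect on an existing file can be had with a viewer that escapes non-printables (for example `cat -v` or `less` with its default settings) rather than a plain `cat`.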
A patch fixing the vulnerability is available. Developers of RHEL and CentOS have fixed the problem in their products. Representatives of Debian said they are aware of the bug but do not consider it serious. Gentoo developers have not fixed the flaw.