Bugtraq mailing list archives
Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")
From: Axel Beckert - ecos gmbh <beckert () ecos de>
Date: Fri, 13 Feb 2004 19:40:57 +0100
Hi! Am Wed, Feb 11, 2004 at 01:49:30PM +0100, Peter J. Holzer wrote:
Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal file names. On Windows, trailing dots seem to be ignored, so "WEB-INF" and "WEB-INF.." are just two names for the same file. This also works if the filename already has an extension, so for example "foo.html" and "foo.html....." are the same file, too.
Yes and no. At least on my W2K box here it seems to work only for one and two additional dots on the cmd commandline, but not three. (Just to be picky. :-) Another (some kind of obvious) way to exploit the two-dot directory "feature" of Windows under Apache is to bypass <Location ...> based restrictions on directories. e.g. if you have a directory foo in your DocumentRoot and restrict access by <Location "/foo/"> Order deny,allow Deny from all </Location> you can easily access it by requesting http://host/foo../ instead of http://host/foo/, which results in a 403 Forbidden. (It must be a real directory to work, aliasses won't do the trick.) Of course you usually won't lock up directories with <Location ...>, but a there other cases, where you would use <Location ...> in favor of <Directory ...> or <Files ...>. Kind regards, Axel Beckert -- ------------------------------------------------------------- Axel Beckert ecos electronic communication services gmbh it security solutions * web applications with apache and perl Mail: Tulpenstrasse 5 D-55276 Dienheim near Mainz E-Mail: beckert () ecos de Voice: +49 6133 939-220 WWW: http://www.ecos.de/ Fax: +49 6133 939-333 ------------------------------------------------------------- Visit us at CeBIT (18. - 24. March 2004) Halle 6 Stand B38-452 --------------------------------------------------------------
Current thread:
- Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Wang Yun (Feb 09)
- Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Dave Weis (Feb 10)
- Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Peter J. Holzer (Feb 12)
- Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Oliver Schneider (Feb 12)
- Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") André Malo (Feb 13)
- RE: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Alun Jones (Feb 13)
- RE: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") J. (Feb 17)
- RE: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Alun Jones (Feb 17)
- Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Peter J. Holzer (Feb 19)
- Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Peter J. Holzer (Feb 12)
- Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Dave Weis (Feb 10)
- Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/") Axel Beckert - ecos gmbh (Feb 16)