Bugtraq mailing list archives

RE: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")


From: "Alun Jones" <alun () texis com>
Date: Tue, 17 Feb 2004 11:47:10 -0600

If you'll read my message more carefully, you'll note that at no time did I
say "I can reproduce this bug with Apache right now".  I said that, in the
past, web servers have been exploited by requesting files with differently
formatted names that Windows resolves to the same target.

Notice also, that you are incorrect when you assign this as being an IE
behaviour.  IE doesn't remove the terminating dots in a file name - and
indeed it should not.  It is the web server, that accesses the file system,
that ends up opening "filename.asp." and thereby inadvertently turning the
name into "filename.asp", that would have such an error.

IIS has not exhibited this behaviour for a considerable time, IIRC.

Alun.
~~~~
-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun () texis com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
 

-----Original Message-----
From: J. [mailto:jeruvy () shaw ca] 
Sent: Saturday, February 14, 2004 10:12 AM
To: 'Alun Jones'
Cc: bugtraq () securityfocus com
Subject: RE: Apache Http Server Reveals Script Source Code to 
Remote Users And Any Users Can Access The Forbidden Directory 
("/WEB-INF/")

I don't acknowledge this.

I tested this with Windows XPsp1 running IE 6.0.2800 with latest
patches.  Running on the latest build of Apache server on the same box.

IE knew the difference between 'web-inf..' and 'web-inf.' and
'web-inf...' (so did Apache).  As a matter of fact, creating separate pages
with these names resulted in separate loading.

Perhaps your 'claim' can be further substantiated by what 'you' are doing
to IE to cause this.

J.


:> -----Original Message-----
:> From: Alun Jones [mailto:alun () texis com] 
:> Sent: Thursday, February 12, 2004 5:32 PM
:> To: 'Peter J. Holzer'; bugtraq () securityfocus com
:> Subject: RE: Apache Http Server Reveals Script Source Code 
:> to Remote Users And Any Users Can Access The Forbidden 
:> Directory ("/WEB-INF/")
:> 
:> 
:> > -----Original Message-----
:> > From: Peter J. Holzer [mailto:hjp () wsr ac at]
:> > Sent: Wednesday, February 11, 2004 6:50 AM
:> > 
:> > Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal file
:> > names. On Windows, trailing dots seem to be ignored, so "WEB-INF" and
:> > "WEB-INF.." are just two names for the same file. This also works if
:> > the filename already has an extension, so for example "foo.html" and
:> > "foo.html....." are the same file, too. I wonder whether that can be
:> > exploited, too: Get the contents of a CGI script by requesting
:> > "foo.cgi."?
:> 
:> It's been done before - certainly in IIS, there was a bug 
:> where getting a "filename.asp." URL gave you the source of 
:> the ASP script.  Same for "filename.asp:$DATA".
:> 
:> Alun.
:> ~~~~
:> -- 
:> Texas Imperial Software   | Find us at http://www.wftpd.com or email
:> 1602 Harvest Moon Place   | alun () texis com.
:> Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
:> Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
:> 
:> 
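
Added example, not part of the original thread: a request-path check for a server whose document root sits on a Windows file system, rejecting any segment that Windows would open under a different name (trailing dots or spaces, or a ":" stream suffix) before access rules are matched. The function names, the protected-directory set and the sample requests are assumptions constructed for illustration, using the file names mentioned in the thread.

```python
from urllib.parse import unquote

# Assumption for this sketch: WEB-INF (the directory named in the thread)
# is the only directory that must never be served.
PROTECTED_DIRS = {"web-inf"}


def win32_alias(segment):
    """Model the name Windows ends up opening for one path segment:
    anything after ':' names a stream of the same file, trailing dots
    and spaces are dropped, and comparison is case-insensitive."""
    name = segment.split(":", 1)[0]
    return name.rstrip(". ").lower()


def check_path(url_path):
    """Return (verdict, reason) where verdict is allow, forbid or reject.
    'reject' means the segment is an alias: the access rules would see
    one name while the file system opens another."""
    for raw in url_path.split("/"):
        if not raw:
            continue
        seg = unquote(raw)  # decode %2E etc. before comparing
        if "/" in seg or "\\" in seg:
            return ("reject", "encoded separator in %r" % raw)
        alias = win32_alias(seg)
        if alias != seg.lower():
            return ("reject", "%r opens as %r on Windows" % (seg, alias))
        if alias in PROTECTED_DIRS:
            return ("forbid", "%r is a protected directory" % seg)
    return ("allow", "")


# Constructed sample requests built from the names used in the thread.
CONSTRUCTED_REQUESTS = [
    "/WEB-INF/web.xml",
    "/WEB-INF../web.xml",
    "/scripts/filename.asp.",
    "/scripts/filename.asp:$DATA",
    "/foo.cgi%2E",
    "/foo.html",
]

if __name__ == "__main__":
    for path in CONSTRUCTED_REQUESTS:
        verdict, reason = check_path(path)
        print("%-30s %-7s %s" % (path, verdict, reason))
```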


