Bugtraq mailing list archives
Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")
From: "Peter J. Holzer" <hjp () wsr ac at>
Date: Tue, 17 Feb 2004 21:26:58 +0100
[reformatted for better readability]

On 2004-02-14 09:11:40 -0700, J. wrote:
:> From: Alun Jones [mailto:alun () texis com]
:>
:> > -----Original Message-----
:> > From: Peter J. Holzer [mailto:hjp () wsr ac at]
:> >
:> > Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal
:> > file names. On Windows, trailing dots seem to be ignored, so
:> > "WEB-INF" and "WEB-INF.." are just two names for the same file.
:> > This also works if the filename already has an extension, so for
:> > example "foo.html" and "foo.html....." are the same file, too. I
:> > wonder whether that can be exploited, too: Get the contents of a
:> > CGI script by requesting "foo.cgi."?
:>
:> It's been done before - certainly in IIS, there was a bug
:> where getting a "filename.asp." URL gave you the source of
:> the ASP script. Same for "filename.asp:$DATA".
>
> I don't acknowledge this. I tested this with Windows XPsp1 running
> IE 6.0.2800 with latest patches. Running on the latest build of
> Apache server on the same box. IE knew the difference between
> 'web-inf..' and 'web-inf.' and 'web-inf...' (so did apache). Matter
> of a fact creating separate pages with these names resulted in
> separate loading.

Alun wrote "there *was* a bug", which implies that it has been fixed.

IE doesn't have anything to do with it; it just sends the URL to the web server, which serves some content. For static content, the server usually just tries to access a file and serves its content. It may impose additional rules, though.

> Perhaps your 'claim' can be further substantiated by what 'you' are
> doing to IE to cause this.

I didn't do anything to IE. I just created a directory "testdir" and file "test.txt" and tried to access "testdir...." and "test.txt...." from cmd, which worked. That's why I claimed that "On Windows, trailing dots seem to be ignored". A web server on Windows needs to take this into account, just like it has to take into account that filenames are case-insensitive.

This was on Windows 2000, SP2 (oops, rather old - but that box is going to be reinstalled RSN anyway, says our Windows-Admin), so maybe it is fixed in WinXP or some W2K SP.

	hp

-- 
   _  | Peter J. Holzer      | Shooting the users in the foot is bad.
|_|_) | Sysadmin WSR / LUGA  | Giving them a gun isn't.
| |   | hjp () wsr ac at     |    -- Gordon Schumacher,
__/   | http://www.hjp.at/   |       mozilla bug #84128
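Added example (not part of the original posts, and not Apache's or IIS's own code): a request-path check a server on Windows could apply before mapping a URL to a file, covering the three aliasing cases raised in this thread (trailing dots, the `:$DATA` stream suffix, and case-insensitivity). The function names and the rule of stripping every trailing dot and space from each segment are assumptions chosen to be stricter than the filesystem, not a description of its exact behaviour.

```python
from urllib.parse import unquote

# Directory names that must never be served; WEB-INF is the one from this thread.
PROTECTED = frozenset({"web-inf"})


def _segments(url_path):
    """Percent-decode the path and split it, skipping empty and dot segments."""
    decoded = unquote(url_path).replace("\\", "/")
    return [s for s in decoded.split("/") if s not in ("", ".", "..")]


def canonical_segment(segment):
    """Conservative model (assumption) of the name Windows would resolve:
    drop any stream suffix after ':', strip trailing dots and spaces, fold case."""
    return segment.split(":", 1)[0].rstrip(". ").casefold()


def is_forbidden(url_path, protected=PROTECTED):
    """True if any segment is an alias of a protected name."""
    return any(canonical_segment(s) in protected for s in _segments(url_path))


def is_ambiguous(url_path):
    """True if a segment would be rewritten by the filesystem. Refusing these
    keeps 'foo.cgi.' from bypassing a handler that is keyed on '.cgi'."""
    return any(":" in s or s != s.rstrip(". ") for s in _segments(url_path))


if __name__ == "__main__":
    # Constructed sample requests, using the names quoted in the thread.
    for path in ("/app/WEB-INF/web.xml", "/app/web-inf../web.xml",
                 "/cgi-bin/foo.cgi.", "/filename.asp:$DATA", "/test.txt"):
        verdict = "deny" if is_forbidden(path) or is_ambiguous(path) else "allow"
        print(f"{verdict:5} {path}")
```

Run both checks on the decoded path before any access-control or handler lookup, so the rule is applied to the same name the filesystem will open.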