Bugtraq mailing list archives
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
From: Vietnamese Security Group <security () security com vn>
Date: 3 Feb 2004 13:48:53 -0000
In-Reply-To: <20040131211851.30391.qmail () www securityfocus com>

Note: of course it also affects the current version 2.0.48 (tested).

Vietnamese Security Group
www.security.com.vn
Date: 31 Jan 2004 21:18:51 -0000
Message-ID: <20040131211851.30391.qmail () www securityfocus com>
From: Vietnamese Security Group <security () security com vn>
To: bugtraq () securityfocus com
Subject: BUG IN APACHE HTTPD SERVER (current version 2.0.47)

APACHE HTTPD SERVER (current version 2.0.47):
##########################################################
How to return files from an Apache "Deny From All" directory.
The directives controlling host access may be bypassed even if they are not permitted to be overridden.
11 Jan 2004

DESCRIPTION

The Apache web server allows configuration to be managed via the main httpd.conf file, and via other configuration files placed inside the child web trees, which may be owned by user accounts and are named .htaccess by default. The server administrator further controls which directives may be placed in .htaccess files by configuring the AllowOverride directive in the main httpd.conf file.
If the server admin sets the Deny directive to All (for example), and does not allow the user accounts to modify this directive in their .htaccess file by setting the AllowOverride values without the Limit type, his/her users are still able to bypass the Deny option by using the ErrorDocument directive.

Tested in Apache 2.0.47/RH-Linux/WinXP.

EXAMPLE

##########################################################
# In the main httpd.conf file:
#
<Directory />
    AllowOverride FileInfo
    Deny From All
</Directory>
##########################################################

##########################################################
# In the user's .htaccess file placed in a child directory:
ErrorDocument 403 /child/dir/fetch.php
##########################################################

/********************************************************/
<?php
// In the fetch.php placed in the same directory:
// take the path of the originally requested (denied) URI and
// include the file of the same name from this directory.
$url = parse_url( $_SERVER['REQUEST_URI'] );
@include basename( $url['path'] );
?>
/********************************************************/

In this example, it is assumed that the web server can execute PHP scripts or some other scripts/server-side includes. By modifying some of the code you can return other MIME file types such as image/gif etc.

Even if the server does not allow any file to be served (Deny From All), the script file fetch.php will still be executed, and it in turn includes and parses any other file in the same directory, as indicated by the query variables, and returns it to the web client.

Looking in the source code, I think the missing auth check is in the function ap_process_request_internal() in the file request.c. One of the major changes in Apache 2.0 is to the internal redirect mechanism. To prevent the code from falling out of sync again in the current directory, the comparison between the two directory configurations may bypass the authentication check again. That explains why this vulnerability (if any?) can only be done if the redirected ErrorDocument file is placed in the same request directory.

FIX

Do not skip the auth checker even if the per_dir_config member value doesn't change in the ap_process_request_internal() function.

NOTE

I post this issue to the public mailing list because I think this vuln is not exploitable by a remote attacker. If something is wrong, drop me a line.

Vietnamese Security Group
Trung - caothuvolam - trungonly () yahoo com
http://www.security.com.vn
31 Nui Truc st. Ba Dinh dist. Ha Noi, Vietnam
Phone: 84.4.8465701 / Fax: 84.4.8465701
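Added example (not part of the original mail, nor Apache's own code): a small Python audit for the two ingredients the post combines, a <Directory> block that says "Deny from all" while still granting AllowOverride FileInfo (the override group that lets an .htaccess set ErrorDocument, or All, which enables every group), and an .htaccess beneath it whose 403 ErrorDocument points at a local path. The httpd.conf texts, .htaccess paths and their contents are constructed sample data; the "hardened" variant uses AllowOverride None, which withdraws the override the bypass depends on. It is a static configuration check and says nothing about the internal-redirect behaviour of a given httpd build.

```python
"""Find "Deny from all" directories whose .htaccess files may still set a local
ErrorDocument, the combination described in the post above.

Added example with constructed sample configuration; not code from the original
mail or from the Apache project.
"""
import re
from typing import Dict, List, Tuple

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.I | re.S)
ALLOWOVERRIDE_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.I | re.M)
DENY_ALL_RE = re.compile(r"^\s*Deny\s+from\s+all\s*$", re.I | re.M)
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.I | re.M)

# Override groups under which an .htaccess may set ErrorDocument
# (its override type is FileInfo; "All" enables every group).
ERRORDOC_OVERRIDES = {"fileinfo", "all"}


def denied_dirs_allowing_errordocument(httpd_conf: str) -> List[str]:
    """Paths of <Directory> blocks that deny everyone yet let .htaccess set ErrorDocument."""
    risky = []
    for m in DIRECTORY_RE.finditer(httpd_conf):
        path, body = m.group(1), m.group(2)
        if not DENY_ALL_RE.search(body):
            continue
        ao = ALLOWOVERRIDE_RE.search(body)
        if ao is None:
            continue  # inherits AllowOverride from a parent; out of scope here
        groups = {g.lower() for g in ao.group(1).split()}
        if groups & ERRORDOC_OVERRIDES:
            risky.append(path)
    return risky


def local_errordocuments(htaccess: str) -> List[Tuple[str, str]]:
    """(status, target) pairs whose target is a local URL path, i.e. an internal
    redirect to a document on this server, rather than an external URL or a
    quoted message string."""
    return [(code, target) for code, target in ERRORDOC_RE.findall(htaccess)
            if target.startswith("/")]


def find_bypass_candidates(httpd_conf: str, htaccess_files: Dict[str, str]) -> List[Dict[str, str]]:
    """Combine both checks: an .htaccess under a risky directory that redirects 403 locally."""
    findings = []
    for top in denied_dirs_allowing_errordocument(httpd_conf):
        prefix = top.rstrip("/") + "/"  # "/" stays "/", "/var/www" becomes "/var/www/"
        for path, content in htaccess_files.items():
            if not path.startswith(prefix):
                continue
            for code, target in local_errordocuments(content):
                if code == "403":
                    findings.append({"directory": top, "htaccess": path, "target": target})
    return findings


# Constructed sample data: the post's configuration, and the same block with the
# FileInfo override withdrawn.
WEAK_CONF = """
<Directory />
    AllowOverride FileInfo
    Deny From All
</Directory>
"""

HARDENED_CONF = """
<Directory />
    AllowOverride None
    Deny From All
</Directory>
"""

# Constructed .htaccess contents keyed by (hypothetical) filesystem path.
HTACCESS_FILES = {
    "/var/www/html/child/dir/.htaccess": "ErrorDocument 403 /child/dir/fetch.php\n",
    "/var/www/html/other/.htaccess": 'ErrorDocument 403 "Forbidden"\n',
}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, find_bypass_candidates(conf, HTACCESS_FILES))
```

Run stand-alone it reports the child/dir .htaccess for the weak configuration and nothing for the hardened one; the "Forbidden" message form of ErrorDocument is not flagged because it involves no internal redirect.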
Current thread:
- BUG IN APACHE HTTPD SERVER (current version 2.0.47) Vietnamese Security Group (Feb 02)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 03)
- <Possible follow-ups>
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Vietnamese Security Group (Feb 03)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) langtuhaohoa caothuvolam (Feb 04)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 04)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Dan Yefimov (Feb 05)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Seth Arnold (Feb 06)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Todd C. Campbell (Feb 06)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Tyler Larson (Feb 06)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 04)