Full Disclosure mailing list archives
Re: Path Parsing Errata in Apache HTTP Server
From: Ben Laurie <ben () algroup co uk>
Date: Wed, 22 Jan 2003 18:13:13 +0000
Gilles Cuesta wrote:
> On Wed, 22 Jan 2003 09:00:58 -0500 "mattmurphy () kc rr com" <mattmurphy () kc rr com> wrote:
>
> > Issue 3 (VU#384033):
> >
> > Exploitation of this condition could lead to bypass of default script mapping behavior. This flaw impacts Apache on all platforms. This issue is best described with an example:
> >
> > http://localhost/folder.php/file
> >
> > Apache should parse 'file' as plain text -- that is, simply returning it to the browser. However, an incorrect check in Apache's mapping algorithms causes the 'php' extension to be associated with this request. Rather than checking only the file's extension, Apache checks for extensions in any path member, stopping at the first.
> >
> > This is more of a weakness than a vulnerability, as exploitation only yields UID nobody if you allow uploading under the docroot *and* filter by filename only, in which case you have far more serious concerns than the exploitation of this issue.
> >
> > DETECTION
> >
> > These issues are believed to be specific to the 2.0 branch; Apache 1.3.27 (and all other 1.x versions) are believed immune from these issues. Apache 2.0.43 and prior should be upgraded to the 2.0.44 release, which will be available from <http://httpd.apache.org/dist/httpd>.
>
> This issue doesn't run on a RH 8.0 httpd server:
>
> # cat /etc/issue
> Red Hat Linux release 8.0 (Psyche)
> Kernel \r on an \m
>
> # rpm -qa | grep httpd
> httpd-2.0.40-11

Redhat backport fixes, so there's no way to relate their version number to an Apache advisory. I believe I've already sent my rant about this particular kind of brain death, so I'll leave it as an exercise for the reader.
The short version is: very interesting, but that adds no information to the status of Apache 2.0.40.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
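
The mapping behaviour described in Issue 3 of the quoted advisory, as a simplified model with an audit helper that flags paths whose handler would differ between the two rules. This is an added example, not code from the thread or from Apache; the extension set, function names and sample paths are assumptions constructed for illustration.

```python
# Assumed handler map for illustration; a real server's mappings come from
# its own AddType/AddHandler configuration.
MAPPED_EXTENSIONS = {"php", "cgi", "pl"}


def extension_of(member):
    """Return the lower-cased text after the last dot of one path member.

    Members with no dot, or with only a leading dot (".htaccess"), have no
    extension and yield None.
    """
    name, dot, ext = member.rpartition(".")
    return ext.lower() if dot and name else None


def final_member_handler(url_path):
    """Expected rule: only the last path member decides the mapping."""
    members = [m for m in url_path.split("/") if m]
    ext = extension_of(members[-1]) if members else None
    return ext if ext in MAPPED_EXTENSIONS else None


def any_member_handler(url_path):
    """Rule described in the advisory: extensions are looked for in every
    path member, and the first mapped one wins (simplified model)."""
    for member in url_path.split("/"):
        ext = extension_of(member)
        if ext in MAPPED_EXTENSIONS:
            return ext
    return None


def audit(paths):
    """Return the paths whose handler differs between the two rules, i.e.
    content that is only safe if the server uses the expected rule."""
    return [p for p in paths if final_member_handler(p) != any_member_handler(p)]


# Constructed sample paths under a hypothetical docroot.
SAMPLE_PATHS = [
    "/folder.php/file",       # the advisory's own example
    "/app/index.php",         # mapped under both rules
    "/uploads/readme.txt",    # mapped under neither
    "/uploads/v1.2/notes",    # dotted directory, extension not mapped
    "/cache.cgi/data.txt",    # directory name carries a mapped extension
]

if __name__ == "__main__":
    for path in audit(SAMPLE_PATHS):
        print("review:", path, "->", any_member_handler(path))
```

Run against a listing of the docroot, this shows where an upload filter that inspects only the filename would disagree with the server's mapping.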