Bugtraq mailing list archives

Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")


From: "Peter J. Holzer" <hjp () wsr ac at>
Date: Tue, 17 Feb 2004 21:26:58 +0100

[reformatted for better readability]

On 2004-02-14 09:11:40 -0700, J. wrote:
:> From: Alun Jones [mailto:alun () texis com] 
:> 
:> > -----Original Message-----
:> > From: Peter J. Holzer [mailto:hjp () wsr ac at]
:> > 
:> > Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal
:> > file names. On Windows, trailing dots seem to be ignored, so
:> > "WEB-INF" and "WEB-INF.." are just two names for the same file.
:> > This also works if the filename already has an extension, so for
:> > example "foo.html" and "foo.html....." are the same file, too. I
:> > wonder whether that can be exploited, too: Get the contents of a
:> > CGI script by requesting "foo.cgi."?
:> 
:> It's been done before - certainly in IIS, there was a bug 
:> where getting a "filename.asp." URL gave you the source of 
:> the ASP script.  Same for "filename.asp:$DATA".

I don't acknowledge this.

I tested this with Windows XP SP1 running IE 6.0.2800 with the latest
patches, running on the latest build of Apache server on the same box.

IE knew the difference between 'web-inf..' and 'web-inf.' and
'web-inf...' (so did Apache). As a matter of fact, creating separate pages
with these names resulted in separate loading.

Alun wrote "there *was* a bug", which implies that it has been fixed.

IE doesn't have anything to do with it; it just sends the URL to the web
server, which serves some content. For static content, the server usually
just tries to access a file and serves its content. It may impose
additional rules, though.

Perhaps your 'claim' can be further substantiated by what 'you' are doing
to IE to cause this.

I didn't do anything to IE. I just created a directory "testdir" and
file "test.txt" and tried to access "testdir...." and "test.txt...."
from cmd, which worked. That's why I claimed that "On Windows, trailing
dots seem to be ignored". A web server on windows needs to take this
into account, just like it has to take into account that filenames are
case-insensitive.

This was on Windows 2000, SP2 (oops, rather old - but that box is going
to be reinstalled RSN anyway, says our Windows-Admin), so maybe it is
fixed in WinXP or some W2K SP.

        hp

-- 
   _  | Peter J. Holzer      | Shooting the users in the foot is bad. 
|_|_) | Sysadmin WSR / LUGA  | Giving them a gun isn't.
| |   | hjp () wsr ac at        |       -- Gordon Schumacher,
__/   | http://www.hjp.at/   |     mozilla bug #84128
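The point Peter makes above, that a web server on Windows has to account for trailing-dot stripping and case-insensitivity before it enforces a rule like "deny /WEB-INF/", as an added example that is not part of the thread and is not Apache's or any servlet container's code. It contrasts a literal string match with a guard that canonicalises each path segment the way Win32 resolves names (trailing dots and spaces dropped, case folded); the segment set `FORBIDDEN` and the function names are assumptions for this illustration.

```python
from urllib.parse import unquote

# Directory names the server must never serve (assumed set for this example).
FORBIDDEN = {"web-inf", "meta-inf"}


def naive_is_forbidden(url_path: str) -> bool:
    """Literal check: only catches the exact spelling '/WEB-INF/'.

    On Windows this is bypassed by '/WEB-INF../' or '/web-inf/', because
    the filesystem opens the same directory for all of those names.
    """
    return "/WEB-INF/" in url_path


def canonical_segment(segment: str) -> str:
    """Map one path segment to the name Win32 would actually open.

    Win32 strips trailing dots (the behaviour observed with 'testdir....')
    and trailing spaces from a name, and NTFS name matching is
    case-insensitive, so 'WEB-INF..', 'web-inf ' and 'WEB-INF' all
    collapse to 'web-inf'.
    """
    return segment.rstrip(". ").lower()


def hardened_is_forbidden(url_path: str) -> bool:
    """Percent-decode, split into segments, canonicalise each, then compare.

    Comparing canonical segments means the guard sees the same name the
    filesystem will see, instead of the literal bytes the client sent.
    """
    segments = unquote(url_path).split("/")
    return any(canonical_segment(s) in FORBIDDEN for s in segments)


if __name__ == "__main__":
    # Constructed probe paths; the first is the plain case, the rest are
    # Windows name aliases that a literal match does not recognise.
    for probe in ("/WEB-INF/web.xml", "/WEB-INF../web.xml",
                  "/web-inf/web.xml", "/WEB-INF%2E/web.xml", "/index.html"):
        print(f"{probe:24} naive={naive_is_forbidden(probe)!s:5} "
              f"hardened={hardened_is_forbidden(probe)}")
```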
