Full Disclosure mailing list archives
Re: Path Parsing Errata in Apache HTTP Server
From: Gilles Cuesta <gcuesta () netimedias com>
Date: Wed, 22 Jan 2003 16:18:04 +0100
On Wed, 22 Jan 2003 09:00:58 -0500 "mattmurphy () kc rr com" <mattmurphy () kc rr com> wrote:
> Issue 3 (VU#384033): Exploitation of this condition could lead to bypass of
> default script mapping behavior. This flaw impacts Apache on all platforms.
> This issue is best described with an example:
>
> http://localhost/folder.php/file
>
> Apache should parse 'file' as plain text -- that is, simply returning it to
> the browser. However, an incorrect check in Apache's mapping algorithms
> causes the 'php' extension to be associated with this request. Rather than
> checking only the file's extension, Apache checks for extensions in any path
> member, stopping at the first.
>
> This is more of a weakness than a vulnerability, as exploitation only yields
> UID nobody if you allow uploading under the docroot *and* filter by filename
> only, in which case you have far more serious concerns than the exploitation
> of this issue.
>
> DETECTION
>
> These issues are believed to be specific to the 2.0 branch; Apache 1.3.27
> (and all other 1.x versions) are believed immune from these issues. Apache
> 2.0.43 and prior should be upgraded to the 2.0.44 release, which will be
> available from <http://httpd.apache.org/dist/httpd>.
This issue doesn't run on a RH 8.0 httpd server:

# cat /etc/issue
Red Hat Linux release 8.0 (Psyche)
Kernel \r on an \m

# rpm -qa | grep httpd
httpd-2.0.40-11
# rpm -qa | grep php
php-mysql-4.2.2-8.0.5
php-4.2.2-8.0.5
# lynx -source http://localhost/folder.php/text
<?php phpinfo(); ?>
# lynx -source http://localhost/folder.php/text.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><style type="text/css"><!--
a { text-decoration: none; }
...
...
...
<p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license () php net.</p>
</td></tr>
</table><br />
</body></html>

--
Gilles Cuesta
Netimedias - http://www.netimedias.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
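An added example (not part of the original message and not Apache's code) that models the two mapping rules the quoted advisory contrasts, so an administrator can list document-root paths whose handling would differ between them. The handler set, function names and sample paths are assumptions constructed for illustration.

```python
# Assumed handler map for illustration; a real server's AddType/AddHandler
# configuration decides which extensions are script-mapped.
SCRIPT_EXTENSIONS = {"php"}

def ext_of(segment):
    """Lowercased extension of one path segment, or None (dotfiles have none)."""
    name, dot, ext = segment.rpartition(".")
    return ext.lower() if dot and name and ext else None

def _segments(url_path):
    return [s for s in url_path.split("/") if s]

def handler_by_last_segment(url_path):
    """Expected rule: only the final path member's extension selects a handler."""
    segs = _segments(url_path)
    ext = ext_of(segs[-1]) if segs else None
    return ext if ext in SCRIPT_EXTENSIONS else None

def handler_by_any_segment(url_path):
    """Rule described in the advisory: the first path member that carries an
    extension decides the mapping, even if it is a directory name."""
    for seg in _segments(url_path):
        ext = ext_of(seg)
        if ext is not None:
            return ext if ext in SCRIPT_EXTENSIONS else None
    return None

def mapping_disagreements(paths):
    """Return (path, expected, described) for paths the two rules treat differently."""
    out = []
    for p in paths:
        expected, described = handler_by_last_segment(p), handler_by_any_segment(p)
        if expected != described:
            out.append((p, expected, described))
    return out

# Constructed sample paths, relative to a document root.
SAMPLE_PATHS = [
    "/folder.php/file",       # the advisory's example
    "/folder.php/text.php",   # script under either rule
    "/uploads/notes.txt",
    "/.htaccess",
]

if __name__ == "__main__":
    for path, expected, described in mapping_disagreements(SAMPLE_PATHS):
        print(f"{path}: expected handler={expected}, described handler={described}")
```

Any path this reports sits under a directory whose name carries a script-mapped extension, which is the layout to look for when reviewing upload locations on an affected 2.0.x server.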