Full Disclosure mailing list archives

Re: Path Parsing Errata in Apache HTTP Server


From: Gilles Cuesta <gcuesta () netimedias com>
Date: Wed, 22 Jan 2003 16:18:04 +0100

On Wed, 22 Jan 2003 09:00:58 -0500
"mattmurphy () kc rr com" <mattmurphy () kc rr com> wrote:

Issue 3 (VU#384033):

Exploitation of this condition could lead to bypass of default script 
mapping behavior.  This flaw impacts Apache on all platforms.  This 
issue is best described with an example:

http://localhost/folder.php/file

Apache should parse 'file' as plain text -- that is, simply returning
it to the browser.  However, an incorrect check in Apache's mapping 
algorithms causes the 'php' extension to be associated with this 
request.  Rather than checking only the file's extension, Apache
checks for extensions in any path member, stopping at the first.

This is more of a weakness than a vulnerability, as exploitation only 
yields UID nobody if you allow uploading under the docroot *and*
filter by filename only, in which case you have far more serious
concerns than the exploitation of this issue.

DETECTION

These issues are believed to be specific to the 2.0 branch; Apache 
1.3.27 (and all other 1.x versions) are believed immune from these 
issues.  Apache 2.0.43 and prior should be upgraded to the 2.0.44 
release, which will be available from 
<http://httpd.apache.org/dist/httpd>.

This issue doesn't run on an RH 8.0 httpd server:

# cat /etc/issue
Red Hat Linux release 8.0 (Psyche)
Kernel \r on an \m

# rpm -qa | grep httpd
httpd-2.0.40-11
# rpm -qa | grep php
php-mysql-4.2.2-8.0.5
php-4.2.2-8.0.5

# lynx -source http://localhost/folder.php/text
<?php
phpinfo();
?>

# lynx -source http://localhost/folder.php/text.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><style type="text/css"><!--
a { text-decoration: none; }
...
...
...
<p>If you did not receive a copy of the PHP license, or have any
questions about PHP licensing, please contact license () php net.</p>
</td></tr>
</table><br />
</body></html>

-- 
Gilles Cuesta
Netimedias - http://www.netimedias.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
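To make the mapping difference from the quoted advisory concrete, here is an added Python model (not Apache's own code, and a deliberate simplification of the behaviour the advisory describes) that compares the intended last-component rule with the first-match rule and lists the requests on which the two disagree; the handler table and sample paths are constructed for this example.

```python
"""Model of the two path-to-handler mapping rules described in the advisory:
the intended rule (only the final path component is examined) versus the
behaviour reported for Apache 2.0.43 and earlier (the first path member that
carries a mapped extension wins). This is an added illustration, not Apache's
code; the handler table and sample paths are constructed for the example."""
from typing import Optional

# Assumed AddType/AddHandler-style table, constructed for this example.
HANDLERS = {"php": "application/x-httpd-php", "cgi": "cgi-script"}


def extensions_of(component: str) -> list:
    """Dotted extensions of one path component: 'a.tar.gz' -> ['tar', 'gz']."""
    parts = component.split(".")
    return [p.lower() for p in parts[1:] if p]


def handler_last_component(path: str) -> Optional[str]:
    """Intended behaviour: only the final path component selects the handler."""
    final = path.rstrip("/").split("/")[-1]
    for ext in extensions_of(final):
        if ext in HANDLERS:
            return HANDLERS[ext]
    return None


def handler_first_match(path: str) -> Optional[str]:
    """Behaviour described for Apache 2.0.43 and earlier: walk the path members
    left to right and stop at the first one carrying a mapped extension."""
    for component in path.split("/"):
        for ext in extensions_of(component):
            if ext in HANDLERS:
                return HANDLERS[ext]
    return None


def mismatched_requests(paths: list) -> list:
    """Requests the first-match rule hands to a script engine even though the
    final component (all a filename-only upload filter inspects) is not a script."""
    return [p for p in paths if handler_first_match(p) != handler_last_component(p)]


if __name__ == "__main__":
    samples = ["/folder.php/file", "/folder.php/text.php",
               "/docs/readme.txt", "/up/bin.cgi/x.jpg"]
    for p in mismatched_requests(samples):
        print(p, "->", handler_first_match(p))
```

Running it reports `/folder.php/file` and `/up/bin.cgi/x.jpg` as the requests where the two rules diverge, which matches the raw-source versus executed-PHP difference seen in the lynx transcripts above.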