Vulnerability Development mailing list archives

Re: Apache HTTPD's magical behavior


From: Doru Petrescu <pdoru () kappa ro>
Date: Fri, 30 Nov 2001 22:02:21 +0200 (EET)


ok, so? ... I don't see the problem ...

at least with your example you get exactly the same thing, that is the '/'
but you DO have access to it without the '/../' trick ... so you are actually
stealing your own hat ... :-)

it seems to me that apache will FIRST rewrite the URL
from http://host/dir1/dir2/../ to http://host/dir1/
and THEN look up the result on the disk ...

so, if you try http://dtp.kappa.ro/x/../ you will get the
http://dtp.kappa.ro/ even if the 'x' dir doesn't exist ...

it seems to me like a feature: apache first cleans up the URI ...

as I said ... I don't see the problem ...

Best regards,
------
Doru Petrescu
KappaNet - Senior Software Engineer
E-mail: pdoru () kappa ro                LINUX - the choice of the GNU generation
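The behaviour Doru describes (the dot segments in the path are collapsed before anything is looked up on disk, so /x/../ and / name the same directory) is ordinary RFC 3986 path normalization. The block below is an added example and is not code from this thread or from Apache: it implements the remove_dot_segments algorithm of RFC 3986 section 5.2.4 and then contrasts a hypothetical per-directory listing rule evaluated on the raw request path with the same rule evaluated on the canonical path. The function names, the INDEXABLE set and the sample request paths are constructed for illustration; the point is that any access rule keyed on a path must be applied after canonicalization, since the server itself will serve the canonical resource.

```python
"""Path canonicalization and why access rules must run on the canonical path.

Added example for the vuln-dev thread on Apache collapsing '/dir/..' before
the filesystem lookup. Not Apache code; RFC 3986 remove_dot_segments only.
"""


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: collapse '.' and '..' segments in an absolute path.

    '..' segments that would climb above the root are dropped, which is why
    '/x/../' resolves to '/' even when the 'x' directory does not exist.
    (A real server percent-decodes the path before this step.)
    """
    inp = path
    out: list[str] = []
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]  # "/./x" -> "/x"
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):
            inp = inp[3:]  # "/../x" -> "/x", and pop the last output segment
            if out:
                out.pop()
        elif inp == "/..":
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first segment (with its leading "/") to the output.
            start = 1 if inp.startswith("/") else 0
            idx = inp.find("/", start)
            if idx == -1:
                seg, inp = inp, ""
            else:
                seg, inp = inp[:idx], inp[idx:]
            out.append(seg)
    return "".join(out)


def canonical_directory(raw_path: str) -> str:
    """Canonical form of a directory request, always with a trailing slash."""
    canon = remove_dot_segments(raw_path)
    return canon if canon.endswith("/") else canon + "/"


# Hypothetical policy: only these directories may return a listing (constructed).
INDEXABLE = {"/mrtg-2.8.12/"}


def naive_listing_allowed(raw_path: str, indexable: set[str]) -> bool:
    """Flawed rule: string-prefix match on the raw request path.

    '/mrtg-2.8.12/..' starts with '/mrtg-2.8.12/', so it is allowed, although
    the resource actually served is the root directory.
    """
    return any(raw_path.startswith(d) for d in indexable)


def listing_allowed(raw_path: str, indexable: set[str]) -> tuple[bool, str]:
    """Correct rule: canonicalize first, then decide on the path that is served.

    Returns (allowed, canonical_path) so callers can log the canonical form,
    which is also what should go in the access log for later review.
    """
    canon = canonical_directory(raw_path)
    return any(canon.startswith(d) for d in indexable), canon


if __name__ == "__main__":
    for req in ("/mrtg-2.8.12/", "/mrtg-2.8.12/..", "/x/../", "/dir1/dir2/../"):
        allowed, canon = listing_allowed(req, INDEXABLE)
        print(f"{req:20s} -> {canon:16s} naive={naive_listing_allowed(req, INDEXABLE)!s:5s} canonical={allowed}")
```

Run stand-alone it prints, for each constructed request path, the canonical directory and the two decisions; the /mrtg-2.8.12/.. line is the case from the thread, accepted by the raw-path rule and refused once the rule is applied to the canonical path /.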



On Fri, 30 Nov 2001, Russell Handorf wrote:

Today I was browsing the Internet when I came across a server that would
not let me view the contents of the root dir.

However, it did let me view the contents of a dir within its root dir. So
I tried the following:

http://<server>/<dir i can browse>../

And for some reason it allowed me to view the root dir and all of its contents.

Anyone else have this problem?

I submit the following example.

First, go to

http://backbone.sourceforge.com

now, go to

http://backbone.sourceforge.net/mrtg-2.8.12/..                (Don't forget the '..'s)

I know the server logs it as viewing the readable dir plus the /..   and
that files within the root dir, once exposed via the '..', may have a
problem with being downloaded. That is easily circumvented via adding in
the file name after .. (ex: http://<Server>/<dir>/../<file>)


russ
==================================
Russell Handorf
oooo, shiney ::Wanders after it::

www.russells-world.com
www.inside-aol.com
www.terrorists.net
www.bad-mother-fucker.org
www.philly2600.net

"Computer games don't affect kids, I mean if Pacman affected us as kids,
we'd all be running around in darkened rooms, munching pills and listening
to repetitive music." ~unknown
==================================