BugTraq
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Feb 03 2004 01:48PM
Vietnamese Security Group (security security com vn)
In-Reply-To: <20040131211851.30391.qmail (at) www.securityfocus (dot) com [email concealed]>

Note: of course it also affects the current version 2.0.48 (tested).

Vietnamese Security Group

www.security.com.vn

>Received: (qmail 2149 invoked from network); 3 Feb 2004 02:12:35 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
> by mail.securityfocus.com with SMTP; 3 Feb 2004 02:12:35 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 9667FA3153; Mon, 2 Feb 2004 18:23:17 -0700 (MST)
>Mailing-List: contact bugtraq-help (at) securityfocus (dot) com [email concealed]; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq (at) securityfocus (dot) com [email concealed]>
>List-Help: <mailto:bugtraq-help (at) securityfocus (dot) com [email concealed]>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe (at) securityfocus (dot) com [email concealed]>
>List-Subscribe: <mailto:bugtraq-subscribe (at) securityfocus (dot) com [email concealed]>
>Delivered-To: mailing list bugtraq (at) securityfocus (dot) com [email concealed]
>Delivered-To: moderator for bugtraq (at) securityfocus (dot) com [email concealed]
>Received: (qmail 31275 invoked from network); 31 Jan 2004 21:08:29 -0000
>Date: 31 Jan 2004 21:18:51 -0000
>Message-ID: <20040131211851.30391.qmail (at) www.securityfocus (dot) com [email concealed]>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: Vietnamese Security Group <security (at) security.com (dot) vn [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
>
>
>

>APACHE HTTPD SERVER (current version 2.0.47):
>##########################################################
>How to return files in an Apache Deny All directory.
>The Directives controlling host access may be bypassed even
>if they do not have permission to be overridden.
>
>11 Jan 2004
>
>
>DESCRIPTION
>
>Apache Web Server allows managing configurations via the main
>httpd.conf file, and via the other configuration files placed
>inside the children web trees, which may be owned by the user accounts,
>named .htaccess by default. The server administrator further
>controls what Directives may be placed in .htaccess files by
>configuring the AllowOverride Directive in the main httpd.conf
>files.
>
>If the server admin sets the Deny Directive to All (for example),
>and does not allow the user accounts to modify this Directive in
>their .htaccess file by setting the AllowOverride values without
>the Limit type, his/her users are still able to bypass the Deny
>option by using the ErrorDocument Directive.
>
>Tested in Apache 2.0.47/RH-Linux/WinXP.
>
>
>EXAMPLE
>
>##########################################################
># In the main httpd.conf file:
>#
><Directory />
> AllowOverride FileInfo
> Deny From All
></Directory>
>##########################################################
>
>##########################################################
># In the user's .htaccess file placed in a child directory:
>
>ErrorDocument 403 /child/dir/fetch.php
>
>##########################################################
>
>/********************************************************/
><?php
>// In the fetch.php placed in the same directory:
>
>$url = parse_url( $_SERVER['REQUEST_URI'] );
>@include basename( $url['path'] );
>
>?>
>/********************************************************/
>
>
>This example assumes the web server can execute PHP scripts
>or some other scripts/server-includes. By modifying the code you can
>return other MIME file types such as image/gif etc.
>
>Even if the server does not allow any file to be parsed (Deny From All),
>the script file fetch.php will still be executed, and it includes
>again and parses any other files in the same directory, which are
>indicated by the query variables, to the web client.
>
>Looking in the source code, I think the missing auth checking is in
>the function ap_process_request_internal() in the file request.c.
>One of the major changes in Apache 2.0 is to the internal redirect
>mechanism. To prevent the code from falling out of sync again in the
>current directory, the configuration comparing between two config
>directories may bypass the authentication checking again. That
>explains why this vulnerability (if any?) can only be done if the
>redirect ErrorDocument file is placed in the same request directory.
>
>
>
>FIX
>
>Do not skip the auth checker even if the per_dir_config member value
>doesn't change in the ap_process_request_internal() function.
>
>
>NOTE
>
>I post this issue in the public mailing list, because I think this
>vuln is not exploitable by a remote attacker. If something were
>wrong, drop a line to me.
>
>
>Vietnamese Security Group
>Trung - caothuvolam - trungonly (at) yahoo (dot) com [email concealed]
>http://www.security.com.vn
>
>31 Nui Truc st. Ba Dinh dist. Ha Noi, Vietnam
>Phone : 84.4.8465701 / Fax: 84.4.8465701
>
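As an added example, not code from the advisory above or from the Apache project, the following Python script audits a main httpd.conf together with a set of .htaccess files for the combination the post describes: a directory tree under Deny From All whose AllowOverride still admits the FileInfo class (the class that contains ErrorDocument), combined with a user's ErrorDocument that points at a local path and therefore triggers an internal redirect. The httpd.conf text, the .htaccess contents and the directory paths are constructed for the example, and the way <Directory> sections are merged is a simplified model of Apache's behaviour, marked as an assumption in the code. The second configuration shows the administrative mitigation: withhold FileInfo (here AllowOverride None) under denied trees.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the advisory's example: root tree denied,
# but .htaccess files may still carry FileInfo-class directives.
WEAK_HTTPD_CONF = """
<Directory />
    AllowOverride FileInfo
    Deny From All
</Directory>
<Directory /var/www/public>
    Order allow,deny
    Allow from all
</Directory>
"""

# Constructed hardened variant: denied tree, no override classes granted.
HARDENED_HTTPD_CONF = """
<Directory />
    AllowOverride None
    Deny From All
</Directory>
"""

# Constructed .htaccess contents, keyed by the directory each file lives in.
HTACCESS_FILES = {
    "/var/www/private/child/dir": "ErrorDocument 403 /child/dir/fetch.php\n",
    "/var/www/public": "ErrorDocument 404 /missing.html\n",
    "/var/www/private/other": 'ErrorDocument 403 "Forbidden"\n',
}

# AllowOverride classes under which .htaccess may use ErrorDocument
# (ErrorDocument belongs to the FileInfo class; All includes it).
ERRORDOCUMENT_OVERRIDES = {"all", "fileinfo"}


@dataclass
class DirectoryBlock:
    path: str
    access: Optional[bool] = None          # True = Deny from all, False = Allow from all
    overrides: Optional[frozenset] = None  # None = AllowOverride not set in this block


_DIR_RE = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>', re.S | re.I)


def parse_directory_blocks(conf: str) -> list:
    """Extract each <Directory> block with the two settings the bypass depends on."""
    blocks = []
    for m in _DIR_RE.finditer(conf):
        block = DirectoryBlock(m.group(1).rstrip("/") or "/")
        for raw in m.group(2).splitlines():
            parts = raw.strip().split()
            if not parts or parts[0].startswith("#"):
                continue
            name, args = parts[0].lower(), [p.lower() for p in parts[1:]]
            if name in ("deny", "allow") and args[:2] == ["from", "all"]:
                block.access = (name == "deny")
            elif name == "allowoverride":
                block.overrides = frozenset(args)
        blocks.append(block)
    return blocks


def _covers(block_path: str, directory: str) -> bool:
    return block_path == "/" or directory == block_path or directory.startswith(block_path + "/")


def effective_settings(blocks: list, directory: str):
    """Assumption: a simplified model of Apache's per-directory merge. Matching
    sections are applied from least to most specific, and each access or
    AllowOverride setting a section defines replaces the inherited one."""
    deny_all, overrides = False, frozenset()
    for b in sorted((b for b in blocks if _covers(b.path, directory)), key=lambda b: len(b.path)):
        if b.access is not None:
            deny_all = b.access
        if b.overrides is not None:
            overrides = b.overrides
    return deny_all, overrides


def local_error_documents(htaccess_text: str) -> list:
    """Return (status, path) for ErrorDocument targets that are local URL paths;
    quoted messages and external URLs do not cause an internal redirect."""
    found = []
    for raw in htaccess_text.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) == 3 and parts[0].lower() == "errordocument" and parts[2].startswith("/"):
            found.append((parts[1], parts[2]))
    return found


def audit(conf: str, htaccess_files: dict) -> list:
    """List (directory, status, target) for every local ErrorDocument in a
    denied tree that still grants the FileInfo override class."""
    blocks = parse_directory_blocks(conf)
    findings = []
    for directory, text in htaccess_files.items():
        deny_all, overrides = effective_settings(blocks, directory)
        if deny_all and overrides & ERRORDOCUMENT_OVERRIDES:
            for status, target in local_error_documents(text):
                findings.append((directory, status, target))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_HTTPD_CONF), ("hardened", HARDENED_HTTPD_CONF)):
        print(label, audit(conf, HTACCESS_FILES))
```

Run as a script, it reports one finding for the weak configuration (the .htaccess under /var/www/private/child/dir, matching the advisory's example) and none for the hardened one; the public directory is skipped because its own section allows access, and the quoted-message ErrorDocument is skipped because it does not redirect. The .htaccess contents are passed in as strings here so the example runs offline; on a real host they would be read from the document tree.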

Copyright 2010, SecurityFocus