lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: ben at algroup.co.uk (Ben Laurie)
Subject: Path Parsing Errata in Apache HTTP Server

Gilles Cuesta wrote:
> On Wed, 22 Jan 2003 09:00:58 -0500
> "mattmurphy@...rr.com" <mattmurphy@...rr.com> wrote:
> 
> 
>>Issue 3 (VU#384033):
>>
>>Exploitation of this condition could lead to bypass of default script 
>>mapping behavior.  This flaw impacts Apache on all platforms.  This 
>>issue is best described with an example:
>>
>>http://localhost/folder.php/file
>>
>>Apache should parse 'file' as plain text -- that is, simply returning
>>it to the browser.  However, an incorrect check in Apache's mapping 
>>algorithms, causes the 'php' extension to be associated with this 
>>request.  Rather than checking only the file's extension, Apache
>>checks for extensions in any path member, stopping at the first.
>>
>>This is more of a weakness than a vulnerability, as exploitation only 
>>yields UID nobody if you allow uploading under the docroot *and*
>>filter by filename only, in which case you have far more serious
>>concerns than the exploitation of this issue.
>>
>>DETECTION
>>
>>These issues are believed to be specific to the 2.0 branch; Apache 
>>1.3.27 (and all other 1.x versions) are believed immune from these 
>>issues.  Apache 2.0.43 and prior should be upgraded to the 2.0.44 
>>release, which will be available from 
>><http://httpd.apache.org/dist/httpd>.
> 
> 
> This issue doesn't run on a RH 8.O httpd server:
> 
> # cat /etc/issue
> Red Hat Linux release 8.0 (Psyche)
> Kernel \r on an \m
> 
> # rpm -qa | grep httpd
> httpd-2.0.40-11

Redhat backport fixes, so there's no way to relate their version number 
to an Apache advisory. I believe I've already sent my rant about this 
particular kind of brain death, so I'll leave it as an exercise for the 
reader.

The short version is: very interesting, but that adds no information to 
the status of Apache 2.0.40.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ