Message-ID: <030c01c386a9$fc99aab0$050010ac@rootserver>
Date: Mon, 29 Sep 2003 18:51:47 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <novappc@...appc.com>
To: "Bugtraq" <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.netsys.com>
Subject: Possible Apache directory rules bypass / override
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I'm testing some things in Apache about the URL parsing of the server.
I don't know if the Apache server completely parses provided URLs when
those URLs are in this format:
[PROTOCOL HTTP / HTTPS ][SITE]/[DIR TO OVERRIDE RULES]/../[DIR TO
OVERRIDE RULES]/../[DIR TO OVERRIDE RULES]/../[DIR TO OVERRIDE
RULES]/../[DIR TO OVERRIDE RULES]/../../[DIR TO OVERRIDE
RULES]/../../../[DIR WITH NO RULES OR ACCESS CONTROL]/../[THE SAME NO
CONTROLLED DIR OR OTHER NOT CONTROLLED]/../../../../[DIR WITH NO
CONTROL RULES]/../
If this is possible, it can't affect IP-based access controls,
but other controls can be affected, or not?
This is not a vulnerability because I can't confirm it, but I want to
check the source code; I'm open to suggestions.
I'm posting this because I'm a little confused. Another possibility:
what if the URL is encoded? Does Apache check this correctly when it
is encoded?
One thing is sure: this cannot affect IP-based rules such as deny
or allow.
PS: can this be related to the mod_write vulnerabilities?
Regards,
- ------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
- --- Security Consultant ---
- ------------------NSRGroup-------------------
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://security.novappc.com
______________________
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBP3hU8PKXc1fYDvGLEQLw/ACfUvIWyT86kiKZyctrzCwRiuuZTU0AoOyG
KWV9sdRESwgz1pQbenNAoDhb
=NjBX
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
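
The question in the message above comes down to whether per-directory rules are matched before or after `..` segments and percent-encoding are resolved. The following is an added example, not part of the original post and not Apache's code: a minimal canonicalize-then-authorize check, where the `RULES` table, the function names and the sample paths are all constructed for illustration.

```python
from urllib.parse import unquote

# Constructed rule table for this example: path prefix -> policy.
RULES = {"/private": "deny", "/admin": "auth-required"}


def canonicalize(raw_path):
    """Percent-decode once, then resolve '.' and '..' segments.

    Returns None for paths that are malformed or climb above the root.
    """
    path = unquote(raw_path)
    if not path.startswith("/") or "\x00" in path:
        return None
    resolved = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue  # empty ('//') and current-directory segments add nothing
        if segment == "..":
            if not resolved:
                return None  # would escape the document root
            resolved.pop()
        else:
            resolved.append(segment)
    return "/" + "/".join(resolved)


def policy_for(raw_path):
    """Return (canonical_path, policy), matching rules on the canonical path only."""
    canonical = canonicalize(raw_path)
    if canonical is None:
        return None, "reject"
    # Longest prefix first so a more specific rule wins.
    for prefix in sorted(RULES, key=len, reverse=True):
        if canonical == prefix or canonical.startswith(prefix + "/"):
            return canonical, RULES[prefix]
    return canonical, "allow"


if __name__ == "__main__":
    # Constructed sample requests in the shape the post describes.
    for raw in (
        "/private/../public/../private/report.txt",
        "/public/%2e%2e/private/report.txt",
        "/private/../public/index.html",
        "/public/../../outside",
    ):
        print(raw, "->", policy_for(raw))
```

Because the rule lookup only ever sees the resolved path, a request is judged by the directory it actually lands in, however many `dir/../` pairs or encoded dots precede it.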