[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040203134853.24661.qmail@www.securityfocus.com>
Date: 3 Feb 2004 13:48:53 -0000
From: Vietnamese Security Group <security@...urity.com.vn>
To: bugtraq@...urityfocus.com
Subject: Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
In-Reply-To: <20040131211851.30391.qmail@....securityfocus.com>
Note : of course it affected also in the current version 2.0.48 ( tested)
Vietnamese Security Group
www.security.com.vn
>Received: (qmail 2149 invoked from network); 3 Feb 2004 02:12:35 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
> by mail.securityfocus.com with SMTP; 3 Feb 2004 02:12:35 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> by outgoing3.securityfocus.com (Postfix) with QMQP
> id 9667FA3153; Mon, 2 Feb 2004 18:23:17 -0700 (MST)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 31275 invoked from network); 31 Jan 2004 21:08:29 -0000
>Date: 31 Jan 2004 21:18:51 -0000
>Message-ID: <20040131211851.30391.qmail@....securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: Vietnamese Security Group <security@...urity.com.vn>
>To: bugtraq@...urityfocus.com
>Subject: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
>
>
>
>APACHE HTTPD SERVER (current version 2.0.47):
>##########################################################
>How to return files in a Apache Deny All directory.
>The Directives controlling host access may be bypassed even
>if they have not permission to be override.
>
>11 Jan 2004
>
>
>DESCRIPTION
>
>Apache Web Server allows manage configurations via the main
>httpd.conf file, and via the other configuration files placed
>inside the children web trees, may owned by the user accounts,
>named .htaccess by default. The server administrator further
>controls what Directives may be placed in .htaccess files by
>configuring the AllowOverride Directive in the main httpd.conf
>files.
>
>If the server admin sets the Deny Directive to All (for example),
>and does not allow the user accounts to modify this Directive in
>their .htaccess file by setting the AllowOverride values without
>the Limit type, his/her users are still able to bypass the Deny
>option by using the ErrorDocument Directive.
>
>Tested in Apache 2.0.47/RH-Linux/WinXP.
>
>
>EXAMPLE
>
>##########################################################
># In the main httpd.conf file:
>#
><Directory />
> AllowOverride FileInfo
> Deny From All
></Directory>
>##########################################################
>
>##########################################################
># In the user's .htaccess file placed in a child directory:
>
>ErrorDocument 403 /child/dir/fetch.php
>
>##########################################################
>
>/********************************************************/
><?php
>// In the fetch.php placed in the same directory:
>
>$url = parse_url( $_SERVER['REQUEST_URI'] );
>@include basename( $url['path'] );
>
>?>
>/********************************************************/
>
>
>In this example, assuming the web server can execute PHP script
>or some scripts/server-includes. By modifying some codes you can
>return other mime file types such as image/gif etc.
>
>Event if the server does not allow any file parsed (Deny From All),
>the script file fetch.php will still be executed, and it includes
>again and parses any other files in a same directory, which
>indecated by the query variables, to the web client.
>
>Looking in the source code, I think the missing auth checking is in
>the function ap_process_request_internal() in the file request.c.
>One of the major changes in Apache 2.0 is to the internal redirect
>mechanism. To prevent the code from falling out of sync again in the
>current directory, the configuration comparing between two config
>directories may bypass the authentication checking again. That
>explains why this vulnerability (if any?) can only done if the
>redirect ErrorDocument file is placed in the same request directory.
>
>
>
>FIX
>
>Do not skip auth checker even if the per_dir_config member value
>doesn't change in the ap_process_request_internal() function.
>
>
>NOTE
>
>I post this issue in the public mailing list, because I think this
>vuln is not exploitable by a remote attacker. If something were
>wrong, drop a line to me.
>
>
>Vietnamese Security Group
>Trung - caothuvolam - trungonly@...oo.com
>http://www.security.com.vn
>
>31 Nui Truc st. Ba Dinh dist. Ha Noi . Vietnamese
>Phone : 84.4.8465701 / Fax: 84.4.8465701
>
Powered by blists - more mailing lists