lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1076086059.4023c52bcc6d7@webmail.tlarson.com>
Date: Fri,  6 Feb 2004 10:47:39 -0600
From: Tyler Larson <noreply@...rson.com>
To: Dan Yefimov <dan@...egrate.com.ru>
Cc: André Malo <nd@...lig.de>,
	bugtraq@...urityfocus.com, security@...pd.apache.org
Subject: Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)


I can see how this could *possibly* be an issue.

In theory, a user on a shared system could use an ErrorDocument directive to 
view file that the apache user/group had access to, but the user didn't (such 
as another user's .htaccess file. The directive would look something like this:

ErrorDocument 404 /~otheruser/.htaccess

However, in my version of apache (2.0.48) it doesn't work:

Given a the set of files below:

-- /www/foo/.htaccess --
[see below] (no other files in this directory)
-- EOF --

-- /www/foo/bar/.htaccess --
Order Deny, Allow
Deny from all
-- EOF --

-- /www/foo/bar/secret --
you saw my secret!
-- EOF --

And I tried the following values in in /www/foo/.htaccess

----
ErrorDocument 404 /foo/bar/secret
----
ErrorDocument 404 /foo/.htaccess
----
#I knew this one had no chance
ErrorDocument 404 /etc/passwd
----

For the first two .htaccess files, I got this response:
-----------
Not Found
The requested URL /foo/baz was not found on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an 
ErrorDocument to handle the request.
Apache/2.0.48 (Fedora) Server at localhost Port 80
-----------

For the last .htaccess file, I got this response:
-----------
Not Found
The requested URL /foo/baz was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an 
ErrorDocument to handle the request.
Apache/2.0.48 (Fedora) Server at localhost Port 80
-----------

The reason why the last one didn't work was because ErrorDocument files are 
relative to the server's DocumentRoot, not the filesystem root.

The first request didn't work because of my "Deny From All" in 
foo/bar/.htacess, while the second request failed because of the restrictions 
placed by default on files starting with ".ht".


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ