lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Feb 2004 19:40:57 +0100
From: Axel Beckert - ecos gmbh <>
Subject: Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")


Am Wed, Feb 11, 2004 at 01:49:30PM +0100, Peter J. Holzer wrote:
> Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal file
> names. On Windows, trailing dots seem to be ignored, so "WEB-INF" and
> "WEB-INF.." are just two names for the same file. This also works if the
> filename already has an extension, so for example "foo.html" and
> "foo.html....." are the same file, too.

Yes and no. At least on my W2K box here it seems to work only for one
and two additional dots on the cmd commandline, but not three. (Just
to be picky. :-)

Another (some kind of obvious) way to exploit the two-dot directory
"feature" of Windows under Apache is to bypass <Location ...> based
restrictions on directories.

e.g. if you have a directory foo in your DocumentRoot and restrict
access by

<Location "/foo/">
  Order deny,allow
  Deny from all

you can easily access it by requesting http://host/foo../ instead of
http://host/foo/, which results in a 403 Forbidden. (It must be a real
directory to work, aliasses won't do the trick.)

Of course you usually won't lock up directories with <Location ...>,
but a there other cases, where you would use <Location ...> in favor
of <Directory ...> or <Files ...>.

            Kind regards, Axel Beckert
Axel Beckert      ecos electronic communication services gmbh
it security solutions * web applications with apache and perl

Mail:       Tulpenstrasse 5       D-55276 Dienheim near Mainz
E-Mail:       Voice:     +49 6133 939-220
WWW:   Fax:       +49 6133 939-333

          Visit us at CeBIT (18. - 24. March 2004)
                    Halle 6 Stand B38-452


Powered by blists - more mailing lists