Message-ID: <3E2EDF39.80405@algroup.co.uk>
From: ben at algroup.co.uk (Ben Laurie)
Subject: Path Parsing Errata in Apache HTTP Server

Gilles Cuesta wrote:
> On Wed, 22 Jan 2003 09:00:58 -0500
> "mattmurphy@...rr.com" <mattmurphy@...rr.com> wrote:
>
>
>>Issue 3 (VU#384033):
>>
>>Exploitation of this condition could lead to bypass of default script
>>mapping behavior. This flaw impacts Apache on all platforms. This
>>issue is best described with an example:
>>
>>http://localhost/folder.php/file
>>
>>Apache should parse 'file' as plain text -- that is, simply returning
>>it to the browser. However, an incorrect check in Apache's mapping
>>algorithms causes the 'php' extension to be associated with this
>>request. Rather than checking only the file's extension, Apache
>>checks for extensions in any path member, stopping at the first.
>>
>>This is more of a weakness than a vulnerability, as exploitation only
>>yields UID nobody if you allow uploading under the docroot *and*
>>filter by filename only, in which case you have far more serious
>>concerns than the exploitation of this issue.
>>
>>DETECTION
>>
>>These issues are believed to be specific to the 2.0 branch; Apache
>>1.3.27 (and all other 1.x versions) are believed immune from these
>>issues. Apache 2.0.43 and prior should be upgraded to the 2.0.44
>>release, which will be available from
>><http://httpd.apache.org/dist/httpd>.
>
>
> This issue doesn't run on a RH 8.0 httpd server:
>
> # cat /etc/issue
> Red Hat Linux release 8.0 (Psyche)
> Kernel \r on an \m
>
> # rpm -qa | grep httpd
> httpd-2.0.40-11

Redhat backport fixes, so there's no way to relate their version number
to an Apache advisory. I believe I've already sent my rant about this
particular kind of brain death, so I'll leave it as an exercise for the
reader.

The short version is: very interesting, but that adds no information to
the status of Apache 2.0.40.

Cheers,

Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
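
A simplified model of the mapping behaviour described under Issue 3 in the quoted advisory, added here as an example; it is not Apache's code and not from either poster. The handler table, function names and sample paths are constructed assumptions. `audit` lists the paths whose handler differs between the "any path member, stopping at the first" rule and the "final member only" rule, which is the check an administrator with upload directories under the docroot would want.

```python
from pathlib import PurePosixPath

# Assumed extension-to-handler table for this model (hypothetical values).
HANDLERS = {"php": "php-script", "cgi": "cgi-script"}
DEFAULT = "plain-file"


def _ext(segment):
    """Return the lower-cased extension of one path member, or None."""
    name, dot, ext = segment.rpartition(".")
    return ext.lower() if dot and name else None


def handler_described(url_path):
    """Rule the advisory describes: inspect every path member and stop
    at the first one that carries a mapped extension."""
    for segment in PurePosixPath(url_path).parts:
        ext = _ext(segment)
        if ext in HANDLERS:
            return HANDLERS[ext]
    return DEFAULT


def handler_expected(url_path):
    """Rule the advisory expects: only the final path member counts."""
    return HANDLERS.get(_ext(PurePosixPath(url_path).name), DEFAULT)


def audit(paths):
    """Return the paths that the two rules map to different handlers."""
    return [p for p in paths if handler_described(p) != handler_expected(p)]


# Constructed sample of docroot-relative paths.
SAMPLE = [
    "/folder.php/file",      # the advisory's example
    "/uploads/notes.txt",
    "/app/index.php",
    "/img.cgi/logo.png",
    "/a.b/readme",
]

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print(path, handler_described(path), "vs", handler_expected(path))
```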