lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro) Subject: Possible Apache directory rules bypass / override -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi , I'm testing somethings in Apache about the url parsing of the server , i don't now if the Apache server parse completely provided urls when those urls are in this format: [PROTOCOL HTTP / HTTPS ][SITE]/[DIR TO OVERRIDE RULES]/../[DIR TO OVERRIDE RULES]/../[DIR TO OVERRIDE RULES]/../[DIR TO OVERRIDE RULES]/../[DIR TO OVERRIDE RULES]/../../[DIR TO OVERRIDE RULES]/../../../[DIR WITH NO RULES OR ACCESS CONTROL]/../[THE SAME NO CONTROLLED DIR OR OTHER NOT CONTROLLED]/../../../../[DIR WITH NO CONTROL RULES]/../ If this can be possible , it can't affect ip based access controls but other controls can be affected , or not ? This is not a vulnerability because i can't confirm it but i want to check the source code , i'm open for suggestions . i'm posting this because i'm a little confused , and other possibilities , if the url is encoded ? does Apache check correctly this when it is encoded ? One thing is sure: this can not affect ip based rules such as deny or allow PS: can be this related with the mod_write vulnerabilities ? Regards, - ------------------------------------------------------ Lorenzo Hernandez Garcia-Hierro - --- Security Consultant --- - ------------------NSRGroup------------------- PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2 ID: 0x9C38E1D7 ********************************** NSRGroup ( No Secure Root Group Security Research Team ) / ( NovaPPC Security Research Group ) http://security.novappc.com ______________________ -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBP3hU8PKXc1fYDvGLEQLw/ACfUvIWyT86kiKZyctrzCwRiuuZTU0AoOyG KWV9sdRESwgz1pQbenNAoDhb =NjBX -----END PGP SIGNATURE-----
Powered by blists - more mailing lists