More security problems in Apache on Mac OS X

From: Jacques Distler (distler@golem.ph.utexas.edu)
Date: 09/10/01


Date: Mon, 10 Sep 2001 09:02:07 -0500
From: Jacques Distler <distler@golem.ph.utexas.edu>
To: bugtraq@securityfocus.com
Subject: More security problems in Apache on Mac OS X
Message-ID: <20010910090207.A15706@golem.ph.utexas.edu>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Originally posted to <http://www.macintouch.com/mosxreaderreports46.html>]

We've already seen the security problems (or potential problems) in Apache
on MacOSX associated to the case-insensitivity of HFS+. By exploiting the
case-insensitivity of HFS+, an attacker can evade Apache's access controls.

Using mod_hfs (which takes care of case-insensitivity in directory names)
and using <FilesMatch> (with well-chosen regular expressions) instead of
<Files> directives (to take care of case-insensitivity in filenames), we can
"cure" the case-insensitivity problem and restore Apache's access controls.

But there's another gotcha lurking.

You typically don't want people to be able to obtain a list of files in your
web directory. To allow them to obtain such a list, you explicitly have to

1) NOT have an index.html file in the directory
2) include an Options Indexes directive among the access controls for that
directory

Or you could just run MacOSX.

The Finder creates an invisible file, ".DS_Store" in each directory which
contains (among other binary gobledygook) a list of files in the directory.

So, if you have EVER viewed a web directory in the Finder, an attacker can
just retrieve

  http://your.mac.com/some_directory/.dS_store

to learn what files are in that directory.

The solution is, again, to use a <FilesMatch> directive in httpd.conf to
forbid retrieval of this file:

# The Finder creates an invisible .DS_Store file in each directory.
# For 'no-index' access controls to be effective, we had better forbid
# retrieval of that file as well. Note that we have to protect
# against the same case-insensitivity bug as above.
#
<FilesMatch "^\.[Dd][Ss]_[Ss]">
Order allow,deny
Deny from all
</FilesMatch>

Note the regular expression to take care of case-insensitivity :-). And, of
course, you need to

sudo apachectl restart

when you're done.

Of course, the real question is: why was this file created world-readable
in the first place?

But then, Apple has taken a REALLY lax attitude about file permissions
throughout all of MacOSX.

More on the security implications of that some other time . . .

Jacques Distler

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (Darwin)
Comment: PGP Key - http://golem.ph.utexas.edu/~distler/distler.asc

iD8DBQE7nMfSnyqPIXpYcjcRAlOvAJ9AVuC9L3AAdUfokFBrSlN113JfbgCeKoep
uORBZBGqMIR6VW3PVFO39P4=
=IG6Q
-----END PGP SIGNATURE-----



Relevant Pages

  • Re: More security problems in Apache on Mac OS X
    ... More security problems in Apache on Mac OS X ... > case-insensitivity of HFS+, an attacker can evade Apache's access controls. ...
    (Bugtraq)
  • Re: More security problems in Apache on Mac OS X
    ... More security problems in Apache on Mac OS X ... > case-insensitivity of HFS+, an attacker can evade Apache's access controls. ...
    (Bugtraq)
  • Re: What are the dangers of having a Webserver?
    ... > I keep reading about various security problems being found with Apache ... > pretty good about that port) and 80 for HTTP. ... Apache is vastly better than IIS for obvious reasons, ... there are very occasionally bugs in the servers themselves such that ...
    (comp.os.linux.security)
  • Re: What are the dangers of having a Webserver?
    ... >> I keep reading about various security problems being found with Apache ... >> system through the webserver port, ... there are very occasionally bugs in the servers themselves such ...
    (comp.os.linux.security)
  • Re: Apache server and Norton Firewall
    ... > radus wrote: ... > Apache 2.0.45 is available and fixes several security problems. ... > there a specific reason for you using 2.0.42. ...
    (comp.security.firewalls)