BUG IN APACHE HTTPD SERVER (current version 2.0.47)

From: Vietnamese Security Group (security_at_security.com.vn)
Date: 01/31/04

    Date: 31 Jan 2004 21:18:51 -0000
    To: bugtraq@securityfocus.com

    APACHE HTTPD SERVER (current version 2.0.47):
    ##########################################################
    How to return files from an Apache Deny All directory.
    The Directives controlling host access may be bypassed even
    if they do not have permission to be overridden.

    11 Jan 2004

    DESCRIPTION

    Apache Web Server allows managing configuration via the main
    httpd.conf file, and via other configuration files placed
    inside the child web trees, which may be owned by the user accounts,
    named .htaccess by default. The server administrator further
    controls what Directives may be placed in .htaccess files by
    configuring the AllowOverride Directive in the main httpd.conf
    file.

    If the server admin sets the Deny Directive to All (for example),
    and does not allow the user accounts to modify this Directive in
    their .htaccess file by setting the AllowOverride values without
    the Limit type, his/her users are still able to bypass the Deny
    option by using the ErrorDocument Directive.

    Tested in Apache 2.0.47/RH-Linux/WinXP.

    EXAMPLE

    ##########################################################
    # In the main httpd.conf file:
    #
    <Directory />
        AllowOverride FileInfo
        Deny From All
    </Directory>
    ##########################################################

    ##########################################################
    # In the user's .htaccess file placed in a child directory:
     
    ErrorDocument 403 /child/dir/fetch.php

    ##########################################################

    /********************************************************/
    <?php
    // In the fetch.php placed in the same directory:
    //
    // On an ErrorDocument internal redirect Apache keeps REQUEST_URI
    // set to the URI the client originally asked for, so the basename
    // of that path is the file the 403 was issued for. include() then
    // reads it from fetch.php's own directory; the @ hides any error.

    $url = parse_url( $_SERVER['REQUEST_URI'] );
    @include basename( $url['path'] );

    ?>
    /********************************************************/

    In this example, it is assumed that the web server can execute PHP
    scripts or some other scripts/server-side includes. By modifying some
    code you can return other MIME file types such as image/gif etc.

    Even if the server does not allow any file to be parsed (Deny From All),
    the script file fetch.php will still be executed, and it includes
    again and parses any other file in the same directory, as
    indicated by the query variables, to the web client.

    Looking in the source code, I think the missing auth check is in
    the function ap_process_request_internal() in the file request.c.
    One of the major changes in Apache 2.0 is to the internal redirect
    mechanism. To prevent the code from falling out of sync again in the
    current directory, the configuration comparison between two config
    directories may bypass the authentication check again. That
    explains why this vulnerability (if any?) can only be done if the
    redirect ErrorDocument file is placed in the same request directory.

    FIX

    Do not skip auth checker even if the per_dir_config member value
    doesn't change in the ap_process_request_internal() function.

    NOTE

    I am posting this issue to the public mailing list, because I think this
    vuln is not exploitable by a remote attacker. If something were
    wrong, drop a line to me.

    Vietnamese Security Group
    Trung - caothuvolam - trungonly@yahoo.com
    http://www.security.com.vn

    31 Nui Truc st. Ba Dinh dist. Ha Noi, Vietnam
    Phone : 84.4.8465701 / Fax: 84.4.8465701
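As an added, defender-side example (not part of the advisory or of Apache): a small Python audit that flags the configuration pattern described above, a <Directory> block that is Deny From All yet still grants AllowOverride FileInfo or All, and lists the .htaccess files beneath a document root whose ErrorDocument points at a local path (an internal redirect) rather than an external URL. The WEAK_CONF and HARDENED_CONF strings and the temporary directory tree are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Added audit (not the advisory's code): flags a <Directory> that is Deny From
# All yet lets .htaccess override FileInfo, the class ErrorDocument belongs to.
DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)

def exposed_directories(httpd_conf: str) -> list:
    """Paths of Deny-From-All blocks that still allow FileInfo/All overrides."""
    exposed = []
    for m in DIR_BLOCK.finditer(httpd_conf):
        path, body = m.group(1), m.group(2)
        deny_all = re.search(r'^\s*Deny\s+from\s+all\b', body, re.M | re.I)
        overrides = set()
        for args in re.findall(r'^\s*AllowOverride\s+(.+?)\s*$', body, re.M | re.I):
            overrides.update(word.lower() for word in args.split())
        if deny_all and overrides & {"all", "fileinfo"}:
            exposed.append(path)
    return exposed

def local_error_documents(root: Path) -> list:
    """(htaccess, status, target) for every ErrorDocument whose target is a
    local URL path; external URLs and quoted messages are not internal redirects."""
    found = []
    for ht in Path(root).rglob(".htaccess"):
        for status, target in re.findall(
                r'^\s*ErrorDocument\s+(\d{3})\s+(\S+)', ht.read_text(), re.M | re.I):
            if target.startswith("/"):
                found.append((str(ht), int(status), target))
    return found

# Constructed configs: the advisory's weak block and a hardened counterpart
# in which .htaccess cannot introduce ErrorDocument at all.
WEAK_CONF = """<Directory />
    AllowOverride FileInfo
    Deny From All
</Directory>
"""
HARDENED_CONF = WEAK_CONF.replace("AllowOverride FileInfo", "AllowOverride None")

def demo() -> tuple:
    """Run both checks against the constructed configs and a constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        child = Path(tmp, "child", "dir")
        child.mkdir(parents=True)
        (child / ".htaccess").write_text("ErrorDocument 404 http://example.com/missing.html\n"
                                         "ErrorDocument 403 /child/dir/fetch.php\n")
        docs = local_error_documents(Path(tmp))
    return exposed_directories(WEAK_CONF), exposed_directories(HARDENED_CONF), docs
```

Calling demo() returns the weak block's path ['/'], an empty list for the hardened block, and a single (htaccess, 403, '/child/dir/fetch.php') entry; the external 404 target is correctly ignored.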

