Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)

From: Vietnamese Security Group (security_at_security.com.vn)
Date: 02/03/04

    Date: 3 Feb 2004 13:48:53 -0000
    To: bugtraq@securityfocus.com
    
    
    In-Reply-To: <20040131211851.30391.qmail@www.securityfocus.com>

    Note: of course it also affects the current version 2.0.48 (tested).

    Vietnamese Security Group
    www.security.com.vn

    >Date: 31 Jan 2004 21:18:51 -0000
    >From: Vietnamese Security Group <security@security.com.vn>
    >To: bugtraq@securityfocus.com
    >Subject: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
    >
    >
    >
    >APACHE HTTPD SERVER (current version 2.0.47):
    >##########################################################
    >How to return files from an Apache Deny All directory.
    >The Directives controlling host access may be bypassed even
    >if they do not have permission to be overridden.
    >
    >11 Jan 2004
    >
    >
    >DESCRIPTION
    >
    >Apache Web Server allows configuration to be managed via the main
    >httpd.conf file, and via other configuration files placed
    >inside the child web trees, which may be owned by user accounts,
    >named .htaccess by default. The server administrator further
    >controls what Directives may be placed in .htaccess files by
    >configuring the AllowOverride Directive in the main httpd.conf
    >file.
    >
    >If the server admin sets the Deny Directive to All (for example),
    >and does not allow the user accounts to modify this Directive in
    >their .htaccess file, by setting the AllowOverride values without
    >the Limit type, his/her users are still able to bypass the Deny
    >option by using the ErrorDocument Directive.
    >
    >Tested in Apache 2.0.47/RH-Linux/WinXP.
    >
    >
    >EXAMPLE
    >
    >##########################################################
    ># In the main httpd.conf file:
    >#
    ><Directory />
    > AllowOverride FileInfo
    > Deny From All
    ></Directory>
    >##########################################################
    >
    >##########################################################
    ># In the user's .htaccess file placed in a child directory:
    >
    >ErrorDocument 403 /child/dir/fetch.php
    >
    >##########################################################
    >
    >/********************************************************/
    ><?php
    >// In the fetch.php placed in the same directory:
    >
    >$url = parse_url( $_SERVER['REQUEST_URI'] );
    >@include basename( $url['path'] );
    >
    >?>
    >/********************************************************/
    >
    >
    >In this example, it is assumed that the web server can execute PHP
    >scripts or some other scripts/server-side includes. By modifying the
    >code you can return other MIME file types such as image/gif etc.
    >
    >Even if the server does not allow any file to be parsed (Deny From All),
    >the script file fetch.php will still be executed, and it in turn
    >includes and parses any other file in the same directory, as
    >indicated by the query variables, and returns it to the web client.
    >
    >Looking in the source code, I think the missing auth check is in
    >the function ap_process_request_internal() in the file request.c.
    >One of the major changes in Apache 2.0 is to the internal redirect
    >mechanism. To prevent the code from falling out of sync again in the
    >current directory, the comparison between two directory configs
    >may bypass the authentication check again. That
    >explains why this vulnerability (if any?) can only be done if the
    >redirect ErrorDocument file is placed in the same directory as the request.
    >
    >
    >
    >FIX
    >
    >Do not skip auth checker even if the per_dir_config member value
    >doesn't change in the ap_process_request_internal() function.
    >
    >
    >NOTE
    >
    >I post this issue in the public mailing list, because I think this
    >vuln is not exploitable by a remote attacker. If something were
    >wrong, drop a line to me.
    >
    >
    >Vietnamese Security Group
    >Trung - caothuvolam - trungonly@yahoo.com
    >http://www.security.com.vn
    >
    >31 Nui Truc St., Ba Dinh Dist., Ha Noi, Vietnam
    >Phone : 84.4.8465701 / Fax: 84.4.8465701
    >
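As an added example (not part of the thread, and not Apache's own code), a small audit script that flags the configuration pattern the post describes: a <Directory> block that denies all access while AllowOverride still grants FileInfo (or All), the override class that lets a .htaccess set ErrorDocument, plus any .htaccess ErrorDocument that points at a script. The httpd.conf and .htaccess content below is constructed and the paths are hypothetical.

```python
import re

# Constructed sample httpd.conf fragment: the weak block from the post (FileInfo still
# overridable while access is denied) beside a hardened block (AllowOverride None).
HTTPD_CONF = """
<Directory /var/www/private>
    AllowOverride FileInfo
    Deny from all
</Directory>
<Directory /var/www/locked>
    AllowOverride None
    Deny from all
</Directory>
"""

# Constructed .htaccess as a user might drop into a child directory of the denied tree.
HTACCESS = "ErrorDocument 403 /private/child/fetch.php\n"

DIR_BLOCK = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)

def parse_directory_blocks(conf):
    """Return {path: {"override": set(...), "deny_all": bool}} for each <Directory> block."""
    blocks = {}
    for path, body in DIR_BLOCK.findall(conf):
        override, deny_all = set(), False
        for line in body.splitlines():
            words = line.strip().split()
            if not words:
                continue
            if words[0].lower() == "allowoverride":
                override = {w.lower() for w in words[1:]}
            elif words[0].lower() == "deny" and [w.lower() for w in words[1:]] == ["from", "all"]:
                deny_all = True
        blocks[path.strip().strip('"')] = {"override": override, "deny_all": deny_all}
    return blocks

def errordocument_targets(htaccess):
    """Local ErrorDocument targets (second argument starting with '/') in a .htaccess."""
    return [w[2] for w in (l.split() for l in htaccess.splitlines())
            if len(w) >= 3 and w[0].lower() == "errordocument" and w[2].startswith("/")]

def audit(conf, htaccess=""):
    """List findings: denied directories whose override class still permits ErrorDocument,
    and .htaccess ErrorDocument targets with an executable extension."""
    findings = []
    for path, info in parse_directory_blocks(conf).items():
        if info["deny_all"] and info["override"] & {"fileinfo", "all"}:
            findings.append(f"{path}: Deny from all, but AllowOverride grants FileInfo, so a "
                            f".htaccess ErrorDocument can run a script inside the denied tree")
    for target in errordocument_targets(htaccess):
        if target.rsplit(".", 1)[-1].lower() in ("php", "cgi", "pl", "shtml"):
            findings.append(f".htaccess: ErrorDocument points at executable {target}")
    return findings
```

Run against the constructed input, audit() reports the /var/www/private block and the fetch.php target, and nothing for the block that uses AllowOverride None.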

