Possible Apache directory rules bypass / override

From: Lorenzo Hernandez Garcia-Hierro (novappc_at_novappc.com)
Date: 09/29/03

  • Next message: Peter Geissler: "MPlayer buffer overflow"
    To: <vuln-dev@securityfocus.com>
    Date: Mon, 29 Sep 2003 21:01:42 +0200
    
    

    Forwarded from Bugtraq:
    > > Hi,
    > > I'm testing some things in Apache about the URL parsing of the
    > > server.
    > > I don't know if the Apache server completely parses provided URLs
    > > when those URLs are in this format:
    > >
    > > [PROTOCOL HTTP / HTTPS ][SITE]/[DIR TO OVERRIDE RULES]/../[DIR TO
    > > OVERRIDE RULES]/../[DIR TO OVERRIDE RULES]/../[DIR TO OVERRIDE
    > > RULES]/../[DIR TO OVERRIDE RULES]/../../[DIR TO OVERRIDE
    > > RULES]/../../../[DIR WITH NO RULES OR ACCESS CONTROL]/../[THE SAME NO
    > > CONTROLLED DIR OR OTHER NOT CONTROLLED]/../../../../[DIR WITH NO
    > > CONTROL RULES]/../
    > >
    > > If this is possible, it can't affect IP-based access controls,
    > > but other controls can be affected, or not?
    > >
    > > This is not a vulnerability because I can't confirm it, but I want to
    > > check the source code. I'm open to
    > > suggestions.
    > >
    > > I'm posting this because I'm a little confused. And other
    > > possibilities: if the URL is encoded, does Apache check
    > > this correctly when it is encoded?
    > >
    > > One thing is sure: this cannot affect IP-based rules such as deny
    > > or allow.
    > >
    > > PS: can this be related to the mod_write vulnerabilities?
    > >
    > > Regards,
    > >
    > > - ------------------------------------------------------
    > > Lorenzo Hernandez Garcia-Hierro
    > > - --- Security Consultant ---
    > > - ------------------NSRGroup-------------------
    > > PGP: Keyfingerprint
    > > B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
    > > ID: 0x9C38E1D7
    > > **********************************
    > > NSRGroup
    > > ( No Secure Root Group Security Research Team ) /
    > > ( NovaPPC Security Research Group )
    > > http://security.novappc.com
    > > ______________________
    > >

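The question in the forwarded post is whether per-directory rules are matched against the URL as sent or against its resolved form. The following is an added example, not part of the original post and not Apache's code: it decodes percent-escapes exactly once, collapses the `.` and `..` segments, and only then compares the resulting path with a rule. The function names and the `/private` rule are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX once, in place; -1 on a malformed escape or an encoded NUL. */
static int percent_decode(char *s) {
    char *w = s;
    for (; *s; s++) {
        if (*s != '%') { *w++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2])) return -1;
        char hex[3] = { s[1], s[2], '\0' };
        if ((*w++ = (char)strtol(hex, NULL, 16)) == '\0') return -1;
        s += 2;
    }
    *w = '\0';
    return 0;
}
/* Collapse "", "." and ".." segments in place; -1 if ".." climbs above "/". */
static int remove_dot_segments(char *p) {
    char *r = p, *w = p;
    if (*r != '/') return -1;
    while (*r) {
        char *seg = ++r;                      /* step over the '/' */
        size_t n = strcspn(seg, "/");
        r = seg + n;
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (w == p) return -1;
            while (*--w != '/') { }           /* drop the last kept segment */
        } else {
            *w++ = '/';
            w = (char *)memmove(w, seg, n) + n;
        }
    }
    if (w == p) *w++ = '/';
    *w = '\0';
    return 0;
}
/* 1 = rule applies, 0 = no rule, -1 = reject. "/private" is a made-up rule. */
int check_request(char *path) {
    static const char rule[] = "/private";
    const size_t n = sizeof rule - 1;
    if (percent_decode(path) || remove_dot_segments(path)) return -1;
    return strncmp(path, rule, n) == 0 && (path[n] == '/' || path[n] == '\0');
}
int main(void) {
    char p[] = "/private/../private/../pub/../private/x.html"; /* constructed */
    return printf("%d %s\n", check_request(p), p) < 0;
}
```

Because the rule is compared only with the canonical path, a chain of `dir/../` pairs and its percent-encoded form land on the same rule as the direct path, and a doubly encoded `%252e` stays a literal segment instead of being decoded a second time.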