In-Reply-To: <20040131211851.30391.qmail@www.securityfocus.com>

Note: of course it also affects the current version 2.0.48 (tested).

Vietnamese Security Group
www.security.com.vn

>Received: (qmail 2149 invoked from network); 3 Feb 2004 02:12:35 -0000
>Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 3 Feb 2004 02:12:35 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>  by outgoing3.securityfocus.com (Postfix) with QMQP
>  id 9667FA3153; Mon, 2 Feb 2004 18:23:17 -0700 (MST)
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Received: (qmail 31275 invoked from network); 31 Jan 2004 21:08:29 -0000
>Date: 31 Jan 2004 21:18:51 -0000
>Message-ID: <20040131211851.30391.qmail@www.securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: Vietnamese Security Group <security@security.com.vn>
>To: bugtraq@securityfocus.com
>Subject: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
>
>
>
>APACHE HTTPD SERVER (current version 2.0.47):
>##########################################################
>How to return files in an Apache Deny All directory.
>The Directives controlling host access may be bypassed even
>if they do not have permission to be overridden.
>
>11 Jan 2004
>
>
>DESCRIPTION
>
>Apache Web Server allows managing configuration via the main
>httpd.conf file, and via other configuration files placed
>inside the child web trees, which may be owned by the user accounts,
>named .htaccess by default. The server administrator further
>controls what Directives may be placed in .htaccess files by
>configuring the AllowOverride Directive in the main httpd.conf
>files.
>
>If the server admin sets the Deny Directive to All (for example),
>and does not allow the user accounts to modify this Directive in
>their .htaccess file by setting the AllowOverride values without
>the Limit type, his/her users are still able to bypass the Deny
>option by using the ErrorDocument Directive.
>
>Tested in Apache 2.0.47/RH-Linux/WinXP.
>
>
>EXAMPLE
>
>##########################################################
># In the main httpd.conf file:
>#
><Directory />
>    AllowOverride FileInfo
>    Deny From All
></Directory>
>##########################################################
>
>##########################################################
># In the user's .htaccess file placed in a child directory:
>
>ErrorDocument 403 /child/dir/fetch.php
>
>##########################################################
>
>/********************************************************/
><?php
>// In the fetch.php placed in the same directory:
>
>$url = parse_url( $_SERVER['REQUEST_URI'] );
>@include basename( $url['path'] );
>
>?>
>/********************************************************/
>
>
>In this example, it is assumed that the web server can execute PHP scripts
>or some scripts/server-side includes. By modifying some code you can
>return other MIME file types such as image/gif etc.
>
>Even if the server does not allow any file to be parsed (Deny From All),
>the script file fetch.php will still be executed, and it includes
>again and parses any other file in the same directory, which is
>indicated by the query variables, to the web client.
>
>Looking in the source code, I think the missing auth checking is in
>the function ap_process_request_internal() in the file request.c.
>One of the major changes in Apache 2.0 is to the internal redirect
>mechanism. To prevent the code from falling out of sync again in the
>current directory, the configuration comparison between two config
>directories may bypass the authentication checking again. That
>explains why this vulnerability (if any?) can only be done if the
>redirect ErrorDocument file is placed in the same request directory.
>
>
>
>FIX
>
>Do not skip the auth checker even if the per_dir_config member value
>doesn't change in the ap_process_request_internal() function.
>
>
>NOTE
>
>I post this issue in the public mailing list, because I think this
>vuln is not exploitable by a remote attacker. If something were
>wrong, drop a line to me.
>
>
>Vietnamese Security Group
>Trung - caothuvolam - trungonly@yahoo.com
>http://www.security.com.vn
>
>31 Nui Truc st. Ba Dinh dist. Ha Noi . Vietnamese
>Phone : 84.4.8465701 / Fax: 84.4.8465701
>
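The configuration weakness the quoted post describes is the combination of "Deny From All" on a tree with an AllowOverride that still grants the FileInfo class (which is the class ErrorDocument belongs to), so that a per-directory .htaccess can point a 403 at a local script. The following auditor is an added example, not code from the post, from the Vietnamese Security Group or from the Apache project: it parses a constructed httpd.conf fragment (the first <Directory> block is the one from the post, the others are made up), flags every <Directory> block that denies all hosts while letting .htaccess set ErrorDocument, and lists .htaccess ErrorDocument entries whose target is a local path rather than an external URL or a quoted message. The .htaccess file names are hypothetical. It assumes the Apache 2.0/2.2 behaviour that a block with no AllowOverride line is treated as AllowOverride All, and it does not handle directory paths containing spaces.

```python
import re
from typing import Dict, List, Tuple

# Constructed httpd.conf fragment. The first block is the configuration from the post;
# the remaining blocks are made-up cases that exercise the checks.
SAMPLE_HTTPD_CONF = """
<Directory />
    AllowOverride FileInfo
    Deny From All
</Directory>

<Directory /var/www/public>
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory /var/www/private>
    AllowOverride AuthConfig Limit
    Deny from all
</Directory>

<Directory /var/www/legacy>
    # no AllowOverride line at all: Apache 2.0/2.2 default it to All
    Deny from all
</Directory>
"""

# Constructed .htaccess contents keyed by hypothetical file path.
SAMPLE_HTACCESS = {
    "/child/dir/.htaccess": "ErrorDocument 403 /child/dir/fetch.php\n",
    "/var/www/public/.htaccess": (
        "ErrorDocument 404 http://example.invalid/missing.html\n"
        'ErrorDocument 500 "Server error"\n'
    ),
}

# Matches <Directory path> ... </Directory>; paths containing spaces are not handled.
DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.IGNORECASE | re.DOTALL
)

# ErrorDocument belongs to the FileInfo override class, which "All" also grants.
OVERRIDES_GRANTING_ERRORDOCUMENT = {"all", "fileinfo"}

# Apache 2.0/2.2 treat a missing AllowOverride as "All" (2.3.9+ changed the default to None).
DEFAULT_ALLOWOVERRIDE = ["all"]


def parse_directory_blocks(conf: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {path: {directive_lowercase: [lowercased args]}} for each <Directory> block."""
    blocks: Dict[str, Dict[str, List[str]]] = {}
    for match in DIRECTORY_RE.finditer(conf):
        path, body = match.group(1), match.group(2)
        directives: Dict[str, List[str]] = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            name, *args = line.split()
            directives[name.lower()] = [a.lower() for a in args]
        blocks[path] = directives
    return blocks


def find_risky_directories(conf: str) -> List[str]:
    """Directories that deny all hosts yet let .htaccess set ErrorDocument."""
    risky = []
    for path, d in parse_directory_blocks(conf).items():
        denies_all = d.get("deny") == ["from", "all"]
        override = d.get("allowoverride", DEFAULT_ALLOWOVERRIDE)
        if denies_all and OVERRIDES_GRANTING_ERRORDOCUMENT.intersection(override):
            risky.append(path)
    return risky


def find_local_errordocuments(htaccess_files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """ErrorDocument targets given as local paths (served through an internal redirect).

    External URLs and quoted message strings are skipped: only a local path makes the
    server run another handler in place of the denied request.
    """
    hits = []
    for fname, content in htaccess_files.items():
        for raw in content.splitlines():
            parts = raw.strip().split(None, 2)
            if len(parts) == 3 and parts[0].lower() == "errordocument":
                target = parts[2]
                if target.startswith("/"):
                    hits.append((fname, parts[1], target))
    return hits


if __name__ == "__main__":
    for path in find_risky_directories(SAMPLE_HTTPD_CONF):
        print(f"{path}: Deny from all, but .htaccess may set ErrorDocument (FileInfo)")
    for fname, code, target in find_local_errordocuments(SAMPLE_HTACCESS):
        print(f"{fname}: ErrorDocument {code} redirects internally to {target}")
```

Run against the sample, the root block from the post and the block with no AllowOverride are reported, while the block that grants only AuthConfig and Limit is not. On an Apache 2.0 server the configuration-side mitigation is therefore to remove FileInfo (and All) from AllowOverride for any tree that is under Deny From All; Apache 2.0 has no way to permit the rest of FileInfo while excluding ErrorDocument alone (the finer-grained AllowOverrideList only appeared in 2.4).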