
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)



In-Reply-To: <20040131211851.30391.qmail@xxxxxxxxxxxxxxxxxxxxx>

Note: of course it also affects the current version 2.0.48 (tested).

Vietnamese Security Group
www.security.com.vn


>Date: 31 Jan 2004 21:18:51 -0000
>From: Vietnamese Security Group <security@xxxxxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
>
>
>
>APACHE HTTPD SERVER (current version 2.0.47):
>##########################################################
>How to return files in an Apache Deny All directory.
>The Directives controlling host access may be bypassed even 
>if they do not have permission to be overridden.
>
>11 Jan 2004
>
>
>DESCRIPTION
>
>Apache Web Server allows managing configuration via the main 
>httpd.conf file, and via other configuration files placed 
>inside the child web trees, which may be owned by the user accounts, 
>named .htaccess by default. The server administrator further 
>controls what Directives may be placed in .htaccess files by 
>configuring the AllowOverride Directive in the main httpd.conf 
>file.
>
>If the server admin sets the Deny Directive to All (for example), 
>and does not allow the user accounts to modify this Directive in 
>their .htaccess file by setting the AllowOverride values without 
>the Limit type, his/her users are still able to bypass the Deny 
>option by using the ErrorDocument Directive.
>
>Tested in Apache 2.0.47/RH-Linux/WinXP.
>
>
>EXAMPLE
>
>##########################################################
># In the main httpd.conf file:
>#
><Directory />
>    AllowOverride FileInfo
>    Deny From All
></Directory> 
>##########################################################
>
>##########################################################
># In the user's .htaccess file placed in a child directory:
> 
>ErrorDocument 403 /child/dir/fetch.php
>
>##########################################################
>
>/********************************************************/
><?php
>// In the fetch.php placed in the same directory:
>
>$url = parse_url( $_SERVER['REQUEST_URI'] );
>@include basename( $url['path'] );
> 
>?>
>/********************************************************/
>
>
>This example assumes the web server can execute PHP scripts 
>or some scripts/server-includes. By modifying some code you can 
>return other MIME file types such as image/gif etc.
>
>Even if the server does not allow any file to be parsed (Deny From All), 
>the script file fetch.php will still be executed, and it includes 
>again and parses any other files in the same directory, as 
>indicated by the query variables, to the web client. 
>
>Looking in the source code, I think the missing auth checking is in 
>the function ap_process_request_internal() in the file request.c. 
>One of the major changes in Apache 2.0 is to the internal redirect 
>mechanism. To prevent the code from falling out of sync again in the
>current directory, the configuration comparing between two config 
>directories may bypass the authentication checking again. That 
>explains why this vulnerability (if any?) can only be done if the 
>redirect ErrorDocument file is placed in the same request directory.
>
>
>
>FIX
>
>Do not skip auth checker even if the per_dir_config member value 
>doesn't change in the ap_process_request_internal() function.
>
>
>NOTE 
>
>I post this issue in the public mailing list, because I think this 
>vuln is not exploitable by a remote attacker. If something were 
>wrong, drop a line to me.
>
>
>Vietnamese Security Group
>Trung - caothuvolam - trungonly@xxxxxxxxx
>http://www.security.com.vn
>
>31 Nui Truc st. Ba Dinh dist. Ha Noi . Vietnamese
>Phone : 84.4.8465701 / Fax: 84.4.8465701
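
A defensive audit for the configuration described above, as an added example that is not part of the original post: it walks a document root, finds .htaccess files that register a local ErrorDocument handler for 401/403, and reports whether that handler sits in the same tree as the .htaccess file. The function names, the constructed sample tree and the assumption that the scanned directory is the DocumentRoot are assumptions of this example.

```python
import os
import re
import tempfile

# ErrorDocument <status> <target>; directive names are case-insensitive.
ERRDOC = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(\S.*?)\s*$', re.IGNORECASE)

def audit_htaccess(docroot, name=".htaccess"):
    """Return (htaccess_path, status, target, handler_in_same_tree) for every
    ErrorDocument 401/403 override whose target is a local URL path."""
    findings = []
    docroot = os.path.realpath(docroot)
    for dirpath, _dirs, files in os.walk(docroot):
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = ERRDOC.match(line)
                if not m or m.group(1) not in ("401", "403"):
                    continue
                target = m.group(2)
                if not target.startswith("/"):
                    continue  # quoted message text or external URL, not a local handler
                # Assumption: docroot is the DocumentRoot, so URL paths map directly.
                handler = os.path.realpath(os.path.join(docroot, target.lstrip("/")))
                same_tree = os.path.commonpath([handler, dirpath]) == dirpath
                findings.append((os.path.relpath(path, docroot), m.group(1), target, same_tree))
    return findings

def build_sample_tree():
    """Constructed sample: one .htaccess like the advisory's, one harmless."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "child", "dir"))
    os.makedirs(os.path.join(root, "other"))
    with open(os.path.join(root, "child", "dir", ".htaccess"), "w") as fh:
        fh.write("# constructed sample\nErrorDocument 403 /child/dir/fetch.php\n")
    with open(os.path.join(root, "other", ".htaccess"), "w") as fh:
        fh.write('errordocument 404 /missing.html\nErrorDocument 403 "Forbidden."\n')
    return root

if __name__ == "__main__":
    for finding in audit_htaccess(build_sample_tree()):
        print(finding)
```

ErrorDocument is only accepted in .htaccess when AllowOverride includes FileInfo, so any finding also means FileInfo overrides are enabled for that directory.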
>