<<< Date Index >>>     <<< Thread Index >>>

Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")



Hi!

Am Wed, Feb 11, 2004 at 01:49:30PM +0100, Peter J. Holzer wrote:
> Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal file
> names. On Windows, trailing dots seem to be ignored, so "WEB-INF" and
> "WEB-INF.." are just two names for the same file. This also works if the
> filename already has an extension, so for example "foo.html" and
> "foo.html....." are the same file, too.

Yes and no. At least on my W2K box here it seems to work only for one
and two additional dots on the cmd commandline, but not three. (Just
to be picky. :-)

Another (some kind of obvious) way to exploit the two-dot directory
"feature" of Windows under Apache is to bypass <Location ...> based
restrictions on directories.

e.g. if you have a directory foo in your DocumentRoot and restrict
access by

<Location "/foo/">
  Order deny,allow
  Deny from all
</Location>

you can easily access it by requesting http://host/foo../ instead of
http://host/foo/, which results in a 403 Forbidden. (It must be a real
directory to work, aliasses won't do the trick.)

Of course you usually won't lock up directories with <Location ...>,
but a there other cases, where you would use <Location ...> in favor
of <Directory ...> or <Files ...>.

            Kind regards, Axel Beckert
-- 
-------------------------------------------------------------
Axel Beckert      ecos electronic communication services gmbh
it security solutions * web applications with apache and perl

Mail:       Tulpenstrasse 5       D-55276 Dienheim near Mainz
E-Mail:     beckert@xxxxxxx       Voice:     +49 6133 939-220
WWW:        http://www.ecos.de/   Fax:       +49 6133 939-333
-------------------------------------------------------------

          Visit us at CeBIT (18. - 24. March 2004)
                    Halle 6 Stand B38-452

--------------------------------------------------------------