Bugtraq mailing list archives
Re: IBM HTTP SERVER / APACHE
From: marcs () ZNEP COM (Marc Slemko)
Date: Sat, 3 Jun 2000 19:43:33 -0600
On Wed, 31 May 2000, Marek Roy wrote:
I haven't seen any advisories for IBM HTTP SERVER running Apache. There is a crucial number of "/" (forward slash) you can use to retrieve the contents of the root directory of this particular Web Server. Using this vulnerability, you can retrieve any files or scripts running from that directory and sub-directories.
First, let me note that I am not very knowledgeable about the Win32 platform and have not investigated this issue in depth. What is below is a combination of what I know with what the people who have looked into the issue more and produced the fix have said. I'm not exactly sure what you mean by "retrieve any files or scripts". Certainly, if you know a URL and it isn't protected then you can access it. If that URL is for a CGI, and it isn't protected, you can access that URL and run the CGI. You should not, however be relying on people not being able to guess a URL as a form of security. In general, URLs are not treated as confidential information by browsers, proxies, etc. In any case, back to the issue at hand. There is a bug in Apache 1.3.x on the Win32 platform. This does NOT impact Apache running on Unix. This is NOT particular to IBM's product, but is a bug in the Apache HTTP server included in IBM's bundle. This bug allows people to get a directory listing of a directory, if it is enabled in the config, even if an index file is present that would normally be displayed instead. While normally this is of little consequence, in some situations this can be problematic. Obviously, a temporary workaround is to disable the Indexes option (see the docs for the "Option" directive for details). What is happening is that when Apache calls stat() to check if the index.html (or whatever name it has) exists, Windows will return an error if the path is too long. Apache incorrectly treated this as if the file does not exist. The included patch has been applied to the Apache CVS tree and corrects this issue by correcting an existing pathname length check. Different numbers of '/'s are required based on the length of the path to the DocumentRoot. This is just speculation, but my guess as to why there is an exact number of '/'s necessary is that if the stat() of ".htaccess" fails in an unexpected way, then the request will be refused. "index.html" is only one character longer, hence the one character window between the stat() of "index.html" failing and the stat() of ".htaccess" failing. That is just speculation, however, I haven't actually looked into it. There are other places in the code that also call stat() to check for more important things (eg. .htaccess files), however these do not seem to be impacted. On Unix, there are places where the code explicitly checks the error returned from stat(), and refuses access if it is anything other than a known "file doesn't exist, really" error. I have requested that those familiar with the code look into if something similar is appropriate here; ie. don't just check if stat() succeeds or fails, but check what the reason for failing is. As for the person that mentioned they could crash the server with particular requests, I have not been able to reproduce that and have not heard from anyone else who could reproduce it, so there isn't much I can say about that.... There is a rough plan to release a 1.3.13 version of Apache sometime this coming week, with various changes including this security fix, however this is subject to change. I would presume IBM would release a fix for their product that integrates that fix, however that is obviously in their hands and I know no details. As always, anyone who has found or thinks that they have found a security bug in the Apache HTTP server or other Apache Software Foundation software should get in touch with us at security () apache org so we can investigate and, if necessary, fix the issue. Thanks. The patch applied to the Apache CVS tree, as shown at http://www.apache.org/websrc/cvsweb.cgi/apache-1.3/src/os/win32/util_win32.c.diff?r1=1.33&r2=1.34 follows. =================================================================== RCS file: /home/cvs/apache-1.3/src/os/win32/util_win32.c,v retrieving revision 1.33 retrieving revision 1.34 diff -u -r1.33 -r1.34 --- apache-1.3/src/os/win32/util_win32.c 1999/02/18 11:07:14 1.33 +++ apache-1.3/src/os/win32/util_win32.c 2000/06/02 16:30:27 1.34 @@ -580,7 +580,7 @@ }; /* Test 1 */ - if (strlen(file) > MAX_PATH) { + if (strlen(file) >= MAX_PATH) { /* Path too long for Windows. Note that this test is not valid * if the path starts with //?/ or \\?\. */ return 0; -- Marc Slemko | Apache Software Foundation member marcs () znep com | marc () apache org
Current thread:
- Security Administration comes to LISA 2000, (continued)
- Security Administration comes to LISA 2000 Cat Okita (Jun 01)
- Remote DoS attack in RealServer: USSR-2000043 David Cotter (Jun 01)
- ipx storm Jacek Lipkowski (Jun 02)
- Microsoft Security Bulletin (MS00-032) Microsoft Product Security (Jun 02)
- Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability Ussr Labs (Aug 02)
- Piranha password file frostman () SECUREACCESS INTRANETS COM (Jun 02)
- Re: Piranha password file arkth (Jun 08)
- Re: Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability Alfred Perlstein (Jun 02)
- New Allaire Security Zone Bulletins Aleph One (Jun 08)
- Re: IBM HTTP SERVER / APACHE . Hecix (Jun 02)
- Re: IBM HTTP SERVER / APACHE Marc Slemko (Jun 03)