Bugtraq mailing list archives
Re: BUG IN APACHE HTTPD SERVER 2.0.47/48 (to who replied me)
From: Phan "Thái" Trung <trungonly () yahoo com>
Date: Thu, 5 Feb 2004 09:01:28 -0800 (PST)
Hi William A. Rowe,

In my article, I supposed that the administrator permits AllowOverride FileInfo, and you supposed that the admin restricts that. What happens if he permits AllowOverride FileInfo? The problem is, when I tested and looked at the source code, if the 403 or other error document is placed somewhere outside the current directory, it is not parsed in the Deny From All URL (normally, as Apache wants). If the 403 doc is placed in the current directory, it can be parsed (abnormally, as Apache may not want). We don't want to prevent this by going round, re-configuring Apache in the other way, but by ensuring that Apache works well in both cases, the 403 doc placed outside or inside the restricted directory.

Trung

--- "William A. Rowe, Jr." <wrowe () rowe-clan net> wrote:

Finally the gist of a very effective question:

Q. Should Apache require that the .htaccess-permitted web content allow the user to control the ErrorDocument directive?

A. Yes, provided that AllowOverride FileInfo (or AllowOverride All) is given in the httpd.conf file for the web content's directory tree.

http://httpd.apache.org/docs-2.0/mod/core.html#allowoverride

"FileInfo Allow use of the directives controlling document types (...)"

Any administrator who would permit untrusted content authors to use the .htaccess file in such an open manner would be foolish. The examples you are citing imply that the Administrator is taking steps to lock down the server. The very FIRST thing such an administrator would do would be to restrict AllowOverride and ensure Options FollowSymLinks is off.

I validated this behavior in httpd-2.0 and apache-1.3 - and in both cases the ErrorDocument directive is restricted to AllowOverride FileInfo.

The report is based on the assumption that the administrator went to only half the effort to lock down the server, therefore it's certainly not a bug or hole in the Apache server, but in the configuration you've proposed.

Yours, Bill

At 03:58 AM 2/5/2004, Phan "Thái" Trung wrote:

Hi Reagan Blundell, Andre Malo, Rafael D'Avila...

Thanks for your comment. But let's think a bit more carefully and reply to me your opinion.

Suppose that the root *user sets* a directory to Deny From All, so in fact all web users should not be able to get its content. But a *reseller user* who has the right to modify the .htaccess file (ErrorDocument) could let other *web users* get its content via a 403 document, or at least get the 403 doc itself, which is placed in the same directory. In this case, we do not need PHP.

Answer me: is it an Apache feature, or a mistake of Apache?

Best Regards, Trung

Reagan Blundell <Reagan.Blundell () Centradia com> wrote:

I think it's a vuln; in fact I confirmed someone's for that. Then I post it into a bug-tracker list instead of in a user support forum. Thanks for your comment.

The only reason it is a "vulnerability" is because PHP allows a user to read files from the system. This is completely regardless of whatever protections you have set up in Apache. If you don't trust your users, then allowing them to run PHP scripts is just plain stupid. This is not a security issue with apache. This is an administrator not knowing the consequences of giving users access to PHP.

Rafael D'Avila <rooter () terra com br> wrote:

IMHO, there's no vulnerability here... if you trust your users, and let them execute some code from inside the server, you are only using a feature of Apache, and have to take the responsibility if someone executes dangerous code....

Only my 0.2 cents

Rafael D'Ávila (core_dumped () terra com br)

----- Original Message -----
From: "André Malo"
To: "langtuhaohoa caothuvolam"
Cc: ;
Sent: Wednesday, February 04, 2004 4:07 PM
Subject: Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)

* langtuhaohoa caothuvolam wrote:

Deny From All: In this way they can access from outside the server.

You mean: An attacker needs to place such a script on the server, which includes the requested uri. If he's able to do so, he can (a) read the file anyway, (b) simply open it from inside the script using normal file operations.

I cannot see a vuln here. If he's able to take the actions described above, one has *real* trouble on the server.

This seems to me the same topic as the mod_perl hijacking. If you don't trust your users, don't let them execute code from inside the server.

nd
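The two configurations the thread contrasts, as an added illustration that is not configuration posted by any participant: the first grants the .htaccess author in the denied directory control of ErrorDocument, the case Trung describes; the second is the lock-down Bill describes. The paths under /var/www/html and the WEAK/HARDENED define names are assumptions.

```apache
# Added example: httpd.conf fragments for Apache 2.0 illustrating the thread.
# Paths under /var/www/html and the WEAK/HARDENED define names are assumed.
# Start with "httpd -D WEAK" or "httpd -D HARDENED" to pick one fragment.

# --- The setup Trung assumes: content authors may override FileInfo ---
<IfDefine WEAK>
<Directory "/var/www/html">
    AllowOverride FileInfo
</Directory>

<Directory "/var/www/html/private">
    # The root user's intent: no web user reads this directory.
    Order deny,allow
    Deny from all
</Directory>
# A .htaccess in /var/www/html/private could now contain
#     ErrorDocument 403 /private/secret.html
# pointing the 403 handler at a file inside the denied directory,
# which is the case Trung reports as being parsed.
</IfDefine>

# --- The lock-down Bill describes ---
<IfDefine HARDENED>
<Directory "/var/www/html">
    # .htaccess files cannot change ErrorDocument (or any other directive).
    AllowOverride None
    Options -FollowSymLinks
</Directory>

<Directory "/var/www/html/private">
    Order deny,allow
    Deny from all
</Directory>

# Error pages are fixed by the administrator and live outside any denied tree.
ErrorDocument 403 /errors/403.html
<Directory "/var/www/html/errors">
    Order allow,deny
    Allow from all
</Directory>
</IfDefine>
```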