Posted to dev@httpd.apache.org by Beth Frank <ef...@ncsa.uiuc.edu> on 1995/11/06 16:53:39 UTC

Report of bugs in httpd 1.4.2 (INFO#95.26894) (fwd)

FYI

Since you have been discussing // on the Apache mailing list, I thought
I would forward this information to you. 

Background:  CERT in Holland forwarded this to the USA CERT who
forwarded it to NCSA.

Forwarded message:
> From jte@cert.org Tue Oct 31 11:13:48 1995
> To: efrank@ncsa.uiuc.edu, kerowe@ncsa.uiuc.edu
> Subject: Report of bugs in httpd 1.4.2 (INFO#95.26894)
> Cc: cert@cert.org
> Organization: CERT Coordination Center : +1 (412) 268-7090
> Date: Tue, 31 Oct 1995 12:14:07 EST
> From: James Ellis <jt...@cert.org>
> 
<bunches snipped>
> Problem description.
> 	The NCSA httpd daemon (up to/including version 1.4.2) can be
> 	tricked into bypassing access restrictions and symbolic link
> 	policies that are defined in its configuration files.
> 
> Impact.
> 	Potentially much more information than intended or desired
> 	can be disclosed.
> 
> Exploitation methods.
> 	o  Suppose there are access restrictions to ``foo/bar'' which
> 	should make this directory inaccessible, or invisible via an
> 	index list.
> 	o  The restrictions can be circumvented by specifying instead
> 	``foo///bar'' ``foo/./bar'' ``./foo/bar'' ``foo/bar/.'' or
> 	combinations thereof.
> 	o  Furthermore, if such a name refers to an executable or shell
> 	script that is supposed to be executed, the contents of the
> 	executable or shell script are retrieved and revealed instead.
> 	o  If symbolic links are allowed, and the owner of the link
> 	must be the same as the owner of the file the link points to,
> 	the trick is to let the link point to another link with the
> 	same ownership, and let that second link point to the desired
> 	file (e.g. /etc/passwd).
> 
> Fixes.
> 	o  The module no2slash() in util.c replaces two consecutive
> 	slashes by a single one. It should recognize any number of
> 	consecutive slashes.
> 	o  The module no2slash() in util.c should also recognize
> 	and replace the ``/./'' ``./'' ``/.'' constructs.
> 	o  The module getparents() in util.c should call no2slash()
> 	before proceeding.
> 	o  The module evaluate_access() in http_access.c does an
> 	lstat() on a link and another lstat() on the resulting file
> 	to compare their owners. It should do a stat() on the
> 	resulting file instead. It also does not check whether the
> 	lstat() fails or succeeds.
> 
> Workarounds.
> 	Don't allow the following of symbolic links at all.
> 	I cannot think of a workaround for the bogus pathnames.
> 
> Reported by
> 	Eric Wassenaar <e0...@nikhef.nl>
> Organization: Dutch National Institute for Nuclear and High-Energy Physics
> Address: Kruislaan 409, P.O. Box 41882, 1009 DB Amsterdam, the Netherlands
> Phone: +31 20 592 5012, Home: +31 20 6909449, Telefax: +31 20 592 5155


-- 
		Elizabeth(Beth) Frank
		NCSA Server Development Team
		efrank@ncsa.uiuc.edu
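The two fixes the forwarded report asks for, worked through as an added example in C. This is not NCSA httpd source and not Eric Wassenaar's or CERT's code: the names canonicalize_path(), canonical_equals() and link_target_owner_matches() are this example's own, standing in for util.c's no2slash()/getparents() and http_access.c's evaluate_access(). It goes a little beyond the report's wording by collapsing any run of slashes and dropping every "." component in a single pass, and by checking both lstat() and stat() return values. The sample paths are constructed for the demonstration.

```c
/* Added example (not NCSA httpd source): a path canonicaliser and a
 * symlink-owner check written to the fixes the report proposes. The names
 * canonicalize_path(), canonical_equals() and link_target_owner_matches()
 * are this example's own assumptions, not util.c's no2slash()/getparents()
 * or http_access.c's evaluate_access(). Sample paths below are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Collapse every run of '/' to one and drop "." components, in place.
 * "foo///bar", "foo/./bar", "./foo/bar" and "foo/bar/." all become
 * "foo/bar", so an access check that compares the canonical form cannot
 * be dodged by respelling the path. A trailing '/' is kept because it is
 * meaningful to a web server; ".." is left for a separate parent pass,
 * which must run after this one so it only ever sees single slashes. */
void canonicalize_path(char *path)
{
    char *src = path, *dst = path;
    size_t n = strlen(path);
    int trailing_slash = (n > 0 && path[n - 1] == '/');

    if (*src == '/')
        *dst++ = '/';                       /* keep absolute paths absolute */

    while (*src) {
        const char *seg;
        size_t len;

        while (*src == '/')                 /* swallow the whole separator run */
            src++;
        if (!*src)
            break;
        seg = src;
        while (*src && *src != '/')
            src++;
        len = (size_t)(src - seg);
        if (len == 1 && seg[0] == '.')      /* "." never changes the target */
            continue;
        if (dst > path && dst[-1] != '/')
            *dst++ = '/';
        memmove(dst, seg, len);             /* dst <= seg, so the copy is safe */
        dst += len;
    }
    if (trailing_slash && dst > path && dst[-1] != '/')
        *dst++ = '/';
    if (dst == path)                        /* everything vanished: stay at "." */
        *dst++ = '.';
    *dst = '\0';
}

/* Copy `in` into a local buffer, canonicalise it and compare with `want`.
 * Returns 1 on match, 0 otherwise (including when `in` is too long). */
int canonical_equals(const char *in, const char *want)
{
    char buf[256];
    if (strlen(in) >= sizeof buf)
        return 0;
    strcpy(buf, in);
    canonicalize_path(buf);
    return strcmp(buf, want) == 0;
}

/* "Owner of the link must match owner of what it points to" policy.
 * lstat() gives the link's own owner; stat() follows the whole chain of
 * links to the final file, so a link pointing at a second link cannot
 * hide a differently owned target the way a second lstat() would.
 * Returns 1 if the path may be served, 0 if owners differ, -1 (errno
 * set) if either lookup fails, e.g. a dangling link. */
int link_target_owner_matches(const char *path)
{
    struct stat link_st, target_st;

    if (lstat(path, &link_st) != 0)
        return -1;
    if (!S_ISLNK(link_st.st_mode))
        return 1;                           /* not a link: nothing to compare */
    if (stat(path, &target_st) != 0)
        return -1;                          /* dangling link or no access */
    return link_st.st_uid == target_st.st_uid;
}

int main(void)
{
    const char *samples[] = { "foo///bar", "foo/./bar", "./foo/bar", "foo/bar/.",
                              "/cgi-bin/.//script", "/./", "foo/../bar" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[256];
        strcpy(buf, samples[i]);
        canonicalize_path(buf);
        printf("%-20s -> %s\n", samples[i], buf);
    }
    printf("link_target_owner_matches(\".\") = %d\n", link_target_owner_matches("."));
    return 0;
}
```

The order matters: canonicalise first, then resolve ".." against the single-slash form, and only then compare the result with the directory restrictions and decide whether a CGI should run or be served as a file. The owner check returns a distinct -1 on failure so a failed lstat() or stat() is treated as "deny", never silently as "owners match".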