Posted to dev@httpd.apache.org by "Dirk.vanGulik" <Di...@jrc.it> on 1997/09/04 11:15:12 UTC

Re: [linux-security] Security Hole. Appache. (fwd)

Flush, blush ; I knew this; there is even some old patch for pre 1 ?
which gave a protocol error :-( It came in after the limit extension.

Dw.


> Sorry! Unknown (for me) behaviour of Apache was discovered. Suddenly.
> 
> Configuration detail:
> Linux:  2.0.30
> Apache: 1.x.x
> 
> srm.conf:
>         ...
>         Action text/html /cgi-bin/exefile
>         ...
> 
> /www-root/sec-dir/.htaccess:
>         AuthType        Basic
>         AuthName        authname
>         AuthUserFile /itc/passwd
>         <LIMIT GET POST>
>         require valid-user
>         </LIMIT>
> 
> 
> 
> 
> 
> Trying to "GET" and "get" some file from /www-root/sec-dir/ ...
> ----------------------------------------
> Example #1:
> 
> $telnet www.host 80
> GET /sec-dir/index.html http/1.1
> 
> HTTP/1.1 401 Authorization Required
> ..............
> 
>         It's OK!
> -----------------------------------------
> Example #2:
> 
> $telnet www.host 80
> get /sec-dir/index.html http/1.1
> 
> HTTP/1.1 200 OK
> ...........
> 
>         It's quite OK for browser which doesn't know lower case "get".
> -----------------------------------------
> 
> This feature disappears if you comment 'Action' or '<LIMIT>' lines.
> 
>         Sorry again! Kir.
> 
> 
> 


Re: [linux-security] Security Hole. Appache. (fwd)

Posted by Marc Slemko <ma...@worldgate.com>.
On Thu, 4 Sep 1997, Dirk.vanGulik wrote:

> Flush, blush ; I knew this; there is even some old patch for pre 1 ?
> which gave a protocol error :-( It came in after the limit extension.

But it isn't a bug, and the script is doing exactly what they told it to.
It is obviously not checking the method correctly, so even something like
PUT would probably behave the same.  Since the method, by definition, is
case sensitive and passing unknown methods to CGI scripts is done on
purpose, this comes down to two things:

	- the user is using Limit directives for no reason
	- the user's script is not properly checking the method it is
	  called with

> 
> Dw.
> 
> 
> > Sorry! Unknown (for me) behaviour of Apache was discovered. Suddenly.
> > 
> > Configuration detail:
> > Linux:  2.0.30
> > Apache: 1.x.x
> > 
> > srm.conf:
> >         ...
> >         Action text/html /cgi-bin/exefile
> >         ...
> > 
> > /www-root/sec-dir/.htaccess:
> >         AuthType        Basic
> >         AuthName        authname
> >         AuthUserFile /itc/passwd
> >         <LIMIT GET POST>
> >         require valid-user
> >         </LIMIT>
> > 
> > 
> > 
> > 
> > 
> > Trying to "GET" and "get" some file from /www-root/sec-dir/ ...
> > ----------------------------------------
> > Example #1:
> > 
> > $telnet www.host 80
> > GET /sec-dir/index.html http/1.1
> > 
> > HTTP/1.1 401 Authorization Required
> > ..............
> > 
> >         It's OK!
> > -----------------------------------------
> > Example #2:
> > 
> > $telnet www.host 80
> > get /sec-dir/index.html http/1.1
> > 
> > HTTP/1.1 200 OK
> > ...........
> > 
> >         It's quite OK for browser which doesn't know lower case "get".
> > -----------------------------------------
> > 
> > This feature disappears if you comment 'Action' or '<LIMIT>' lines.
> > 
> >         Sorry again! Kir.
> > 
> > 
> > 
>
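
The method check that Marc Slemko's reply says the Action script is missing, as an added example that is not part of the original thread or of Apache: a Python CGI handler that accepts only an exact, case-sensitive allow-list of methods. The handler, its allow-list, and reading the requested document from `PATH_TRANSLATED` are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Sketch of a handler installed via `Action text/html /cgi-bin/exefile`.

Assumption: the server passes the method verbatim in REQUEST_METHOD and
the requested document's file path in PATH_TRANSLATED (CGI variables).
"""
import os
import sys

# Exact, case-sensitive allow-list: HTTP methods are case sensitive, so
# "get" is a different (unknown) method, not another spelling of GET.
ALLOWED_METHODS = ("GET", "HEAD")


def handle(environ):
    """Return (status, headers, body) for one CGI invocation."""
    method = environ.get("REQUEST_METHOD", "")
    if method not in ALLOWED_METHODS:
        # Refuse outright instead of falling through to the GET code path.
        return ("405 Method Not Allowed",
                [("Allow", ", ".join(ALLOWED_METHODS)),
                 ("Content-Type", "text/plain")],
                b"method not allowed\n")
    try:
        with open(environ.get("PATH_TRANSLATED", ""), "rb") as fh:
            body = fh.read()
    except OSError:
        return ("404 Not Found", [("Content-Type", "text/plain")],
                b"not found\n")
    headers = [("Content-Type", "text/html"),
               ("Content-Length", str(len(body)))]
    # HEAD gets the same headers as GET but no body.
    return ("200 OK", headers, b"" if method == "HEAD" else body)


def main():
    status, headers, body = handle(os.environ)
    out = sys.stdout.buffer
    out.write(("Status: %s\r\n" % status).encode("ascii"))
    for name, value in headers:
        out.write(("%s: %s\r\n" % (name, value)).encode("ascii"))
    out.write(b"\r\n" + body)


if __name__ == "__main__":
    main()
```

The reply's other point is on the configuration side: `require valid-user` placed outside any `<LIMIT>` block applies to every method, including unknown ones such as `get`.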