Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/01/02 13:17:53 UTC

DO NOT REPLY [Bug 44161] New: - Configuration disclosure in HTTP header when using static built-in and 3rd party shared modules

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=44161>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=44161

           Summary: Configuration disclosure in HTTP header when using
                    static built-in and 3rd party shared modules
           Product: Apache httpd-2
           Version: 2.2.6
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: cuicui.oizo@free.fr


When apache is configured with static built-in modules (such as mod_rewrite) and
also 3rd party shared modules (such as mod_php), some parts of the httpd.conf
(and other included files) are disclosed in the "Server" part of the HTTP header.

Examples follow; note the strings "<location" and "x\xb9\x1e\b":

Apache/2.2.6 (Unix) mod_ssl/2.2.6 <location DAV/2 PHP/5.2.5 mod_perl/2.0.3
Perl/v5.8.8

Apache/2.2.6 (Unix) mod_ssl/2.2.6 x\xb9\x1e\b DAV/2 PHP/5.2.5 mod_perl/2.0.3
Perl/v5.8.8

Note: the disclosed part may include commented lines from the configuration file
and seems to be lowercase (to be confirmed); sometimes it can "leak" hundreds of
characters.

Note2: The disclosed part is not the same from one service reload to another.

Note3: All configuration files are in plain ASCII format with Unix-style end-of-line
characters.

Note4: Nothing is disclosed if the 3rd party modules aren't loaded in the
configuration, but the presence of at least one of them is enough to cause the
problem.

Prior to compilation, the configuration was the following:

./configure --enable-ldap --enable-so --with-ssl --enable-rewrite --enable-dav
--enable-dav-fs --enable-ssl --disable-cgid --disable-cgi --enable-authnz-ldap
--enable-ldap --with-ldap --enable-proxy --localstatedir=/opt/logs/apache
--prefix=/opt/apache-2.2.6

It was built on a stable Debian Etch with a 2.6.23.9 kernel.

Workaround: to avoid the problem, all modules must be built as shared instead of
static and have to be explicitly loaded in the configuration.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
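The two banners quoted in the report above, as an added example that is not part of the bug report or of httpd: a small Python check that splits a Server header value into its components and flags anything that is neither a name/version token nor a parenthesised comment, which is how both the stray "<location" fragment and the raw bytes show up. The sample values are constructed here to match the report; the component grammar and the fetch_server_banner helper are this example's own assumptions.

```python
import http.client
import re
import sys

# Constructed sample Server header values (not captured from a live host).
# The first two reproduce the shapes quoted in the bug report; the third is
# what the same build's banner looks like without the leak.
SAMPLE_BANNERS = {
    "config_fragment": ("Apache/2.2.6 (Unix) mod_ssl/2.2.6 <location DAV/2 "
                        "PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8"),
    # "\x08" is the backspace the report writes as "\b".
    "raw_bytes": ("Apache/2.2.6 (Unix) mod_ssl/2.2.6 x\xb9\x1e\x08 DAV/2 "
                  "PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8"),
    "clean": ("Apache/2.2.6 (Unix) mod_ssl/2.2.6 DAV/2 PHP/5.2.5 "
              "mod_perl/2.0.3 Perl/v5.8.8"),
}

# A banner is a space-separated list of parts; a parenthesised comment such
# as "(Unix)" or "(Red Hat)" may itself contain spaces, so match it first.
# Splitting on the literal space only keeps control bytes inside one part.
PART_RE = re.compile(r"\([^()]*\)|[^ ]+")

# Assumed grammar for a well-formed component: a product token, optionally
# followed by "/" and a version made of printable non-space characters.
COMPONENT_RE = re.compile(r"^[A-Za-z0-9_.+-]+(?:/[!-~]+)?$")


def split_components(banner):
    """Split a Server header value into its components."""
    return PART_RE.findall(banner)


def is_printable_ascii(text):
    return all(0x20 <= ord(ch) <= 0x7E for ch in text)


def suspicious_components(banner):
    """Return (component, reason) pairs for parts that do not look like a
    module banner component. A clean banner yields an empty list."""
    findings = []
    for part in split_components(banner):
        if not is_printable_ascii(part):
            findings.append((part, "contains non-printable or non-ASCII bytes"))
        elif part.startswith("(") and part.endswith(")"):
            continue  # OS / distribution comment, e.g. "(Unix)"
        elif not COMPONENT_RE.match(part):
            findings.append((part, "not of the form name or name/version"))
    return findings


def audit_banners(banners):
    """Map each label to the suspicious parts found in its banner."""
    return {label: suspicious_components(value) for label, value in banners.items()}


def fetch_server_banner(host, port=80, path="/"):
    """Hypothetical helper: issue a HEAD request and return the Server header
    value (or None). http.client decodes header bytes as ISO-8859-1, so any
    high or control bytes the server emits survive one-to-one as characters
    and can be inspected with suspicious_components()."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Repeat this after several reloads: the report notes that the
        # leaked fragment changes from one reload to the next.
        banner = fetch_server_banner(sys.argv[1])
        print(repr(banner))
        for part, reason in suspicious_components(banner or ""):
            print("  suspicious: %r (%s)" % (part, reason))
    else:
        for label, findings in audit_banners(SAMPLE_BANNERS).items():
            print("%-16s %s" % (label, findings or "ok"))
```

The check is deliberately strict about the grammar rather than looking for particular strings, because the report says the leaked fragment differs between reloads. Since httpd only appends per-module components to the banner when ServerTokens is Full, lowering ServerTokens keeps the fragment out of the Server header sent to clients; that hides the symptom without addressing its cause, and the reporter's workaround of building every module shared and loading it explicitly is the fix the report itself gives.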


DO NOT REPLY [Bug 44161] - Configuration disclosure in HTTP header when using static built-in and 3rd party shared modules

Posted by bu...@apache.org.

http://issues.apache.org/bugzilla/show_bug.cgi?id=44161


rpluem@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE




------- Additional Comments From rpluem@apache.org  2008-01-02 05:46 -------


*** This bug has been marked as a duplicate of 43334 ***
