Posted to apache-bugdb@apache.org by Jeff Carr <jc...@linuxppc.org> on 1997/04/02 00:50:01 UTC
mod_proxy/297: Allow/Deny proxy module inconsistent behavior
The contract type is `' with a response time of 3 business hours.
A first analysis should be sent before: Wed Apr 02 09:00:00 PST 1997
>Number: 297
>Category: mod_proxy
>Synopsis: Allow/Deny proxy module inconsistent behavior
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue Apr 1 14:50:00 1997
>Originator: jcarr@linuxppc.org
>Organization:
apache
>Release: 1.2b7
>Environment:
Linux/i386 Redhat 4.0
>Description:
The Allow and Deny part of the proxy module does not work correctly as far as I
can tell. I have used the syntax as recommended in the docs:
<Directory proxy:*>
order deny,allow
deny from all
allow from 128.104.30.130 128.104.20.10
</Directory>
But, this does not work correctly. It does deny everyone to things like
GET http://www.linux.org/
or
GET http://www.ssc.org/
But allows everyone access to:
GET http://www.linux.org/index.html
or
GET http://www.linux.org/help/index.html
Basically, it lets everyone through if the URL they request doesn't end with /
>How-To-Repeat:
Just set up apache as a proxy and try to limit access.
>Fix:
I tried to dig through the code but no luck yet. This is a big security hole
for anyone running apache as a proxy.
Maybe my <Directory proxy:*> syntax is wrong in the access.conf file?
>Audit-Trail:
>Unformatted:
Re: mod_proxy/297: Allow/Deny proxy module inconsistent behavior
Posted by Chuck Murcko <ch...@topsail.org>.
Hi Jeff. This *does* work:
<Directory proxy:*>
<Limit GET>
order deny,allow
deny from all
allow from 128.104.30.130 128.104.20.10
</Limit>
</Directory>
--
chuck
Chuck Murcko
The Topsail Group, West Chester PA USA
chuck@topsail.org
Re: mod_proxy/297: Allow/Deny proxy module inconsistent behavior
Posted by Chuck Murcko <ch...@topsail.org>.
It sure is. I'm working on this for the next beta, due out within a
week.
Thanks for using Apache.
--
chuck
Chuck Murcko
The Topsail Group, West Chester PA USA
chuck@topsail.org
Re: mod_proxy/297: Allow/Deny proxy module inconsistent behavior
Posted by Chuck Murcko <ch...@topsail.org>.
Hi Jeff. Sorry, this was a typo in the docs. In your case, changing to
<Directory proxy:*>
<Limit>
order deny,allow
deny from all
allow from 128.104.30.130 128.104.20.10
</Limit>
</Directory>
will cause things to work as you expected.
--
chuck
Chuck Murcko
The Topsail Group, West Chester PA USA
chuck@topsail.org
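The Order/Deny/Allow policy discussed in this thread, evaluated by a small model of the Apache 1.x mod_access decision rules (an added example written for this page, not Apache's own code). It assumes the documented semantics: with "deny,allow" the Deny rules are checked first, Allow overrides them and the default is allow; with "allow,deny" it is the reverse and the default is deny. The host patterns, the 10.0.0.5 outsider address and the WRONG_ORDER_POLICY variant are constructed for illustration; the two 128.104.x.x addresses are the ones from the report.

```python
import ipaddress

# Added example (not Apache's code): a model of how Apache 1.x mod_access
# evaluates "Order", "Deny from" and "Allow from". Host patterns handled:
# "all", a full IPv4 address, a partial dotted prefix of 1 to 3 octets
# (e.g. "128.104.30"), and network/bits CIDR notation.

def host_matches(pattern, client_ip):
    if pattern == "all":
        return True
    if "/" in pattern:  # network/bits form
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern == client_ip:
        return True
    # Partial address: matches whole octets only, so "128.104.3" must not
    # match 128.104.30.x.
    return pattern.count(".") < 3 and client_ip.startswith(pattern + ".")

def access_allowed(policy, client_ip):
    """policy = {"order": "deny,allow"|"allow,deny", "deny": [...], "allow": [...]}"""
    denied = any(host_matches(p, client_ip) for p in policy["deny"])
    allowed = any(host_matches(p, client_ip) for p in policy["allow"])
    order = policy["order"].replace(" ", "").lower()
    if order == "deny,allow":
        # Deny rules first, then Allow; a client matching no Deny rule or
        # matching an Allow rule gets in.
        return allowed or not denied
    if order == "allow,deny":
        # Allow rules first, then Deny; a client matching no Allow rule or
        # matching a Deny rule is refused.
        return allowed and not denied
    raise ValueError("unknown Order value: %r" % policy["order"])

# The policy from the bug report: deny everyone, then re-allow two hosts.
PROXY_POLICY = {
    "order": "deny,allow",
    "deny": ["all"],
    "allow": ["128.104.30.130", "128.104.20.10"],
}

# Constructed variant: the same rules under the other Order. "deny from all"
# is then evaluated last and nobody, not even the listed hosts, gets through.
WRONG_ORDER_POLICY = dict(PROXY_POLICY, order="allow,deny")

if __name__ == "__main__":
    for ip in ("128.104.30.130", "128.104.20.10", "10.0.0.5"):
        print(ip, access_allowed(PROXY_POLICY, ip), access_allowed(WRONG_ORDER_POLICY, ip))
```

The model decides on client address alone; the behaviour Jeff reports (the verdict changing with the requested URL) is exactly what a correct evaluation must never do, which is what makes checking both the `/` and `/index.html` forms through the proxy a useful regression test after applying the `<Limit>` fix.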