Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2002/08/16 19:00:06 UTC

Fwd: Re: Apache 2.0.39 directory traversal and path disclosure bug

>Date: Fri, 16 Aug 2002 11:39:04 -0500
>To: Auriemma Luigi <al...@pivx.com>
>From: "William A. Rowe, Jr." <wr...@rowe-clan.net>
>Subject: Re: Apache 2.0.39 directory traversal and path disclosure bug
>Cc: bugtraq@securityfocus.com
>
>At 12:01 PM 8/16/2002, Auriemma Luigi wrote:
>>B) CAN-2002-0661
>>----------------
>>
>>The problem is in the management of the bad chars that can be used to
>>launch some attacks, such as the directory traversal. In fact the
>>backslash char ('\' == %5c) is not checked as a bad char, so it can be
>>used for seeking the directories of systems that use it as a path
>>delimiter (Windows, Netware, OS2 and others).
>>
>>Then another problem is that the attacker can execute commands on the
>>remote host simply using the /cgi-bin/ path.
>>
>>The following are two simple examples.
>>
>>to view the file winnt\win.ini:
>>http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
>>
>>to run the wintty utility in the Apache2/bin folder:
>>http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO
>>
>>In human readable form, they mean:
>>http://127.0.0.1/error/\..\..\..\..\winnt\win.ini
>>http://127.0.0.1/cgi-bin/\..\bin\wintty.exe?-t+HELLO
>>
>>So in the first example we go down to the root path with \..\..\..\..\
>>because we are in "c:\program files\Apache Group\Apache2\error".
>>Instead in the second example we use the /cgi-bin/ path and we pass
>>arguments with "file.exe?arg1+arg2+arg3+...".
>
>Note that neither of these examples leverages the DocumentRoot
>'container', which is a protected mapping.  Both rely on Alias redirection,
>although similar behavior could be forced via mod_rewrite.  In both cases,
>the path composition followed a different course.
>
>In Auriemma's first example, a normal 'Alias' is used to bypass the
>document root, (the alias-to the error docs location), and in the second
>case, the 'ScriptAlias' is used, which also forces the cgi-script handler.
>
>In a properly secured server, the following will prevent the examples above;
>
>   <Directory />
>     Options FollowSymLinks
>     AllowOverride None
>     Order deny,allow
>     Deny from all
>   </Directory>
>
>This protection will refuse to serve any directories that are not explicitly
>permitted by their own overriding <Directory > blocks.  Of course, all
><Directory > blocks containing web content will require the following lines
>(or similar) to permit access as desired...
>
>   Order allow,deny
>   Allow from all
>
>However, ScriptAlias circumvents the Options ExecCGI, so the following
>would still work in the usual configuration;
>
>   http://127.0.0.1/cgi-bin/%5c%2e%2e%5chtdocs%5cindex.html.en
>
>which invokes htdocs\index.html.en as a script.  Not useful, certainly,
>but other more sinister purposes could be invented.
>
>As a further safety precaution, use the Alias directive in lieu of the
>ScriptAlias directive.  The following structure will close the third example
>vulnerability;
>
>   Alias /cgi-bin/ "/Path-to-Apache2/cgi-bin/"
>
>   <Directory "/Path-to-Apache2/cgi-bin/">
>     AllowOverride None
>     Options ExecCGI
>     Order allow,deny
>     Allow from all
>     SetHandler cgi-script
>   </Directory>
>
>which only enables script execution in the given directory,
>and not as a consequence of ScriptAlias translation.
>
>Finally, it may be desirable not to use the SetHandler directive, but
>instead call out each and every AddHandler cgi-script pl cgi ... and all
>other permitted cgi files or file types.
>
>A more complete report will be prepared and distributed by the Apache
>HTTP project.  Follow the project's guidance for all Win32, OS2, Netware
>and Cygwin Apache 2.0.x servers (prior to .40), and add the:
>
>   RedirectMatch 400 "\\\.\."
>
>escape in the global server context (right after the global DocumentRoot
>directive would be the safest place to assure it is the first evaluated
>RedirectMatch directive.)  Then upgrade to Apache 2.0.40 on any of
>those platforms.
>
>Bill
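
The path composition Bill describes above, as an added example that is not part of the original post or of the Apache project's code: it takes the three request shapes from the thread plus a Unix-style traversal and a benign request (all constructed here), runs them through a separator check that knows only '/', through a model of the advisory's RedirectMatch rule, and through a check that treats both separators as significant, then shows where the aliased path lands once the platform normalises it. The Alias table and the "c:/Program Files/Apache Group/Apache2" install path are assumptions standing in for a default Win32 httpd.conf; the RedirectMatch model applies the same pattern string to the percent-decoded URI.

```python
import ntpath
import posixpath
import re
from urllib.parse import unquote

# Constructed sample request URIs (not captured traffic). The first three follow
# the shapes discussed in the post; the last two are a Unix-style traversal and
# a benign request, for contrast.
SAMPLE_URIS = [
    "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini",
    "/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe",
    "/cgi-bin/%5c%2e%2e%5chtdocs%5cindex.html.en",
    "/error/../../../../etc/passwd",
    "/error/HTTP_NOT_FOUND.html.var",
]

# Hypothetical Alias/ScriptAlias table standing in for a default Win32
# httpd.conf; the install path is an assumption, as in the post.
ALIASES = {
    "/error/": "c:/Program Files/Apache Group/Apache2/error/",
    "/cgi-bin/": "c:/Program Files/Apache Group/Apache2/cgi-bin/",
}

# The same pattern string as the advisory's RedirectMatch: a literal backslash
# followed by two literal dots.
BACKSLASH_DOTDOT = re.compile(r"\\\.\.")


def slash_only_rejects(uri: str) -> bool:
    """A check that knows only '/' as a path separator: reject a '..' segment.

    This is the Unix-centric behaviour the backslash payloads slip past."""
    return ".." in unquote(uri).split("/")


def redirectmatch_rejects(uri: str) -> bool:
    """Models the advisory's RedirectMatch 400 rule on the percent-decoded URI."""
    return BACKSLASH_DOTDOT.search(unquote(uri)) is not None


def win32_rejects(uri: str) -> bool:
    """Treat both '/' and '\\' as separators when looking for '..' segments, and
    additionally refuse any backslash at all, since a request URI never needs one."""
    decoded = unquote(uri)
    return "\\" in decoded or ".." in re.split(r"[\\/]", decoded)


def _alias_target(uri: str):
    """Return (filesystem target, remainder of the URI after the alias prefix)."""
    decoded = unquote(uri)
    for prefix, target in ALIASES.items():
        if decoded.startswith(prefix):
            return target, decoded[len(prefix):]
    raise ValueError("no alias matched: " + uri)


def composed_path(uri: str, windows: bool) -> str:
    """Concatenate the alias target and the remainder, then normalise the way the
    platform's filesystem would (ntpath on Win32, posixpath elsewhere)."""
    np = ntpath if windows else posixpath
    target, rest = _alias_target(uri)
    return np.normpath(target + rest)


def escapes_alias_target(uri: str, windows: bool) -> bool:
    """True when the normalised path lands outside the aliased directory."""
    np = ntpath if windows else posixpath
    target, _ = _alias_target(uri)
    base = np.normpath(target).lower() + np.sep
    return not composed_path(uri, windows).lower().startswith(base)


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri)
        print("  slash-only check rejects :", slash_only_rejects(uri))
        print("  RedirectMatch 400 rejects:", redirectmatch_rejects(uri))
        print("  win32-aware check rejects:", win32_rejects(uri))
        print("  escapes on Win32         :", escapes_alias_target(uri, windows=True))
        print("  escapes on Unix          :", escapes_alias_target(uri, windows=False))
```

The instructive pair is the first URI: the slash-only check passes it, posixpath keeps the whole `\..\..\..\..\winnt\win.ini` tail as one component under the error directory, but ntpath resolves it to `c:\winnt\win.ini`. The RedirectMatch model catches every backslash payload here; the win32-aware check goes further and refuses any backslash, which is the stricter policy a practitioner would want on the listed platforms.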