Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2002/08/16 19:00:06 UTC
Fwd: Re: Apache 2.0.39 directory traversal and path disclosure bug
>Date: Fri, 16 Aug 2002 11:39:04 -0500
>To: Auriemma Luigi <al...@pivx.com>
>From: "William A. Rowe, Jr." <wr...@rowe-clan.net>
>Subject: Re: Apache 2.0.39 directory traversal and path disclosure bug
>Cc: bugtraq@securityfocus.com
>
>At 12:01 PM 8/16/2002, Auriemma Luigi wrote:
>>B) CAN-2002-0661
>>----------------
>>
>>The problem is in the management of the bad chars that can be used to
>>launch some attacks, such as the directory traversal. In fact the
>>backslash char ('\' == %5c) is not checked as a bad char, so it can be
>>used for seeking the directories of systems that use it as a path
>>delimiter (Windows, Netware, OS2 and others).
>>
>>Then another problem is that the attacker can execute commands on the
>>remote host simply using the /cgi-bin/ path.
>>
>>The following are two simple examples.
>>
>>to view the file winnt\win.ini:
>>http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
>>
>>to run the wintty utility in the Apache2/bin folder:
>>http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO
>>
>>In human readable form, they mean:
>>http://127.0.0.1/error/\..\..\..\..\winnt\win.ini
>>http://127.0.0.1/cgi-bin/\..\bin\wintty.exe?-t+HELLO
>>
>>So in the first example we go down to the root path with \..\..\..\..\
>>because we are in "c:\program files\Apache Group\Apache2\error".
>>Instead in the second example we use the /cgi-bin/ path and we pass
>>arguments with "file.exe?arg1+arg2+arg3+...".
>
>Note that neither of these examples leverages the DocumentRoot
>'container', which is a protected mapping. Both rely on Alias redirection,
>although similar behavior could be forced via mod_rewrite. In both cases,
>the path composition followed a different course.
>
>In Auriemma's first example, a normal 'Alias' is used to bypass the
>document root, (the alias-to the error docs location), and in the second
>case, the 'ScriptAlias' is used, which also forces the cgi-script handler.
>
>In a properly secured server, the following will prevent the examples above;
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> Order deny,allow
> Deny from all
> </Directory>
>
>This protection will refuse to serve any directories that are not explicitly
>permitted by their own overriding <Directory > blocks. Of course, all
><Directory > blocks containing web content will require the following lines
>(or similar) to permit access as desired...
>
> Order allow,deny
> Allow from all
>
>However, ScriptAlias circumvents the Options ExecCGI, so the following
>would still work in the usual configuration;
>
> http://127.0.0.1/cgi-bin/%5c%2e%2e%5chtdocs%5cindex.html.en
>
>which invokes htdocs\index.html.en as a script. Not useful, certainly,
>but other more sinister purposes could be invented.
>
>As a further safety precaution, use the Alias directive in lieu of the
>ScriptAlias directive. The following structure will close the third example
>vulnerability;
>
> Alias /cgi-bin/ "/Path-to-Apache2/cgi-bin/"
>
> <Directory "/Path-to-Apache2/cgi-bin/">
> AllowOverride None
> Options ExecCGI
> Order allow,deny
> Allow from all
> SetHandler cgi-script
> </Directory>
>
>which only enables script execution in the given directory,
>and not as a consequence of ScriptAlias translation.
>
>Finally, it may be desirable not to use the SetHandler directive, but
>instead call out each and every AddHandler cgi-script pl cgi ... and all
>other permitted cgi files or file types.
>
>A more complete report will be prepared and distributed by the Apache
>HTTP project. Follow the project's guidance for all Win32, OS2, Netware
>and Cygwin Apache 2.0.x servers (prior to .40), and add the:
>
> RedirectMatch 400 "\\\.\."
>
>escape in the global server context (right after the global DocumentRoot
>directive would be the safest place to assure it is the first evaluated
>RedirectMatch directive.) Then upgrade to Apache 2.0.40 on any of
>those platforms.
>
>Bill
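The defect the thread describes is a separator check that only recognises '/' and so never sees the '..' components hidden behind %5c on Win32-like platforms. The following Python is an added example, not code from the httpd project or from either poster; it models the check an Alias-aware server (or a log-review script) needs, with a switch to show why the Unix-only view misses the encoded backslash variant. The function names, the `alias_prefix` argument and the access-log lines are constructed for the example; the request paths are the ones quoted in the thread.

```python
"""Alias-relative traversal check that treats backslash as a separator.

Added example (not httpd code). A request is judged against the directory
its Alias maps it to, not against the server root, because an Alias such as
/error/ or /cgi-bin/ already points outside DocumentRoot.
"""
import re
from urllib.parse import unquote

# Common Log Format request field: "GET /path HTTP/1.1"
LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')

# Aliases a default Win32 httpd 2.0 layout carries (assumed for the example).
ALIASES = ("/error/", "/cgi-bin/", "/icons/")


def split_segments(path, backslash_is_separator):
    """Percent-decode, then split into directory segments.

    On Windows, NetWare and OS/2 a backslash is a separator too, so it is
    folded into '/' before splitting; on Unix it is an ordinary filename
    character and is left alone. Empty and '.' segments are dropped.
    """
    decoded = unquote(path)
    if backslash_is_separator:
        decoded = decoded.replace("\\", "/")
    return [s for s in decoded.split("/") if s not in ("", ".")]


def escapes_alias(request_path, alias_prefix, backslash_is_separator=True):
    """Return True when the part of request_path after alias_prefix climbs
    above the aliased directory.

    Walks the decoded segments with a depth counter; the first '..' that
    would push the depth below zero has left the Alias target.
    """
    if not request_path.startswith(alias_prefix):
        return False  # this alias does not apply to the request
    depth = 0
    for seg in split_segments(request_path[len(alias_prefix):],
                              backslash_is_separator):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def flag_traversal(log_lines, aliases=ALIASES, backslash_is_separator=True):
    """Return (request_path, alias) for every log entry whose request path
    escapes one of the aliased directories. The query string is ignored
    because the path mapping happens before it is consulted."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]
        for alias in aliases:
            if escapes_alias(path, alias, backslash_is_separator):
                hits.append((path, alias))
                break
    return hits


# Constructed access-log sample: two benign requests and the two request
# paths quoted in the thread.
SAMPLE_LOG = [
    '127.0.0.1 - - [16/Aug/2002:12:01:00 -0500] '
    '"GET /error/HTTP_NOT_FOUND.html.var HTTP/1.1" 200 1234',
    '127.0.0.1 - - [16/Aug/2002:12:01:01 -0500] '
    '"GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.1" 200 512',
    '127.0.0.1 - - [16/Aug/2002:12:01:02 -0500] '
    '"GET /cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO HTTP/1.1" 200 80',
    '127.0.0.1 - - [16/Aug/2002:12:01:03 -0500] '
    '"GET /icons/apache_pb.gif HTTP/1.1" 200 2326',
]

if __name__ == "__main__":
    for path, alias in flag_traversal(SAMPLE_LOG):
        print("escapes", alias, "->", path)
    # The same lines checked with Unix separator rules flag nothing, which
    # is exactly the gap the 2.0.39 Win32/OS2/NetWare builds had.
    print("unix-rule hits:", len(flag_traversal(SAMPLE_LOG, backslash_is_separator=False)))
```

Run with `backslash_is_separator=False` the checker reports no hits on the same lines, which is the miss the thread is about. The depth counter is what makes the /cgi-bin/ case visible: measured against the server root that request never climbs out, it only leaves the ScriptAlias directory. A `RedirectMatch 400 "\\\.\."` in the global context, as the post recommends, rejects the request before any of this mapping runs.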