Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/01/23 16:18:48 UTC

DO NOT REPLY [Bug 16366] New: - Apache 2.0.43 File disclosure

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16366

           Summary: Apache 2.0.43 File disclosure
           Product: Apache httpd-2.0
           Version: 2.0.43
          Platform: Other
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: bernard.margelin@vigilante.com


Hi support,

I tested and reproduced the CAN-2003-0017 vulnerability: "On Windows platforms 
Apache could be forced to serve unexpected files by appending illegal 
characters such as '<' to the request URL" fixed in 2.0.44.
I made a 2.0.43 default installation on a Win2K SP2 box. By appending "<<" at 
the end of a request, I can list and view files in a directory. Here is how I 
proceed: I first try "http://target/directory/a<<". If there is one or more 
files starting with the character "a", then I get one of these files (always the 
same but I do not know which one). If I get an error back, then I try with the 
next letter and so on until I get a file back, say "f". To get the exact 
filename, I restart the process but with 2 letters this time, 
i.e. "http://target/directory/fa<<". If a filename starts with "fa", I get it, 
otherwise I get an error. And so on until I get the filename, let's 
say "fat.html". Note that to be sure you do not miss any file in the directory, 
you need to try one character more than filename length 
("fat.htmla", "fat.htmlb"...).
Using this algorithm, I can list and view all the files in a directory. This 
goes beyond the unexpected file disclosure described in the release note of 
2.0.44 and I thought you needed to be aware of it.
I tested version 2.0.44 and as expected, it is not vulnerable.
Regards.

Bernard Margelin, Security Watch Manager at Vigilante, Toulouse
Telephone (33) 5 62 57 70 16
email bernard.margelin@vigilante.com
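
For operators still running an affected build, the request pattern described in the report is visible in the access log. The following is an added example, not part of the original report or of Apache httpd: a log check that flags clients sending '<' in the URL path and notes when later probes extend a stem that was already served. It assumes common log format; the function names, the sample lines and the inclusion of '>' are assumptions made here.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# The report names '<'; treating '>' the same way is an assumption made here.
ILLEGAL = "<>"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed access-log lines (common log format), not taken from the report.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jan/2003:16:01:02 +0000] "GET /docs/a%3C%3C HTTP/1.0" 404 287
192.0.2.10 - - [23/Jan/2003:16:01:03 +0000] "GET /docs/f<< HTTP/1.0" 200 1530
192.0.2.10 - - [23/Jan/2003:16:01:04 +0000] "GET /docs/fa<< HTTP/1.0" 200 1530
192.0.2.10 - - [23/Jan/2003:16:01:05 +0000] "GET /docs/fat.htmla<< HTTP/1.0" 404 287
198.51.100.7 - - [23/Jan/2003:16:02:00 +0000] "GET /docs/fat.html HTTP/1.0" 200 1530
198.51.100.7 - - [23/Jan/2003:16:02:09 +0000] "GET /search?q=a%3Cb HTTP/1.0" 200 812
"""

def probes(lines):
    """Yield (client, directory, stem, status) for paths containing an illegal character."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        path = unquote(urlsplit(target).path)  # drop the query string, decode %3C
        if any(c in path for c in ILLEGAL):
            directory, _, name = path.rpartition("/")
            yield client, directory + "/", name.rstrip(ILLEGAL), status

def summarize(lines, min_probes=3):
    """Group probes per client; flag clients that keep extending a served stem."""
    seen = defaultdict(list)
    for client, directory, stem, status in probes(lines):
        seen[client].append((directory, stem, status))
    report = {}
    for client, hits in seen.items():
        served = [d + s for d, s, st in hits if st == 200]
        # Enumeration signature: a probe extends a stem that was already served.
        walking = any(p.startswith(q) and len(p) > len(q)
                      for p in (d + s for d, s, _ in hits) for q in served)
        if len(hits) >= min_probes or walking:
            report[client] = {"probes": len(hits), "served": served, "walking": walking}
    return report

if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

A 200 response to a path ending in '<' means a file was served for a name the client did not fully know, so those entries in `served` are the ones to review first.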
