Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/01/23 16:18:48 UTC
DO NOT REPLY [Bug 16366] New: - Apache 2.0.43 File disclosure
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16366
Summary: Apache 2.0.43 File disclosure
Product: Apache httpd-2.0
Version: 2.0.43
Platform: Other
OS/Version: Windows NT/2K
Status: NEW
Severity: Normal
Priority: Other
Component: Core
AssignedTo: bugs@httpd.apache.org
ReportedBy: bernard.margelin@vigilante.com
Hi support,
I tested and reproduced the CAN-2003-0017 vulnerability: "On Windows platforms
Apache could be forced to serve unexpected files by appending illegal
characters such as '<' to the request URL" fixed in 2.0.44.
I made a 2.0.43 default installation on a Win2K SP2 box. By appending "<<" at
the end of a request, I can list and view files on a directory. Here is how I
proceed: I first try "http://target/directory/a<<". If there are one or more
files starting with the character "a", then I get one of these files (always the
same but I do not know which one). If I get an error back, then I try with the
next letter and so on until I get a file back, say "f". To get the exact
filename, I restart the process but with 2 letters this time,
i.e. "http://target/directory/fa<<". If a filename starts with "fa", I get it,
otherwise I get an error. And so on until I get the filename, let's
say "fat.html". Note that to be sure you do not miss any file in the directory,
you need to try one character more than the filename length
("fat.htmla", "fat.htmlb"...).
Using this algorithm, I can list and view all the files in a directory. This
goes beyond the unexpected file disclosure described in the release note of
2.0.44 and I thought you needed to be aware of it.
I tested version 2.0.44 and as expected, it is not vulnerable.
Regards.
Bernard Margelin, Security Watch Manager at Vigilante, Toulouse
Telephone (33) 5 62 57 70 16
email bernard.margelin@vigilante.com
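
For administrators checking whether a 2.0.43 Windows host saw the request pattern described in this report, the following is an added example (not part of the original report and not Apache project code) that scans access-log lines for paths ending in "<" and groups them by client and directory. It assumes Common Log Format; the sample lines, addresses, the 404 error status and the `min_probes` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" (\d{3}) ')
SUSPECT_TAIL = "<"  # the character named in the report; extend if needed

def parse_probe(line):
    """Return (client, directory, prefix, status) if the path ends in '<', else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    path = unquote(target.split("?", 1)[0])  # decoding also catches %3C
    stripped = path.rstrip(SUSPECT_TAIL)
    if stripped == path:
        return None  # no trailing '<': ordinary request
    directory, _, prefix = stripped.rpartition("/")
    return client, directory + "/", prefix, status

def find_enumeration(lines, min_probes=5):
    """Group probes by (client, directory); keep groups at or above the threshold."""
    groups = defaultdict(lambda: {"probes": 0, "served": []})
    for line in lines:
        probe = parse_probe(line)
        if probe is None:
            continue
        client, directory, prefix, status = probe
        g = groups[(client, directory)]
        g["probes"] += 1
        if status == 200:  # a file was actually returned for this prefix
            g["served"].append(prefix)
    return {k: v for k, v in groups.items() if v["probes"] >= min_probes}

def clf_line(client, target, status):  # builds one constructed sample line
    return f'{client} - - [23/Jan/2003:16:00:00 +0000] "GET {target} HTTP/1.0" {status} 512'

# Constructed sample log: one client probing a directory, one ordinary client.
SAMPLE_LOG = (
    [clf_line("192.0.2.10", f"/directory/{c}<<", 200 if c == "f" else 404) for c in "abcdef"]
    + [clf_line("192.0.2.10", "/directory/fa%3C%3C", 200)]
    + [clf_line("198.51.100.7", "/directory/fat.html", 200),
       clf_line("198.51.100.7", "/search?q=a<b", 200)]
)

if __name__ == "__main__":
    for (client, directory), g in find_enumeration(SAMPLE_LOG).items():
        print(client, directory, g["probes"], "probes; served prefixes:", g["served"])
```

Any prefix listed under "served" marks a response where a file was returned for a request ending in "<", which is the disclosure condition fixed in 2.0.44.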