Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/12/16 05:30:45 UTC

[Bug 55887] New: In Windows apache, when user access to /con, apache returns 403 instead of 404(not found)

https://issues.apache.org/bugzilla/show_bug.cgi?id=55887

            Bug ID: 55887
           Summary: In Windows apache, when user access to /con, apache
                    returns 403 instead of 404(not found)
           Product: Apache httpd-2
           Version: 2.4.7
          Hardware: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: Core
          Assignee: bugs@httpd.apache.org
          Reporter: anoooon@riseup.net

https://github.com/SpiderLabs/ModSecurity/issues/616
http://security.stackexchange.com/questions/47002/why-these-2-regexp-wont-work-as-expected-in-mod-security2

How to test:
1. Set up an environment: Windows and Apache.
2. Access: https://127.0.0.1/con

Returned result:
Apache returns 403.
It writes "doesn't point to a file or directory" to Apache's error log.

If an admin makes a .htaccess which includes an ErrorDocument statement,
Apache ignores it. (It doesn't show the ErrorDocument page.)

Example:
/ (root of htdocs)
/.htaccess (*)
/index.html

(*)
-------------------
ErrorDocument 403 /error.template.php
ErrorDocument 401 /error.template.php

<files "error.template.php">
Require all granted
</files>
-------------------

Expected result:
Apache should return HTTP 404.

---
Also, an attacker can determine whether the web server's OS is Windows or not
by accessing /con.
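
Added example, not part of the original report or of Apache httpd: a log check for the /con request described above, generalized to the full set of Windows reserved device names so an operator can spot such requests in an access log. The sample log lines, client addresses and the names reserved_segment and find_probes are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Windows reserved device names per Microsoft's file-naming rules.
# The report itself only exercises CON; the rest generalize the check.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}

# Common Log Format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def reserved_segment(target):
    """Return the first path segment that names a Windows device, else None."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    for seg in path.split("/"):
        # The names stay reserved with an extension ("AUX.png") and with
        # trailing dots or spaces ("nul."), so compare only the base name.
        base = seg.split(".", 1)[0].rstrip(" ").upper()
        if base in RESERVED:
            return seg
    return None


def find_probes(lines):
    """Return (client, target, status) for requests touching a device name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and reserved_segment(m.group(3)) is not None:
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits


# Constructed sample access-log lines (not taken from the report).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Dec/2013:05:30:45 +0000] "GET /con HTTP/1.1" 403 202',
    '192.0.2.10 - - [16/Dec/2013:05:30:46 +0000] "GET /contact.html HTTP/1.1" 200 1450',
    '198.51.100.7 - - [16/Dec/2013:05:31:02 +0000] "GET /img/AUX.png HTTP/1.1" 403 202',
    '198.51.100.7 - - [16/Dec/2013:05:31:03 +0000] "GET /docs/nul%2E HTTP/1.1" 403 202',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```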
