Posted to apache-bugdb@apache.org by Andreas Heilwagen <ho...@netguru.org> on 1998/03/09 19:14:03 UTC

config/1927: Get full access to apache installation path by misusing https

>Number:         1927
>Category:       config
>Synopsis:       Get full access to apache installation path by misusing https
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Mar  9 10:20:01 PST 1998
>Last-Modified:
>Originator:     hostmaster@netguru.org
>Organization:
apache
>Release:        1.2.5
>Environment:
Linux 2.0.3x, gcc 2.7.1
>Description:
Here is a copy of my previous mail:

> Hello,
> 
> after checking the apache Bug database plus ftp server and remembering 
> the past mails on BugTraq I couldn't find information on the following
> problem:
> 
>   Setup  : apache 1.2.5, linux 2.0.x, Intel, SSLeay 0.8.0, PGSQL 6.2.1,
>            php-1.2b12
> 
>   Config : About 80 virtual webservers (http only, eth0 aliased) and
>            five https servers configured
> 
>   Problem: https://www.<domain only configured for http>.<tld>
>            reveals the installation path of apache as configured
>            in httpd.h if there's no index.html or something which
>            stops people from reading the directory structure.
> 
>   Hint   : The installation directory was not mentioned in any
>            config file except some sub directories (they are not
>            interesting here).
>   
>   Conclusion: Just use https if support is available for any domain
>               which does not use https and get configs and probably
>               password stuff.
> 
> I cannot believe that this problem has not been found before, so
> I would like to know if you can reproduce this problem or if I
> have simply missed some information. I don't think that I misconfigured
> apache. I can provide more details if they are not published anywhere.
> The information in this mail can be published if needed.
> 
> Bye,
>   Andreas Heilwagen.
>How-To-Repeat:
I cannot tell any URLs for security reasons, but just include SSLeay into
apache 1.2.5, configure no default server, just create one virtual server
for https and another one (second IP) without https. If you ask for the second
domain using https you should get access to the install path. If you have
problems repeating this problem, I can set up a server and give you access
through my firewall.
>Fix:
Just update the install procedure to include an index.html file with some
text saying "Go away" into the installation path.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
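
The fall-through described in this report can be checked for in one's own configuration. The following is an added example, not part of the original report or of Apache's code: it lists the address:port pairs the server listens on that no `<VirtualHost>` block claims. The sample configuration, addresses and paths are constructed, and it assumes IP-based virtual hosts written with explicit `address:port` targets.

```python
import re

# Constructed sample (not from the report): two aliased addresses, listeners
# on 80 and 443, but only 192.0.2.10 has an https virtual host.
SAMPLE_CONF = """
Listen 80
Listen 443
<VirtualHost 192.0.2.10:80>
DocumentRoot /home/www/shop
</VirtualHost>
<VirtualHost 192.0.2.10:443>
DocumentRoot /home/www/shop-ssl
</VirtualHost>
<VirtualHost 192.0.2.11:80>
DocumentRoot /home/www/plain
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)\s*$", re.I | re.M)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I | re.M)


def uncovered_pairs(conf):
    """Return sorted (address, port) pairs that no <VirtualHost> block claims.

    Assumption: blocks name explicit address:port targets, and a request to
    an unclaimed pair is answered by the main server and its document root.
    """
    ports = {int(p) for p in LISTEN_RE.findall(conf)}
    claimed = set()
    for spec in VHOST_RE.findall(conf):
        for target in spec.split():
            addr, _, port = target.rpartition(":")
            if not addr or not port.isdigit():
                raise ValueError("expected address:port, got %r" % target)
            claimed.add((addr, int(port)))
    addresses = {a for a, _ in claimed if a != "_default_"}
    # A _default_:port block, where the server supports it, claims every
    # address on that port, so such ports are never reported.
    return sorted(
        (a, p) for a in addresses for p in ports
        if (a, p) not in claimed and ("_default_", p) not in claimed
    )


if __name__ == "__main__":
    for addr, port in uncovered_pairs(SAMPLE_CONF):
        print("no virtual host claims %s:%d" % (addr, port))
```

Each reported pair is a place where an https request for an http-only domain would be served from whatever document root the main server has, so it needs either its own virtual host or a main-server document root that exposes nothing.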