Posted to users@httpd.apache.org by Adrian Herscu <bm...@axentra.net> on 2005/01/09 13:09:03 UTC

[users@httpd] Multiple dots in path vulnerability

Hi all,

I have a Web application that uses URLs which contain multiple 
dots, such as "/dir.ext1.ext2.extn/file.ext1.ext2.extm".

Microsoft distributes an automatic security hardening tool for 
their IIS, named IIS LockDown, and a part of the security 
hardening process includes installing a server module, named 
UrlScan, which filters out "dangerous" URLs according to a list 
of predefined patterns.

After applying their IIS LockDown, I discovered that multi-dot 
URLs are filtered out by the UrlScan module and that the Web 
application no longer works.

Here is why Microsoft considers multi-dot URLs "dangerous":
http://groups-beta.google.com/group/microsoft.public.inetserver.iis.security/browse_thread/thread/c1652ae38f5190a5/525ce7ca7322dc83?q=wadeh+allowdotinpath&_done=%2Fgroups%3Fq%3Dwadeh+allowdotinpath%26hl%3Den%26btnG%3DGoogle+Search%26&_doneTitle=Back+to+Search&&d#525ce7ca7322dc83

I am interested to know if the vulnerabilities enumerated by the 
aforementioned thread apply to the Apache HTTP Server also.

Thanks for your time,
Adrian.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Multiple dots in path vulnerability

Posted by Leif W <wa...@usa.net>.
> Adrian Herscu; 2005 January 10 Monday 12:42

Ooohhh.  *foot in mouth*

> I should emphasize that there are two types of vulnerabilities:
> 1. Parent paths, like "../" - my question was not about that.
> 2. Multi-dot URLs which do not contain parent paths - those can be 
> used to confuse the Web server about the real file type. For example: 
> "/foo.php/goo.exe" - what type of file is requested

I think I understand, specifically in this example if / is used instead 
of ? to separate request URL from the query string, and if the query 
string subsequently has a . in it followed by a recognized extension.  I 
haven't got too much of an idea how to use / instead of ? as the 
separator so not in a good position to answer.  I would guess that (with 
proper configuration) Apache knows if a foo.php file exists and it's a 
file not a directory, then to pass the goo.exe as the query string. 
Otherwise if foo.php is a directory and goo.exe exists, and if so 
configured (ExecCGI, suexec, +rx, etc), run goo.exe.

However I was just looking at something else that is perhaps equally 
relevant, but for different reasons more likely to occur in Apache. 
This is for the case where one file name (after a / and not part of a 
query string) matches multiple extensions, and within that context you 
have one or more matching mime-types and handlers for each extension. 
I'm not too sure how to test, so a good "bad config" example might be 
interesting to see, to be familiar with the error behavior and messages.

http://httpd.apache.org/docs-2.0/mod/mod_mime.html#multipleext

Leif




Re: [users@httpd] Re: Multiple dots in path vulnerability

Posted by Jeff White <jl...@earthlink.net>.

From: "Joshua Slive" 

> 
> Apache does not do this by 
> default, 

I believe there was some 
Apache Windows code that 
was added (IIRC).

> apache will not get confused 
> about the file type unless it is 
> badly misconfigured.

And this never happens!  :)

FYI

And Windows web servers, 
IIS6 and IIS7, now use the 
kernel-mode httpd object Http.sys, 
built in to all newer Windows OS 
systems, that handles these issues. 

Jeff




Re: [users@httpd] Re: Multiple dots in path vulnerability

Posted by Joshua Slive <js...@gmail.com>.
On Mon, 10 Jan 2005 19:42:02 +0200, Adrian Herscu <bm...@axentra.net> wrote:
> Leif,
> 
> Thanks for your effort.
> 
> My question was actually whether *hardened* Apache HTTP Servers
> will filter out multi-dot URLs.
> 
> I should emphasize that there are two types of vulnerabilities:
> 1. Parent paths, like "../" - my question was not about that.
> 2. Multi-dot URLs which do not contain parent paths - those
> can be used to confuse the Web server about the real file type.
> For example: "/foo.php/goo.exe" - what type of file is requested
> by this URL? According to Microsoft, if you would like to filter
> out requests for ".exe" files then this URL would be considered
> invalid by the UrlScan server module and dropped, even if it was a
> legitimate ".php" request. That is because the Web server cannot
> decide whether "foo.php" is a file or a directory without
> querying the underlying file system - so to make their lives
> easier they decided that UrlScan should filter out any multi-dot
> URL. *astards!
> 
> Do you know about a corresponding "UrlScan" module for Apache
> HTTP Servers that will filter out multi-dot URLs?

Apache does not do this by default, because there are plenty of
legitimate reasons for having multiple dots, and because apache will
not get confused about the file type unless it is badly misconfigured.
 (Apache's AddType/AddHandler/etc directives act on the actual name of
the file being served, not on the URL.)

If you want to block requests like this, you could probably do it with
mod_security - a third-party module that specializes in this sort of
URL-filtering.

Alternatively, you could just use something like
<LocationMatch \..*\.>
    # matches any request URI path containing two or more dots
    Order allow,deny
    Deny from all
</LocationMatch>
or something similar to that.

Joshua.
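The lookup Joshua describes (the handler is chosen from the file that is actually found, and whatever follows it in the URL becomes PATH_INFO) and the multiple-extension rule Leif asks about, as an added example that is not part of this thread and not httpd's own code: a small Python model of the resolution, using a hypothetical AddHandler table and a document root constructed for the demonstration. The UrlScan-style check is the same two-dots pattern as the LocationMatch above, applied to the URL text alone, so the false positive on a legitimate name like report.tar.gz shows up next to the server's real decision.

```python
"""Model of how httpd maps a URL to a file, PATH_INFO and a handler.

Added example for this thread, not code from httpd or from any poster.
It follows two documented behaviours: the segment-by-segment walk that
stops at the first regular file and leaves the rest of the URL as
PATH_INFO, and mod_mime's rule that every dotted extension of that
file's name is consulted, the rightmost recognised one winning.
HANDLERS is a hypothetical AddHandler table; the document root is
constructed on the fly for the demonstration.
"""
import os
import re
import tempfile

# Hypothetical AddHandler configuration (assumption, not httpd defaults).
HANDLERS = {".php": "php-script", ".cgi": "cgi-script", ".exe": "cgi-script"}

# A UrlScan-style "two or more dots" rule, the same pattern as
# <LocationMatch \..*\.>; it only ever sees the URL text.
MULTI_DOT = re.compile(r"\..*\.")


def resolve(docroot, url_path):
    """Return (filename, path_info) for url_path under docroot.

    Walks one segment at a time; the first regular file reached is the
    filename and whatever follows it in the URL becomes PATH_INFO.
    Parent-path segments and missing components yield (None, None).
    """
    segments = [s for s in url_path.split("/") if s]
    if ".." in segments:
        return None, None
    current = docroot
    for i, seg in enumerate(segments):
        candidate = os.path.join(current, seg)
        if os.path.isdir(candidate):
            current = candidate
            continue
        if os.path.isfile(candidate):
            rest = segments[i + 1:]
            return candidate, ("/" + "/".join(rest)) if rest else ""
        return None, None
    return current, ""  # URL named a directory; index lookup not modelled


def handler_for(filename):
    """mod_mime multiple-extension rule: scan every extension of the
    basename and keep the last one that has a handler; the rest are ignored."""
    handler = None
    for ext in os.path.basename(filename).split(".")[1:]:
        handler = HANDLERS.get("." + ext, handler)
    return handler


def classify(docroot, url_path):
    """What the server decides from the filesystem, next to what a
    text-only multi-dot filter would decide from the URL alone."""
    filename, path_info = resolve(docroot, url_path)
    return {
        "file": None if filename is None else os.path.relpath(filename, docroot),
        "path_info": path_info,
        "handler": None if filename is None else handler_for(filename),
        "dot_filter_blocks": MULTI_DOT.search(url_path) is not None,
    }


def build_sample_tree():
    """Constructed document root: foo.php is a file, bar.php a directory."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "foo.php"), "w").close()
    os.mkdir(os.path.join(root, "bar.php"))
    open(os.path.join(root, "bar.php", "goo.exe"), "w").close()
    open(os.path.join(root, "report.tar.gz"), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for url in ("/foo.php/goo.exe", "/bar.php/goo.exe",
                "/report.tar.gz", "/foo.php/../etc/passwd"):
        print(url, classify(root, url))
```

Running it shows "/foo.php/goo.exe" resolving to the file foo.php with PATH_INFO "/goo.exe" and the php handler, while the same URL under a directory bar.php resolves to goo.exe and its handler; the dot filter blocks both, and also blocks "/report.tar.gz", which maps to no handler at all. The model leaves out MultiViews, Options, suexec and the index lookup for directories, so treat it as an illustration of the lookup order, not as a replacement for testing the real configuration.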


[users@httpd] Re: Multiple dots in path vulnerability

Posted by Adrian Herscu <bm...@axentra.net>.
Leif,

Thanks for your effort.

My question was actually whether *hardened* Apache HTTP Servers 
will filter out multi-dot URLs.

I should emphasize that there are two types of vulnerabilities:
1. Parent paths, like "../" - my question was not about that.
2. Multi-dot URLs which do not contain parent paths - those 
can be used to confuse the Web server about the real file type. 
For example: "/foo.php/goo.exe" - what type of file is requested 
by this URL? According to Microsoft, if you would like to filter 
out requests for ".exe" files then this URL would be considered 
invalid by the UrlScan server module and dropped, even if it was a 
legitimate ".php" request. That is because the Web server cannot 
decide whether "foo.php" is a file or a directory without 
querying the underlying file system - so to make their lives 
easier they decided that UrlScan should filter out any multi-dot 
URL. *astards!

Do you know about a corresponding "UrlScan" module for Apache 
HTTP Servers that will filter out multi-dot URLs?

Thanks a lot,
Adrian.

Leif W wrote:
>> Adrian Herscu; 2005 January 09 Sunday 07:09
>> Hi all,
>>
>> I have a Web application that uses URLs which contain multiple dots, 
>> such as "/dir.ext1.ext2.extn/file.ext1.ext2.extm".
> 
> 
> With Apache you could use a typemap and hide the file extension from the 
> URL entirely.  It could be .html, .cfm or anything.  Based upon how you 
> configure Apache, it will handle it appropriately.  I have only a 
> rudimentary understanding of this feature, and thus can not explain it 
> further, but I can appreciate the power that it gives.
> 
>> Here is why Microsoft considers multi-dot URLs "dangerous":
> 
> 
> IMO maliciously and carefully crafted URL strings such as multi-dots or 
> double escapes are only dangerous if the authors of the web server OR 
> any library upon which the server blindly relies upon have seriously 
> screwed up their code.
> 
>> I am interested to know if the vulnerabilities enumerated by the 
>> aforementioned thread apply to the Apache HTTP Server also.
> 
> 
> I have not ever witnessed any successful directory traversal attacks 
> against Apache 2 on Linux since I have been using it, which was 
> somewhere around 2.0.3x.  However my personal test/development server is 
> not a big target.  I have seen Apache 1.3 used heavily, but it was 3 
> years ago, and we never had a successful directory traversal attack on 
> FreeBSD and Linux.
> 
> However, on Windows on my personal machine, Apache 2 relied upon some 
> insecurely written Microsoft code, about 2.5 years ago.  At the time, 
> someone I knew personally had a grudge against me and used the directory 
> traversal exploit to look at some of my files.  But after considering 
> their conscience the person in question notified me, and sure enough I 
> saw several files outside of the DocumentRoot had been served to the 
> person's IP address.  They could pick any file on the same drive as the 
> DocumentRoot, I believe, as long as the ACLs allowed.  I learned that 
> you need to more strictly control what user Apache runs as, and what 
> permissions you give to people in all your files across the entire 
> filesystem (default on Windows is read-write by Everyone).
> 
> It also reinforced my (some might say "misguided") impression that 
> Microsoft is "dangerous" because it consistently creates insecure code. 
> ;-)  But Apache has had a few vulnerabilities all of its own.  In total 
> 30 are listed on that page (see below) since Apache 2.0.37.  Most 
> vulnerabilities only affect very specific configurations.  I do not know 
> the exact cause of the problem I experienced (CAN-2002-0661), so I can't 
> point a finger at Apache devs or the non-unix platform devs.
> 
> You can read more about Apache 2 security vulnerabilities at 
> ApacheWeek.com.  I found the URL on Apache's httpd website.
> 
> http://www.apacheweek.com/features/security-20
> 
> This is the problem I experienced and described above:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661
> 
> Leif
> 
> 
> 



Re: [users@httpd] Multiple dots in path vulnerability

Posted by Leif W <wa...@usa.net>.
> Adrian Herscu; 2005 January 09 Sunday 07:09
> Hi all,
>
> I have a Web application that uses URLs which contain multiple dots, 
> such as "/dir.ext1.ext2.extn/file.ext1.ext2.extm".

With Apache you could use a typemap and hide the file extension from the 
URL entirely.  It could be .html, .cfm or anything.  Based upon how you 
configure Apache, it will handle it appropriately.  I have only a 
rudimentary understanding of this feature, and thus can not explain it 
further, but I can appreciate the power that it gives.

> Here is why Microsoft considers multi-dot URLs "dangerous":

IMO maliciously and carefully crafted URL strings such as multi-dots or 
double escapes are only dangerous if the authors of the web server OR 
any library upon which the server blindly relies upon have seriously 
screwed up their code.

> I am interested to know if the vulnerabilities enumerated by the 
> aforementioned thread apply to the Apache HTTP Server also.

I have not ever witnessed any successful directory traversal attacks 
against Apache 2 on Linux since I have been using it, which was 
somewhere around 2.0.3x.  However my personal test/development server is 
not a big target.  I have seen Apache 1.3 used heavily, but it was 3 
years ago, and we never had a successful directory traversal attack on 
FreeBSD and Linux.

However, on Windows on my personal machine, Apache 2 relied upon some 
insecurely written Microsoft code, about 2.5 years ago.  At the time, 
someone I knew personally had a grudge against me and used the directory 
traversal exploit to look at some of my files.  But after considering 
their conscience the person in question notified me, and sure enough I 
saw several files outside of the DocumentRoot had been served to the 
person's IP address.  They could pick any file on the same drive as the 
DocumentRoot, I believe, as long as the ACLs allowed.  I learned that 
you need to more strictly control what user Apache runs as, and what 
permissions you give to people in all your files across the entire 
filesystem (default on Windows is read-write by Everyone).

It also reinforced my (some might say "misguided") impression that 
Microsoft is "dangerous" because it consistently creates insecure code. 
;-)  But Apache has had a few vulnerabilities all of its own.  In total 
30 are listed on that page (see below) since Apache 2.0.37.  Most 
vulnerabilities only affect very specific configurations.  I do not know 
the exact cause of the problem I experienced (CAN-2002-0661), so I can't 
point a finger at Apache devs or the non-unix platform devs.

You can read more about Apache 2 security vulnerabilities at 
ApacheWeek.com.  I found the URL on Apache's httpd website.

http://www.apacheweek.com/features/security-20

This is the problem I experienced and described above:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661

Leif


