Posted to dev@httpd.apache.org by Volker <gm...@schwicking.de> on 2010/06/11 14:39:02 UTC

server-status-handler information leak

Hi,

while playing around with handlers, I noticed that any user can
register the 'server-status' handler by putting


SetHandler server-status


in an htaccess file. This cannot be prevented by using alternating
AllowOverride directives, since 'SetHandler' is part of 'FileInfo' which
also holds ErrorDocuments, mod_rewrite, etc.

Since the server-status handler offers information one might not want
others to have access to (for example a massive shared hosting
environment), I created a small patch that enables a custom handlername
for the server-status module. Just thought someone else might have use
for it.

What this patch does:
- reserves memory for directive with parameter (AP_INIT_TAKE1)
- adds a function for creating config-records (create_modstatus_config)
- adds a function to set the handlername (set_serverstatus_handler_name)

If the handlername is not set using the directive, it defaults to the
old 'server-status' and continues to work with the old setting.

How to test:

1. build and install the module with apxs2
2. create a new directive like the following in the root-configuration
of the server

ServerStatusHandlerName statusteststring

3. set a handler somewhere like the following:

SetHandler statusteststring

attached files:
mod_status.c - the complete module
mod_status-diff.patch - the patch with all changes made

Any comments, suggestions, improvements and/or critical comments are
welcome.

best regards

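An audit for the condition the message above describes, as an added example that is not part of the thread, the patch or httpd: it scans a document root for per-directory config files that select the server-status handler with SetHandler. The `.htaccess` file name (httpd's default AccessFileName), the function names and the sample tree are assumptions of this example; a renamed handler such as the patch's `statusteststring` is passed in via `handlers`.

```python
import os
import re
import tempfile

# Directive names are case-insensitive in httpd; the argument may be quoted.
_SETHANDLER = re.compile(r'^\s*SetHandler\s+"?([^\s"]+)"?', re.IGNORECASE)

def scan_htaccess(text, handlers=("server-status",)):
    """Return [(line_number, handler)] for SetHandler lines naming a watched handler."""
    # Handler names are compared case-insensitively so case variants get reviewed too.
    watched = {h.lower() for h in handlers}
    hits, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start if pending else n
        line = pending + raw
        if line.endswith("\\"):            # a trailing backslash continues the line
            pending = line[:-1] + " "
            continue
        pending = ""
        if line.lstrip().startswith("#"):  # comment line
            continue
        m = _SETHANDLER.match(line)
        if m and m.group(1).lower() in watched:
            hits.append((start, m.group(1)))
    return hits

def audit_tree(root, handlers=("server-status",), access_file=".htaccess"):
    """Walk a document root; return sorted (relative_path, line, handler) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if access_file in files:
            path = os.path.join(dirpath, access_file)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, name in scan_htaccess(fh.read(), handlers):
                    findings.append((os.path.relpath(path, root), line_no, name))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree: two customer directories on a shared host.
    samples = {
        "site-a": "# SetHandler server-status\nErrorDocument 404 /404.html\n",
        "site-b": "<Files status>\n  sethandler \"Server-Status\"\n</Files>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            os.makedirs(os.path.join(root, name))
            with open(os.path.join(root, name, ".htaccess"), "w") as fh:
                fh.write(body)
        print(audit_tree(root))  # only site-b is reported
```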

Re: server-status-handler information leak

Posted by Volker <gm...@schwicking.de>.
> attached files:
> mod_status.c - the complete module
> mod_status-diff.patch - the patch with all changes made

and of course, the files... :-)


Re: server-status-handler information leak

Posted by Dan Poirier <po...@pobox.com>.
On 2010-06-11 at 08:39, Volker <gm...@schwicking.de> wrote:

> Hi,
>
> while playing around with handlers, I noticed that any user can
> register the 'server-status' handler by putting
>
>
> SetHandler server-status
>
>
> in an htaccess file. This cannot be prevented by using alternating
> AllowOverride directives, since 'SetHandler' is part of 'FileInfo' which
> also holds ErrorDocuments, mod_rewrite, etc.
>
> Since the server-status handler offers information one might not want
> others to have access to (for example a massive shared hosting
> environment), I created a small patch that enables a custom handlername
> for the server-status module. Just thought someone else might have use
> for it.
>
> What this patch does:
> - reserves memory for directive with parameter (AP_INIT_TAKE1)
> - adds a function for creating config-records (create_modstatus_config)
> - adds a function to set the handlername (set_serverstatus_handler_name)
>
> If the handlername is not set using the directive, it defaults to the
> old 'server-status' and continues to work with the old setting.

...

> Any comments, suggestions, improvements and/or critical comments are
> welcome.

Thanks for the problem report and patch.  Since it doesn't seem that
anyone has responded yet (unless I missed it), I suggest that you open a
bug report and attach your patch there so it's not forgotten.

I keep thinking there ought to be a better solution for this, but I
can't think of one so far.

Dan