Posted to apache-bugdb@apache.org by Peter Bieringer <pb...@bieringer.de> on 2001/11/25 22:41:03 UTC

general/8857: "listen <address>" without corresponding "virtual host" and also no "default virtual host" was routed to compiled-in docroot

>Number:         8857
>Category:       general
>Synopsis:       "listen <address>" without corresponding "virtual host" and also no "default virtual host" was routed to compiled-in docroot
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sun Nov 25 13:50:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     pb@bieringer.de
>Release:        1.3.14 and 2.0.28
>Organization:
apache
>Environment:
Red Hat Linux 6.2
>Description:
Looks like this is a historic behavior which can become a security hole if the Apache config is not really reviewed or properly defined.

Config: upper lines do not contain any listen or docroot

Listen 192.168.1.17:80
Listen 192.168.1.18:80
<VirtualHost 192.168.1.17:80>
    DocumentRoot /home/internet/testserver3/pub
</VirtualHost>
<VirtualHost 192.168.1.18:80>
    DocumentRoot /home/internet/testserver3/pub
</VirtualHost>

If the second virtual host is disabled, a request to 192.168.1.18:80 is routed to the compiled-in docroot (in my case "/usr/htdocs/").

Means: if someone forgot to set up a "default virtual host" but has one listen address with no corresponding "virtual host", the compiled-in configuration is used.
>How-To-Repeat:
See description
>Fix:
Hmm, the best way would be if any "virtual host" is active, the main will go inactive (e.g. report an error 501 on connect) and must be explicitly re-enabled as "default virtual host". Unfortunately, this breaks many examples and rolled-out configurations.
>Release-Note:
>Audit-Trail:
>Unformatted:
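
A configuration check for the condition described in this report, added here as an example and not part of the original report or of Apache: it lists every Listen endpoint that no <VirtualHost> address covers, so the fall-through to the main server's docroot is caught at review time. It assumes a single file with no Include directives, literal IP addresses rather than hostnames, and that both _default_ and * act as catch-all addresses; the function names are illustrative.

```python
import re

# Constructed sample: the report's configuration with the second vhost disabled.
SAMPLE = """\
Listen 192.168.1.17:80
Listen 192.168.1.18:80
<VirtualHost 192.168.1.17:80>
    DocumentRoot /home/internet/testserver3/pub
</VirtualHost>
#<VirtualHost 192.168.1.18:80>
#    DocumentRoot /home/internet/testserver3/pub
#</VirtualHost>
"""

WILDCARDS = {"_default_", "*"}  # assumption: both act as a catch-all address


def split_addr(spec):
    """Split 'ip', 'ip:port', '[v6]:port' or a bare port into (host, port)."""
    if spec.isdigit():  # "Listen 80" binds every address
        return "*", spec
    m = re.fullmatch(r"(\[[^\]]+\]|[^:\[\]]+)(?::(\d+|\*))?", spec)
    if not m:
        raise ValueError(f"unrecognised address: {spec!r}")
    return m.group(1), m.group(2) or "*"


def uncovered_listeners(conf):
    """Return Listen endpoints that no <VirtualHost> address matches."""
    listens, vhosts = [], []
    for line in (raw.strip() for raw in conf.splitlines()):
        if line.startswith("#"):  # disabled (commented-out) directives do not count
            continue
        if m := re.match(r"listen\s+(\S+)", line, re.I):
            listens.append(split_addr(m.group(1)))
        elif m := re.match(r"<virtualhost\s+([^>]+)>", line, re.I):
            vhosts += [split_addr(a) for a in m.group(1).split()]

    def covered(host, port):
        return any((vh in WILDCARDS or vh == host) and vp in ("*", port)
                   for vh, vp in vhosts)

    return [f"{h}:{p}" for h, p in listens if not covered(h, p)]


if __name__ == "__main__":
    for endpoint in uncovered_listeners(SAMPLE):
        print(f"{endpoint}: falls through to the main server's DocumentRoot")
```

An empty result means every listening address is claimed by a virtual host or by a catch-all; anything listed is served from the main server configuration.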