BUG IN APACHE HTTPD SERVER (current version 2.0.47)



APACHE HTTPD SERVER (current version 2.0.47):

##########################################################

How to return files from an Apache "Deny from all" directory.

The directives controlling host access may be bypassed even
if .htaccess files have no permission to override them.

11 Jan 2004





DESCRIPTION



Apache Web Server is configured via the main httpd.conf file and via
additional configuration files placed inside the child web trees, which
may be owned by user accounts; these are named .htaccess by default.
The server administrator further controls which directives may be
placed in .htaccess files by configuring the AllowOverride directive
in the main httpd.conf file.

If the server admin sets "Deny from all" on a directory (for example)
and does not allow the user accounts to override this directive in
their .htaccess file, by setting AllowOverride values that do not
include the Limit type, his/her users are still able to bypass the
Deny by using the ErrorDocument directive.

Tested in Apache 2.0.47/RH-Linux/WinXP.





EXAMPLE



##########################################################
# In the main httpd.conf file:
#

    AllowOverride FileInfo
    Deny From All

##########################################################

##########################################################
# In the user's .htaccess file placed in a child directory:

ErrorDocument 403 /child/dir/fetch.php

##########################################################

/********************************************************/

/********************************************************/





In this example, it is assumed that the web server can execute PHP
scripts, or some other scripts/server-side includes. By modifying the
code you can return other MIME file types such as image/gif, etc.

Even if the server does not allow any file in the directory to be
served ("Deny from all"), the script file fetch.php will still be
executed; it in turn includes and parses any other file in the same
directory, as indicated by the query variables, and returns it to the
web client.
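The three conditions the advisory relies on (a tree denied to everyone, an AllowOverride that grants the FileInfo group so .htaccess may set ErrorDocument, and a 403 handler that points back into the denied tree) can be checked from the configuration alone. The following is an added example for auditing a server for that combination; it is not code from the advisory or from the Apache project. The <Directory> paths, the document root /var/www/html and the .htaccess contents are constructed sample values, and the "fixed" configuration shows the configuration-level mitigation that follows from the description above: do not grant FileInfo (or All) overrides inside a denied tree.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the relevant part of a main httpd.conf (weak: FileInfo
# overrides are granted inside a tree that is denied to everyone).
HTTPD_CONF_WEAK = """
<Directory "/var/www/html/child">
    AllowOverride FileInfo
    Deny from all
</Directory>
"""

# Constructed corrected version: no overrides at all in the denied tree, so a
# .htaccess file there cannot install an ErrorDocument handler.
HTTPD_CONF_FIXED = """
<Directory "/var/www/html/child">
    AllowOverride None
    Deny from all
</Directory>
"""

# Constructed .htaccess as it would sit in /var/www/html/child/dir/ (the advisory's example).
HTACCESS = "ErrorDocument 403 /child/dir/fetch.php\n"

DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s+(.*?)\s*$')
DIR_OPEN_RE = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.I)
DIR_CLOSE_RE = re.compile(r'^\s*</Directory>', re.I)


def parse_directory_blocks(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {directory_path: {directive_name_lower: arguments}} for each <Directory> block."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for line in conf.splitlines():
        if DIR_CLOSE_RE.match(line):
            current = None
            continue
        m = DIR_OPEN_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = {}
            continue
        m = DIRECTIVE_RE.match(line)
        if m and current is not None:
            blocks[current][m.group(1).lower()] = m.group(2)
    return blocks


def override_allows_fileinfo(allowoverride: str) -> bool:
    """ErrorDocument belongs to the FileInfo override group; 'All' includes that group."""
    tokens = {t.lower() for t in allowoverride.split()}
    return "all" in tokens or "fileinfo" in tokens


def parse_error_documents(htaccess: str) -> List[Tuple[int, str]]:
    """(status, target) pairs from ErrorDocument lines in a .htaccess file."""
    out = []
    for line in htaccess.splitlines():
        m = re.match(r'^\s*ErrorDocument\s+(\d{3})\s+(\S+)', line, re.I)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def find_risky(conf: str, htaccess_by_dir: Dict[str, str], docroot: str) -> List[str]:
    """Flag directories where all three conditions hold:
    1. the directory is denied to everyone ('Deny from all'),
    2. AllowOverride lets .htaccess set FileInfo directives (ErrorDocument),
    3. a .htaccess under that directory redirects 403 to a local path that
       resolves inside the same denied tree (a simple prefix check here).
    """
    findings = []
    for path, directives in parse_directory_blocks(conf).items():
        deny = directives.get("deny", "").lower().replace("from", "").strip()
        if deny != "all":
            continue
        if not override_allows_fileinfo(directives.get("allowoverride", "None")):
            continue
        for ht_dir, content in htaccess_by_dir.items():
            if not ht_dir.startswith(path):
                continue
            for status, target in parse_error_documents(content):
                # A quoted message or an absolute URL is not served by an internal
                # redirect; only a local path starting with a single '/' is.
                if status == 403 and target.startswith("/") and not target.startswith("//"):
                    local = docroot.rstrip("/") + target
                    if local.startswith(path):
                        findings.append(f"{ht_dir}/.htaccess: ErrorDocument 403 -> {target} "
                                        f"is served from denied tree {path}")
    return findings


if __name__ == "__main__":
    sample = {"/var/www/html/child/dir": HTACCESS}
    for f in find_risky(HTTPD_CONF_WEAK, sample, "/var/www/html"):
        print("WEAK :", f)
    print("FIXED:", find_risky(HTTPD_CONF_FIXED, sample, "/var/www/html"))
```

Running the checker against a real server means feeding it the <Directory> blocks of httpd.conf and the contents of every .htaccess found under the document root; a hit means an ErrorDocument handler would be executed from a tree the main configuration denies, which is exactly the situation the advisory describes, and the remedy is to drop FileInfo (or All) from AllowOverride for that tree.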



Looking in the source code, I think the missing auth checking is in
the function ap_process_request_internal() in the file request.c.
One of the major changes in Apache 2.0 is to the internal redirect
mechanism. To prevent the code from falling out of sync again in the
current directory, the configuration comparison between the two config
directories may bypass the authentication checking again. That
explains why this vulnerability (if any?) can only be done if the
redirect ErrorDocument file is placed in the same request directory.







FIX



Do not skip the auth checker even if the per_dir_config member value
does not change in the ap_process_request_internal() function.





NOTE 



I posted this issue to the public mailing list because I think this
vuln is not exploitable by a remote attacker. If something is wrong,
drop me a line.





Vietnamese Security Group
Trung - caothuvolam - trungonly@yahoo.com
http://www.security.com.vn

31 Nui Truc st. Ba Dinh dist. Ha Noi, Vietnam
Phone : 84.4.8465701 / Fax: 84.4.8465701
