Vulnerability

    Apache

Affected

    Mac OS X 10.0.3 / Darwin 1.3.3, Apache 1.3.14

Description

    Stefan Arentz  found following.   This is  the the  default setup,
    out of the box, with available software updates installed.  Please
    note, this is OS X *Client*.

    Affected are those  who used Apache  on Mac OS  X Client with  the
    following conditions:

        + Documents are on a HFS+ volume
        + Directory protection is used

    The preferred  filesystem for  Mac OS  X is  Apple's HFS+ and most
    setups use it.  HFS+  is a case insensitive filesystem.   Apache's
    directory protection (and other methods that depend on  filesystem
    object names) cannot  handle this and  breaks.  For  example, both
    Directory and Location configuration options break.

    This is a real security risk because most people do not know this.
    It can easily be used to bypass protected directories.

    Consider the following file:

        /Library/WebServer/Documents/test/index.html

    And the following configuration:

        <Location /test>
          Order deny,allow
          Deny from all
        </Location>

    Or, using a Directory option:

        <Directory /Library/WebServer/Documents/test>
          Order deny,allow
          Deny from all
        </Directory>

    The following request will result in a 403 Forbidden as excpected:

        GET /test/index.html

    But the following request will happily serve the file:

        GET /TeSt/index.html

Solution

    Though it causes a bit of a performance penalty, a .htaccess  file
    in a  protected directory  will resolve  that problem.   Make sure
    that the web server directory in the config file is set to:

        AllowOverride Limit AuthConfig

    Or

        AllowOverride All

    Then         in         the          protected          directory,
    /Library/WebServer/Documents/test, add a .htaccess file containing:

        Order deny,allow
        Deny from all

    Of course, upon  further reflection, the  following also needs  to
    be added to the httpd.conf file:

        <Files ~ "^\.(ht|HT|Ht|hT)">
            Order allow,deny
            Deny from all
        </Files>

    To prevent users from viewing the encrypted form of your  password
    by passing a request like:

        http://somesever/somedir/.Htaccess

    The above is untested but it should work.

    Using UFS solves this problem because it is case sensitive and  it
    behaves  as  expected.   Also,  Mac  OS  X  Server  ships  with  a
    mod_hfs_apple.so Apache module that solves this problem.  However,
    the module  is only  available as  part of  OS X  Server, and  not
    available as source or part of the Apache distribution.

    Modification to  Apache so  that it  does a  check for  the 'real'
    filename.  This  probably needs some  support from the  underlying
    operating system.

    Or Apple should submit their  HFS+ patches to the Apache  Software
    Foundation or install the mod_hfs_apple.so module on OS X Client.