httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44161] New: - Configuration disclosure in HTTP header when using static built-in and 3rd party shared modules
Date Wed, 02 Jan 2008 12:17:53 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=44161>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=44161

           Summary: Configuration disclosure in HTTP header when using
                    static built-in and 3rd party shared modules
           Product: Apache httpd-2
           Version: 2.2.6
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: cuicui.oizo@free.fr


When apache is configured with static built-in modules (such as mod_rewrite) and
also 3rd party shared modules (such as mod_php), some parts of the httpd.conf
(and other included files) are disclosed in the "Server" part of the HTTP header.

Examples as follow, strings "<location" and "x\xb9\x1e\b":

Apache/2.2.6 (Unix) mod_ssl/2.2.6 <location DAV/2 PHP/5.2.5 mod_perl/2.0.3
Perl/v5.8.8

Apache/2.2.6 (Unix) mod_ssl/2.2.6 x\xb9\x1e\b DAV/2 PHP/5.2.5 mod_perl/2.0.3
Perl/v5.8.8

Note: the disclosed part may include commented lines from the configuration file
and seems to be lowercase (to be confirmed), sometimes it can "leak" hundred of
characters.

Note2: The disclosed part is not the same from a service reload to an another.

Note3: All configuration files are in plain ASCII format with Unix-style end of
line.

Note4: Nothing is disclosed if the 3rd party modules aren't loaded in
configuration but the presence of at least one of them is enough to have the
problem.

Prior to compilation, the configuration was the following:

./configure --enable-ldap --enable-so --with-ssl --enable-rewrite --enable-dav
--enable-dav-fs --enable-ssl --disable-cgid --disable-cgi --enable-authnz-ldap
--enable-ldap --with-ldap --enable-proxy --localstatedir=/opt/logs/apache
--prefix=/opt/apache-2.2.6

It was built on a stable Debian Etch with a 2.6.23.9 kernel.

Workaround: to avoid the problem, all modules must be built as shared instead of
static and have to be explicitly loaded in the configuration.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message