httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49623] New: CVE-2003-1418 - all httpd versions seem to expose inode values in FileEtag
Date Tue, 20 Jul 2010 15:37:01 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49623

           Summary: CVE-2003-1418 - all httpd versions seem to expose
                    inode values in FileEtag
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: a.nurwono@f5.com


Apache seems to simply hex-encodes inodes retrieved by fstat() directly into
etags through simple encoding.

Apache 2.2.3 in httpd-2.2.3/modules/http/http_etag.c:
    next = etag_ulong_to_hex(next, (unsigned long)r->finfo.inode);

httpd-2.2.3/srclib/apr/file_io/unix/filestat.c:
    if (fstat(thefile->filedes, &info) == 0) {
...
    finfo->inode = info->st_ino;


This shows up as a security vulnerability through exposure of inode information
for files hosted by httpd:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418

An example solution to the problem was posted on OpenBSD, which is to use a
hash of the inode instead of directly presenting an encoded inode into the etag
value:

http://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch


I propose that future versions of Apache would either have FileEtag -Inode
turned on or have the inode be hashed by default.  (Preferably the original
behavior could be optional instead i.e.  FileEtag -noInodehash )

This would prevent security scanners from flagging all apache implementations
as vulnerable.

Thanks!

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message