httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 49623] New: CVE-2003-1418 - all httpd versions seem to expose inode values in FileEtag
Date Tue, 20 Jul 2010 15:37:01 GMT

           Summary: CVE-2003-1418 - all httpd versions seem to expose
                    inode values in FileEtag
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core

Apache seems to simply hex-encodes inodes retrieved by fstat() directly into
etags through simple encoding.

Apache 2.2.3 in httpd-2.2.3/modules/http/http_etag.c:
    next = etag_ulong_to_hex(next, (unsigned long)r->finfo.inode);

    if (fstat(thefile->filedes, &info) == 0) {
    finfo->inode = info->st_ino;

This shows up as a security vulnerability through exposure of inode information
for files hosted by httpd:

An example solution to the problem was posted on OpenBSD, which is to use a
hash of the inode instead of directly presenting an encoded inode into the etag

I propose that future versions of Apache would either have FileEtag -Inode
turned on or have the inode be hashed by default.  (Preferably the original
behavior could be optional instead i.e.  FileEtag -noInodehash )

This would prevent security scanners from flagging all apache implementations
as vulnerable.


Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message