httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: [Fwd: Apache Security Problem]
Date Mon, 08 Apr 1996 21:32:04 GMT
> 
> On Mon, 08 Apr 1996 11:36:26 -0600 you wrote:
> 
> >I am running the OS/2 port of Apache 1.0.1, and there is a security hole in
> >it.  A friend of mine tried to access http://my.server/cgi-bin/, and it 
> >gave him a Forbidden - you do not have permission to access /cgi-bin/ on
> >this server, which I believe is what it should have done.  Then he tried to
> >access http://my.server/.\cgi-bin\/, and it gave him a directory listing of
> >/cgi-bin/!  He then was able to read all of the files in that directory.
> >I tried to create an index.html file in the cgi-bin directory, and that
> >fixed the problem for that directory.  However, I then attempted to access
> >http://my.server/.\..\/ and it also gave the directory listing!  I was able
> >to access ALL of the files on my hard drive!!!  This is a serious security
> >flaw, and I'm wondering if there is any way to fix it.  Has this been fixed
> >in 1.0.2 or 1.0.3?
> 
> Does anyone know of a reason why all occurances of "..\" in a URL can't be
> translated to "../"? The security hole is caused by the fact that "..\" under
> OS/2 is equivalent to "../" under UNIX. If I translate them and let Apache do
> its regulary testing the proper response will be returned.
> 
> BTW http://my.server/.\cgi-bin\/ will not work, but
> http://my.server/..\cgi-bin\/ will.

Whilst it is highly unlikely that anyone would be daft enough to create a
directory called "..\a" under Unix, it is perfectly legal. I would strongly
suggest that you take whatever action you deem appropriate for OS/2 and
restrict it to OS/2 only.

Cheers,

Ben.

> 
> 
> Garey Smiley
> SoftLink Services
> garey@slink.com
> http://www.slink.com/
> (216)848-1312 FAX/Data(216)699-4474

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.

Mime
View raw message