httpd-dev mailing list archives

From "Dirk.vanGulik" <Dirk.vanGu...@jrc.it>
Subject Re: [linux-security] Security Hole. Appache. (fwd)
Date Thu, 04 Sep 1997 13:58:38 GMT
> On Thu, 4 Sep 1997, Dirk.vanGulik wrote:
> 
> > Flush, blush ; I knew this; there is even some old patch for pre 1 ?
> > which gave a protocol error :-( It came in after the limit extension.
> 
> But it isn't a bug, and the script is doing exactly what they told it to.

Hmm, I'd strongly argue the case that anything other than PUT/GET/POST/HEAD
etc in exactly that case; should be flagged as a protocol error (especially
as the request comes in with HTTP/1.0 and HTTP/1.1; so it should stick
to that); though I have to admit that I locally do use INFO and META for
just that extra dimension.

Still I can see your point too.

> It is obviously not checking the method correctly, so even something like
> PUT would probably behave the same.  Since the method, by definition, is
> case sensitive and passing unknown methods to CGI scripts is done on
> purpose, this comes down to two things:
> 
> 	- the user is using Limit directives for no reason
> 	- the user's script is not properly checking the method it is
> 	  called with
> 
> > 
> > Dw.
> > 
> > 
> > > Sorry! Unknown (for me) behaviour of Apache was discovered. Suddenly.
> > > 
> > > Configuration detail:
> > > Linux:  2.0.30
> > > Apache: 1.x.x
> > > 
> > > srm.conf:
> > >         ...
> > >         Action text/html /cgi-bin/exefile
> > >         ...
> > > 
> > > /www-root/sec-dir/.htaccess:
> > >         AuthType        Basic
> > >         AuthName        authname
> > >         AuthUserFile /itc/passwd
> > >         <LIMIT GET POST>
> > >         require valid-user
> > >         </LIMIT>
> > > 
> > > 
> > > 
> > > 
> > > 
> > > Trying to "GET" and "get" some file from /www-root/sec-dir/ ...
> > > ----------------------------------------
> > > Example #1:
> > > 
> > > $telnet www.host 80
> > > GET /sec-dir/index.html http/1.1
> > > 
> > > HTTP/1.1 401 Authorization Required
> > > ..............
> > > 
> > >         It's OK!
> > > -----------------------------------------
> > > Example #2:
> > > 
> > > $telnet www.host 80
> > > get /sec-dir/index.html http/1.1
> > > 
> > > HTTP/1.1 200 OK
> > > ...........
> > > 
> > >         It's quite OK for browser which doesn't know lower case "get".
> > > -----------------------------------------
> > > 
> > > This feature disappears if you comment 'Action' or '<LIMIT>' lines.
> > > 
> > >         Sorry again! Kir.
> > > 
> > > 
> > > 
> > 
> 
> 
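
The script-side check discussed in this thread, as an added example that is not part of the original messages or of Apache: a Python CGI handler standing in for /cgi-bin/exefile that matches the method exactly and refuses protected paths when the server did not authenticate the request. PROTECTED_DIRS and the function names are assumptions, as is reading the requested document from PATH_INFO.

```python
#!/usr/bin/env python3
"""Method and auth guard for a CGI handler reached through an Action directive."""
import os
import posixpath

# HTTP methods are case-sensitive: "get" is a different, unknown method.
ALLOWED_METHODS = ("GET", "HEAD", "POST")
# Assumption: directories whose .htaccess requires a valid user.
PROTECTED_DIRS = ("/sec-dir",)


def canonical(path):
    """Collapse '//', '.' and '..' so the prefix test sees one spelling."""
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected(path):
    p = canonical(path)
    return any(p == d or p.startswith(d + "/") for d in PROTECTED_DIRS)


def check_request(environ):
    """Return (code, phrase); 200 means the handler may serve the document."""
    method = environ.get("REQUEST_METHOD", "")
    if method not in ALLOWED_METHODS:  # exact, case-sensitive match
        return 405, "Method Not Allowed"
    # REMOTE_USER is only set when the server authenticated the request,
    # so its absence on a protected path means the require was skipped.
    if is_protected(environ.get("PATH_INFO", "")) and not environ.get("REMOTE_USER"):
        return 403, "Forbidden"
    return 200, "OK"


def main():
    code, phrase = check_request(os.environ)
    print("Status: %d %s" % (code, phrase))
    if code == 405:
        print("Allow: " + ", ".join(ALLOWED_METHODS))
    print("Content-Type: text/plain")
    print()
    print(phrase if code != 200 else "request accepted")


if __name__ == "__main__":
    main()
```

On the configuration side, the report itself notes that the behaviour disappears once the <LIMIT> lines are commented out, which leaves require valid-user applying to every method.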

