httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: [linux-security] Security Hole. Appache. (fwd)
Date Thu, 04 Sep 1997 09:32:02 GMT
On Thu, 4 Sep 1997, Dirk.vanGulik wrote:

> Flush, blush ; I knew this; there is even some old patch for pre 1 ?
> which gave a protocol error :-( It came in after the limit extension.

But it isn't a bug, and the script is doing exactly what they told it to.
It is obviously not checking the method correctly, so even something like
PUT would probably behave the same.  Since the method, by definition, is
case sensitive and passing unknown methods to CGI scripts is done on
purpose, this comes down to two things:

	- the user is using Limit directives for no reason
	- the user's script is not properly checking the method it is
	  called with

> 
> Dw.
> 
> 
> > Sorry! Unknown (for me) behaviour of Apache was discovered. Suddenly.
> > 
> > Configuration detail:
> > Linux:  2.0.30
> > Apache: 1.x.x
> > 
> > srm.conf:
> >         ...
> >         Action text/html /cgi-bin/exefile
> >         ...
> > 
> > /www-root/sec-dir/.htaccess:
> >         AuthType        Basic
> >         AuthName        authname
> >         AuthUserFile /itc/passwd
> >         <LIMIT GET POST>
> >         require valid-user
> >         </LIMIT>
> >
> > Trying to "GET" and "get" some file from /www-root/sec-dir/ ...
> > ----------------------------------------
> > Example #1:
> > 
> > $telnet www.host 80
> > GET /sec-dir/index.html http/1.1
> > 
> > HTTP/1.1 401 Authorization Required
> > ..............
> > 
> >         It's OK!
> > -----------------------------------------
> > Example #2:
> > 
> > $telnet www.host 80
> > get /sec-dir/index.html http/1.1
> > 
> > HTTP/1.1 200 OK
> > ...........
> > 
> >         It's quite OK for browser which doesn't know lower case "get".
> > -----------------------------------------
> > 
> > This feature disappears if you comment 'Action' or '<LIMIT>' lines.
> > 
> >         Sorry again! Kir.
> > 
> > 
> > 
> 
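
An added example (not part of the thread, and not Apache's own code): a small Python audit that reads an .htaccess like the one quoted in the report and shows which request methods a `require` actually covers when it is wrapped in `<Limit>`. The function names and probe list are assumptions, the sample file is constructed from the quoted configuration, and the GET-also-covers-HEAD rule follows Apache's documented `<Limit>` behaviour.

```python
import re

# Constructed sample mirroring the .htaccess quoted in the report above.
SAMPLE_HTACCESS = """\
AuthType        Basic
AuthName        authname
AuthUserFile /itc/passwd
<LIMIT GET POST>
require valid-user
</LIMIT>
"""

# Directive names are case-insensitive; method tokens are compared exactly.
LIMIT_OPEN = re.compile(r"^<Limit\s+([^>]*)>$", re.IGNORECASE)
LIMIT_CLOSE = re.compile(r"^</Limit>$", re.IGNORECASE)
REQUIRE = re.compile(r"^require\s+(.+)$", re.IGNORECASE)


def find_requires(config_text):
    """Return (line_no, scope, requirement); scope None means all methods."""
    findings, scope = [], None
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        opened = LIMIT_OPEN.match(line)
        if opened:
            scope = set(opened.group(1).split())
            if "GET" in scope:
                scope.add("HEAD")  # limiting GET also limits HEAD
        elif LIMIT_CLOSE.match(line):
            scope = None
        else:
            req = REQUIRE.match(line)
            if req:
                findings.append((line_no, scope, req.group(1)))
    return findings


def auth_enforced(method, findings):
    """True if some require applies to this exact (case-sensitive) method."""
    return any(scope is None or method in scope for _, scope, _ in findings)


def report(config_text, probes=("GET", "POST", "get", "PUT")):
    """Map each probed method token to whether a require covers it."""
    findings = find_requires(config_text)
    return {method: auth_enforced(method, findings) for method in probes}


if __name__ == "__main__":
    for method, enforced in report(SAMPLE_HTACCESS).items():
        print(f"{method:5} {'auth required' if enforced else 'not covered by <Limit>'}")
```

With the `<LIMIT>` and `</LIMIT>` lines removed from the sample, the same `require` has no method scope and every probed method reports as covered.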

