httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject re: [linux-security] Security Hole. Apache.
Date Thu, 04 Sep 1997 15:20:04 GMT
This was forwarded to me. 

> Forwarded message:
> > From: Kirjushka <kir@fipc.ru>
> > 
> > Sorry! Unknown (for me) behaviour of Apache was discovered. Suddenly.
> > 
> > Configuration detail:
> > Linux:  2.0.30
> > Apache: 1.x.x
> > 
> > srm.conf:
> >         ...
> >         Action text/html /cgi-bin/exefile
> >         ...
> > 
> > /www-root/sec-dir/.htaccess:
> >         AuthType        Basic
> >         AuthName        authname
> >         AuthUserFile /itc/passwd
> >         <LIMIT GET POST>
> >         require valid-user
> >         </LIMIT>
> > 
> > Trying to "GET" and "get" some file from /www-root/sec-dir/ ...
> > ----------------------------------------
> > Example #1:
> > 
> > $telnet www.host 80
> > GET /sec-dir/index.html http/1.1
> > 
> > HTTP/1.1 401 Authorization Required
> > ..............
> > 
> >         It's OK!
> > -----------------------------------------
> > Example #2:
> > 
> > $telnet www.host 80
> > get /sec-dir/index.html http/1.1
> > 
> > HTTP/1.1 200 OK
> > ...........
> > 
> >         It's quite OK for a browser which doesn't know lower case "get".

See RFC2068 section 5.1.1:

   The Method token indicates the method to be performed on the resource
   identified by the Request-URI. The method is case-sensitive.

So this is no bug. 

I'd like to take this opportunity to say that putting in <Limit> sections
is almost always the wrong thing to do.  It's unfortunate that hundreds of
examples and books include crud like <Limit GET POST> ... if you really
want to exclude all access, then you probably want to exclude it for all
methods, even those methods undefined in the standards.  So just put a
naked "require valid-user" and skip the <Limit> and </Limit>.

Furthermore I'd like to say that since the CGI is passed the
REQUEST_METHOD it is the CGI's responsibility to do the "right thing" in
this case.  By removing the Action you're just causing the default handler
to reject the request.  With the Action there you're passing control onto
your CGI which is not rejecting the invalid method "get".

Laters
Dean

> > -----------------------------------------
> > 
> > This feature disappears if you comment 'Action' or '<LIMIT>' lines.
> > 
> >         Sorry again! Kir.
> > 


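The two points Dean makes above (a `<Limit GET POST>` section only guards the method tokens it names, compared case-sensitively, whereas a naked `require` guards every method; and a CGI reached through `Action` must itself check `REQUEST_METHOD`) can be seen side by side in the following added example. It is not code from the thread or from Apache; it is a simplified model of Apache's `require` decision plus a hypothetical CGI handler, and the `ALLOWED_METHODS` set, the `exefile` stand-in and the sample environments are assumptions constructed for the illustration.

```python
"""Model of the two access-control decisions discussed in the reply above.

Added example, not code from the original thread or from Apache itself.
It models, in simplified form:
  1. how a <Limit GET POST> section applies its `require` only to the listed
     methods, compared with a naked `require` that applies to every method, and
  2. a CGI handler that inspects REQUEST_METHOD and rejects anything outside a
     strict, case-sensitive allow-list instead of serving the file.
Method tokens are compared case-sensitively, as RFC 2068 section 5.1.1 requires.
"""

from typing import Optional

# Methods the hypothetical CGI is prepared to handle (assumed set).
ALLOWED_METHODS = frozenset({"GET", "POST"})


def require_applies(method: str, limited_to: Optional[frozenset]) -> bool:
    """Return True if a `require valid-user` directive governs this request.

    `limited_to` is None for a naked `require` (applies to every method) or the
    set of method tokens named in a <Limit ...> section.  The comparison is
    case-sensitive, so "get" is a different token from "GET".
    """
    if limited_to is None:
        return True
    return method in limited_to


def authz_status(method: str, authenticated: bool,
                 limited_to: Optional[frozenset]) -> int:
    """Simplified authorization outcome: 401 if the require applies and the
    client has not authenticated, otherwise 200 (the request proceeds)."""
    if require_applies(method, limited_to) and not authenticated:
        return 401
    return 200


def cgi_handle(environ: dict) -> tuple:
    """Hardened CGI behaviour: check REQUEST_METHOD before doing any work.

    Returns (status_line, body).  Unknown or differently-cased methods get a
    501 Not Implemented rather than being treated as a GET.  `environ` is the
    CGI environment (os.environ in a real CGI script); this stands in for the
    `exefile` handler mentioned in the report.
    """
    method = environ.get("REQUEST_METHOD", "")
    if method not in ALLOWED_METHODS:
        return ("501 Not Implemented", "Method not supported\n")
    path = environ.get("PATH_TRANSLATED", "")
    # A real handler would read and render `path` here; an echo stands in.
    return ("200 OK", f"would serve {path} via {method}\n")


def demo() -> dict:
    """Run the scenarios from the thread and return the resulting statuses."""
    limit_get_post = frozenset({"GET", "POST"})
    env_lower = {"REQUEST_METHOD": "get",
                 "PATH_TRANSLATED": "/www-root/sec-dir/index.html"}
    env_upper = {"REQUEST_METHOD": "GET",
                 "PATH_TRANSLATED": "/www-root/sec-dir/index.html"}
    return {
        # Example #1 in the report: uppercase GET is named in <Limit>, so challenged.
        "limit/GET": authz_status("GET", False, limit_get_post),
        # Example #2: lowercase "get" is not a listed token, so no challenge.
        "limit/get": authz_status("get", False, limit_get_post),
        # Naked require: every method, including "get" and PUT, is challenged.
        "naked/get": authz_status("get", False, None),
        "naked/PUT": authz_status("PUT", False, None),
        # CGI side: reject "get" even if the server handed it to the script.
        "cgi/get": cgi_handle(env_lower)[0],
        "cgi/GET": cgi_handle(env_upper)[0],
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:10} -> {status}")
```

The `limit/get` line is the reported behaviour reproduced in the model; `naked/get` shows the fix Dean recommends on the server side, and `cgi/get` shows the check the CGI should be doing regardless of how it was reached.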