httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Carsten Wiedmann" <carsten_st...@gmx.de>
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Sat, 19 Aug 2006 17:20:36 GMT
Joshua Slive schrieb:

> On 8/19/06, Carsten Wiedmann <carsten_sttgt@gmx.de> wrote:
> > Why is it really bad to have a ScriptAlias inside the DocumentRoot? It's
> > only another file system location. And it's only one line in the
> > config file instead of four. You have only a problem because of the 
> > "unexpected"
> > behavior of httpd with case-insensitive/case-preserved file systems
> > ;-) And on Windows, the simplest way to make a consistent behavior
> > with URI's is to have a alias match case-insensitive.
>
> You seemed to miss the second part of my message, where I pointed out
> that there are multiple ways to "skip around" aliases if they point to
> directories that are otherwise accessible from the filesystem.  For
> example, a request for //cgi-bin/file.cgi might work (I haven't tested
> it)

The abs_path part of a HTTP URI can't start with a "//".


> or using one of the other "funny" characteristics of the windows
> filesystem that make multiple URLs point to the same filesystem
> location.

Thus I can say, the source code is too simple... ;-) It's not the problem of 
Windows (OS X, ...) that httpd don't compare the real case of a file with 
the case of the resource given in a HTTP request.

BTW: With symlinks we have a similar "funny" thing on *nix, to point 
multiple URIs to the same filesystem location.


> That is why if you want to restrict access to a filesystem
> location, you need to use <Directory>, which knows about all these
> funny things.

Don't forget, we are not talking about:
<Directory c:/apache2/htdocs> ... </Directory>
ScriptAlias /cgi-bin/ c:/apache2/htdocs/cgi-bin/
vs.
<Directory c:/apache2/htdocs> ... </Directory>
ScriptAlias /cgi-bin/ //server/share/htdocs/cgi-bin/
(different filesystem/network paths for Directory and ScriptAlias target. 
OK, they can point to the same resource, but that's another problem.)


We are talking about:
<Directory c:/apache2/htdocs> ... </Directory>
ScriptAlias /cgi-bin/ c:/apache2/htdocs/cgi-bin/
and
http://example.com/cgi-bin/foo.cgi
vs.
http://example.com/CGI-BIN/foo.cgi

And why are sometimes (part of) the URI is case-sensitive and somtimes not 
and what happens in consequence because of this behavior. And this behavior 
is the only reason why it can be (on some systems) a problem to have the 
ScriptAlias inside the DirectoryRoot.

Unfortunately there is for the moment no setting in the configuration, in 
order to achieve with such a system a real RFC conformal behavior (e.g.like 
"lower_case_table_names" in MySQL). But you can achieve a consistent 
behavior.

Regards,
Carsten



Mime
View raw message