httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Carsten Wiedmann" <>
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Sun, 20 Aug 2006 11:22:31 GMT
Joshua Slive schrieb:

> On 8/19/06, Carsten Wiedmann <> wrote:
> [I don't agree with large chunks of what you wrote, but the crux of
> the matter is here:]

That's ok :-)

Nobody else has an opinion to this discussion? Perhaps all are in the 
weekend vacation. ;-)

> > And why are sometimes (part of) the URI is case-sensitive and
> > somtimes not and what happens in consequence because of this
> > behavior. And this behavior is the only reason why it can be (on some
> > systems) a problem to have the ScriptAlias inside the DirectoryRoot.
> That last sentence is simply not true.  Search the the bugtraq
> archives for all the other vulnerabilities in windows web servers
> caused by subtleties of the filesystem.

You have some examples? But see the current case. In easy words:
A HTTP server must process the abs_path from an URI in a case-sensitive 
manner. Thus with a case-sensitive filesystem it's enough to build a 
canonical / normalized path and ask the system: You have this file?. With a 
case-insensitive/preserving filesystem you must also compare the realpath of 
a file with the canonical / normalized path from the request. That's really 
basic understanding. And it's not new that some systems, like Windows, have 
a case-insensitive filesystem or other differences to a "normal" *nix 
filesystem. A software must respect this.

> It is not the job of *Alias* to deal with that; the *Alias* directives
> map a URL to the filesystem.  If you want to protect things in the
> filesystem, you have <Directory>.

That's ok. If I want to protect something or change the behavior how the 
content of a directory is processed, I should do this inside a container 
like <Directory>. But why is there the Directive "ScriptAlias"?
--> This Directive should then better be removed.

Next question...

>From the manual:
| The Alias directive allows documents to be stored in the
| local filesystem other than under the DocumentRoot.
Or the "httpd.conf":
| # Alias: Maps web paths into filesystem paths and is used to
| # access content that does not live under the DocumentRoot.

Now we assume that the DocumentRoot is only a special alias. Thus we can 
also say:
| # Alias: Maps web paths into filesystem paths and is used to
| # access content that does not live under another existing Alias.
--> Why is it allowed (or without a warning) to make an Alias, where the 
target is already accessible via another Alias?

> Yes, it would be nice if httpd could force the use of a canonical case
> on case-insensitive filesystems.  It can be partially done with
> mod_rewrite.  But that would not make it safe to use ScriptAlias in
> the way you want.

Ok. Then we can say: For some other reasons, it's not safe to make a 
ScriptAlias inside DirectoryRoot on *nix (it only looks as if it's safe).


View raw message