httpd-dev mailing list archives

From: Joe Orton <jor...@redhat.com>
Subject: Includes vs IncludesNoExec security issue - help needed
Date: Thu, 23 Apr 2009 12:31:58 GMT
A security issue in the handling of the Includes and IncludesNoExec 
directives was reported recently, and I'm after some help.

The security issues are as follows:

a) If "AllowOverride Options=IncludesNoEXEC" is configured in 
   httpd.conf, a user can put "Options Includes" in an .htaccess
   file and SSI will be enabled *with* exec= permitted

b) If "AllowOverride Options=IncludesNoEXEC" is configured in 
   httpd.conf, and "Options IncludesNoExec" is enabled in the same 
   <Directory> context, then merely placing "Options +IncludesNoExec" in
   an .htaccess file also results in SSI enabled with exec= permitted

These are fixable but one question is left on how a particular 
combination of Includes and IncludesNoExec is interpreted:

- if httpd.conf has "Options Includes", and an .htaccess file has
   "Options +IncludesNoExec" - should exec= be permitted in an SSI?

I can argue this either way but am tending towards "no"; I'd very much 
welcome further opinions on this.

I've attached the patch I'm using for testing; results are up here:

  http://people.apache.org/~jorton/ssi-exec/

vanilla-2.2.x.txt and jorton-v1.txt each have four columns

(1) httpd.conf Options used
(2) httpd.conf AllowOverride used
(3) .htaccess Options used
(4) result of interpreting an SSI with an exec= statement in this 
context; readme.txt describes

vanilla-2.2.x.txt is results with vanilla 2.2.x, jorton-v1.txt is with 
the attached patch applied.

Thanks to Jonathan for reporting the original security issue, and to 
Vincent for his very thorough analysis which found the additional 
problems.

Regards, Joe
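The following configuration fragment is an added illustration of the two scenarios Joe describes; it is not part of his message, not from the httpd project, and uses assumed paths. The documented spelling of the option keyword is IncludesNOEXEC, but Apache matches Options keywords case-insensitively, so the "IncludesNoEXEC" / "IncludesNoExec" forms in the message refer to the same option.

```apache
# httpd.conf fragment (assumed paths, illustration only).
# Scenario (a)/(b): the admin wants SSI in user directories but without
# exec=, so only the IncludesNOEXEC option is delegated to .htaccess.
AddOutputFilter INCLUDES .shtml

<Directory "/srv/www/users">
    Options IncludesNOEXEC
    AllowOverride Options=IncludesNOEXEC
</Directory>

# /srv/www/users/.htaccess, written by the untrusted directory owner:
#   Options Includes            (scenario a)
# or
#   Options +IncludesNoExec     (scenario b)
#
# According to the message, on unpatched 2.2.x either line yields SSI
# with exec= permitted, so a page containing
#   <!--#exec cmd="id" -->
# runs a command as the httpd user despite the admin's intent.

# Alternative for the same directory (assumption: use instead of the
# block above): keep IncludesNOEXEC, but do not let .htaccess change
# Options at all, so the combination above can't be reached.
<Directory "/srv/www/users">
    Options IncludesNOEXEC
    AllowOverride None
</Directory>
```

The point of the alternative is that with AllowOverride None the per-directory file cannot add any Options at all, so the merge of Includes against IncludesNOEXEC that the message asks about never takes place; whether that merge should permit exec= is the open question Joe raises, and the fragment does not answer it.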
