httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: CVE-2003-1418 - still affects apache 2 current
Date Fri, 02 Sep 2011 08:07:55 GMT

On 2 Sep 2011, at 08:49, Reindl Harald wrote:

> 
> Am 02.09.2011 09:39, schrieb Florian Weimer:
>> * Reindl Harald:
>> 
>>> mtime -> well, is directly in the header -> Last-Modified
>>> size -> well, directly in the header -> Content-Length
>>> inode -> well, where is there any security implication?
>> 
>> I guess you could use it to form an NFS handle, and use that to bypass
>> intended access restrictions.  But that's the fault of NFS, and systems
>> which do not use cryptographic NFS handles probably use non-random or
>> 32-bit inodes, which are open to guessing anyway.
> 
> independent of the fact that I can guess it, it is really really not the problem
> of httpd if some stupid guy has NFS open on the internet

Indeed, how many webservers this century are sharing stuff over NFS?
And, erm, if you have an ETag then you have web access!

But it's a technical violation of the "need to know" principle.  Potential
use of that information through NFS is just a demo-of-concept for
how such information might hypothetically be of use to an attacker.

As for vulnerability in real life, the information that is intentionally
and necessarily shared through HTTP is far more obviously useful
to an attacker.  Want your attack bot to check whether it's found
${some-php-upload-exploit}?  A test file will tell you its content-length
and last-modified for very good reasons!

-- 
Nick Kew
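As an added illustration of the distinction drawn in the quoted exchange above (example code, not from this thread or from httpd itself), here is a small check that splits an httpd-style ETag and asks which of its fields the response already discloses through Content-Length and Last-Modified; whatever matches neither is the only genuinely new information. It assumes the pre-2.4 default FileETag layout inode-size-mtime (hex, mtime in microseconds), and the header values are constructed.

```python
import re
from email.utils import parsedate_to_datetime

# Assumed httpd ETag layout: optional W/ prefix, quoted, hex fields joined by "-".
_ETAG_RE = re.compile(r'(?:W/)?"([0-9a-fA-F]+(?:-[0-9a-fA-F]+)*)"')


def etag_fields(etag):
    """Return the ETag's hex fields as ints, or None if it is not in that form."""
    m = _ETAG_RE.fullmatch(etag.strip())
    if not m:
        return None
    return [int(f, 16) for f in m.group(1).split("-")]


def classify_etag(headers):
    """Label each ETag field by what the response already discloses:
    Content-Length gives the size, Last-Modified gives the mtime (the ETag
    field is microseconds, the header is whole seconds).  A field matching
    neither is information the client had no other way to learn; under the
    default layout that is the inode number."""
    fields = etag_fields(headers.get("ETag", ""))
    if fields is None:
        return {"parsed": False, "labels": [], "undisclosed": []}
    size = int(headers["Content-Length"]) if "Content-Length" in headers else None
    mtime = None
    if "Last-Modified" in headers:
        mtime = int(parsedate_to_datetime(headers["Last-Modified"]).timestamp())
    labels, undisclosed = [], []
    for f in fields:
        if size is not None and f == size:
            labels.append("size")
        elif mtime is not None and f // 1_000_000 == mtime:
            labels.append("mtime")
        else:
            labels.append("unknown")
            undisclosed.append(f)
    return {"parsed": True, "labels": labels, "undisclosed": undisclosed}


# Constructed sample values (not a real file): inode 0x2b4, 422 bytes,
# modified 02 Sep 2011 08:07:55 GMT, expressed in microseconds for the ETag.
INODE, SIZE, MTIME_US = 0x2B4, 422, 1314950875 * 1_000_000
LAST_MODIFIED = "Fri, 02 Sep 2011 08:07:55 GMT"
# Same file served with the default "FileETag INode MTime Size" ...
LEAKY = {"ETag": f'"{INODE:x}-{SIZE:x}-{MTIME_US:x}"',
         "Content-Length": str(SIZE), "Last-Modified": LAST_MODIFIED}
# ... and with "FileETag MTime Size", which drops the inode field.
SAFE = {"ETag": f'"{SIZE:x}-{MTIME_US:x}"',
        "Content-Length": str(SIZE), "Last-Modified": LAST_MODIFIED}
```

Run `classify_etag(LEAKY)` and the inode field is the only one reported as undisclosed; `classify_etag(SAFE)` reports none.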