httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: [RFC] further proxy/rewrite URL validation security issue (CVE-2011-4317)
Date Tue, 17 Jan 2012 21:47:01 GMT
On Thu, Jan 12, 2012 at 4:54 AM, Tomas Hoger <thoger@redhat.com> wrote:
> Jeff Trawick <trawick <at> gmail.com> writes:
>
>> >> Tomas Hoger tracked this down to a change to apr_uri_parse(), see here:
>> >>
>> >> https://bugzilla.redhat.com/show_bug.cgi?id=756483#c8
>> >>
>> >> The referenced change is in APR-util version 1.2.13, so httpd is not
>> >> vulnerable if using APR-util 1.2.12 or older versions.
>> >
>> > Can we determine this to be errant behavior in apr_uri_parse?
>>
>> I think we can for at least a couple of these.  In fact I assumed
>> based on the httpd 2.0 assessment pointed to earlier that the two URIs
>> already were rejected, and so I expected these two URIs to fail to
>> parse with apr-util 0.9.
>
> These URIs do not fail to parse in older apr-util, but they are parsed in
> a different way.  In recent versions, you get:
>
> scheme: @localhost, path: :8880

not a valid scheme; apr_uri_parse should have failed it for that
reason (needs to start with lower case, continue with lower case or
digit or +.-)

> scheme: qualys, path: @qqq.qq.qualys.com

valid scheme, valid path

--/--

so: does fixing apr_uri_parse() resolve these?  not generally (but I
opened bug 52479 to track the bogus scheme issue)

some checking of acceptable URIs has to be added on top of that

> This does have path not starting with / (required for the attack) and
> also non-NULL scheme (required to bypass "does uri start with /?" check
> added in r1179239).
>
> In older versions, you get:
>
> scheme: (null), path: @localhost::8880
> scheme: (null), path: qualys:@qqq.qq.qualys.com
>
> With NULL scheme, there's no bypass of r1179239.  AFAICS, when older
> apr_uri_parse() returns non-NULL scheme, path is either NULL or it
> starts with a /.
>
> HTH

yes, thanks a bunch!

>
> --
> Tomas Hoger
>



-- 
Born in Roswell... married an alien...
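
An added example, not part of the original message and not httpd or APR code: the two checks discussed in this thread (reject a syntactically bogus scheme, and reject a URI whose scheme is set but whose path does not start with `/`), applied to the two request URIs quoted above. The names `scheme_is_valid` and `check_request_uri` are hypothetical, and the split at the first `:` is an assumed, simplified stand-in for `apr_uri_parse()` that reproduces the scheme/path pairs shown in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Scheme rule as stated in the message: first char lower case, the rest
 * lower case, digit, '+', '.' or '-'. */
static int scheme_is_valid(const char *s, size_t len)
{
    size_t i;
    if (len == 0 || s[0] < 'a' || s[0] > 'z')
        return 0;
    for (i = 1; i < len; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
              c == '+' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

enum uri_verdict { URI_OK, URI_BAD_SCHEME, URI_BAD_PATH };

/* Hypothetical helper: splits at the first ':' (a simplified stand-in that
 * reproduces the scheme/path pairs quoted above, not apr_uri_parse itself)
 * and then applies both checks. */
static enum uri_verdict check_request_uri(const char *uri)
{
    const char *colon;
    if (uri[0] == '/')
        return URI_OK;                 /* ordinary request path */
    colon = strchr(uri, ':');
    if (colon == NULL)
        return URI_BAD_PATH;           /* no scheme and no leading '/' */
    if (!scheme_is_valid(uri, (size_t)(colon - uri)))
        return URI_BAD_SCHEME;         /* e.g. scheme "@localhost" */
    if (colon[1] != '\0' && colon[1] != '/')
        return URI_BAD_PATH;           /* e.g. path "@qqq.qq.qualys.com" */
    return URI_OK;
}

int main(void)
{
    /* The two request URIs from the thread plus two constructed ordinary ones. */
    const char *samples[] = { "@localhost::8880", "qualys:@qqq.qq.qualys.com",
                              "/index.html", "http://example.com/" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s -> %d\n", samples[i], (int)check_request_uri(samples[i]));
    return 0;
}
```

The second URI passes the scheme check and is caught only by the path check, which is why fixing the scheme validation alone does not cover both cases.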
