httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Improper string concatenation in mod_alias allows code execution out of bounds defined in apache config file.
Date Mon, 08 Feb 2016 16:09:25 GMT
On Sat, Feb 6, 2016 at 5:20 AM, Bartłomiej Żogała <nusch88@gmail.com> wrote:

> 5. Some day he wanted the blog to be visible from example.com/ root  but
> with mod_alias instead mod_rewrite. So he changed line "Alias /wp
> /usr/share/wordpress" to "Alias / /usr/share/wordpress". Instead wordpress
> he received 403 forbidden on example.com/. He introduced more than one
> change so wasn't sure what caused the error immediately.
>
> During the time of user researching issue the attacker:
> 1. Enters http://example.com/.old/ and gets
> /usr/share/wordpress.old/index.php
>

This is precisely as-documented, and not a vulnerability;
http://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias
"Note that if you include a trailing / on the URL-path then the server will
require a trailing / in order to expand the alias."
That *includes* the simple "Alias / /foo/" case, this singular "/"
alias path is an example of an alias with a trailing "/".

Note that the actual execution of content within /usr/share/wordpress.old
is disturbing and indicates some other serious misconfiguration...
<Directory /usr/share/wordpress>
did not grant permissions for .../wordpress.old - therefore something else
permitted content/scripts outside of the /usr/share/wordpress/ directory
path.

Perhaps <Directory /> was never configured correctly to prevent access
to content outside of the intended directories, or perhaps there are
<Files > or <Location > directives overriding the <Directory > blocks.

Mime
View raw message