httpd-users mailing list archives

From Adrian Herscu <bmf1...@axentra.net>
Subject [users@httpd] Re: Multiple dots in path vulnerability
Date Mon, 10 Jan 2005 17:42:02 GMT
Leif,

Thanks for your effort.

My question was actually whether *hardened* Apache HTTP Servers 
will filter out multi-dot URLs.

I should emphasize that there are two types of vulnerabilities:
1. Parent paths, like "../" - my question was not about that.
2. Multi-dot URLs which do not contain parent paths - those 
can be used to confuse the Web server about the real file type. 
For example: "/foo.php/goo.exe" - what type of file is requested 
by this URL? According to Microsoft, if you would like to filter 
out requests for ".exe" files then this URL would be considered 
invalid by the UrlScan server module and dropped, even if it was a 
legitimate ".php" request. That is because the Web server cannot 
decide whether "foo.php" is a file or a directory without 
querying the underlying file system - so to make their lives 
easier they decided that UrlScan should filter out any multi-dot 
URL. *astards!

Do you know about a corresponding "UrlScan" module for Apache 
HTTP Servers that will filter out multi-dot URLs?

Thanks a lot,
Adrian.

Leif W wrote:
>> Adrian Herscu; 2005 January 09 Sunday 07:09
>> Hi all,
>>
>> I have a Web application that uses URLs which contain multiple dots, 
>> such as "/dir.ext1.ext2.extn/file.ext1.ext2.extm".
> 
> 
> With Apache you could use a typemap and hide the file extension from the 
> URL entirely.  It could be .html, .cfm or anything.  Based upon how you 
> configure Apache, it will handle it appropriately.  I have only a 
> rudimentary understanding of this feature, and thus can not explain it 
> further, but I can appreciate the power that it gives.
> 
>> Here is why Microsoft considers multi-dots URLs "dangerous":
> 
> 
> IMO maliciously and carefully crafted URL strings such as multi-dots or 
> double escapes are only dangerous if the authors of the web server OR 
> any library upon which the server blindly relies have seriously 
> screwed up their code.
> 
>> I am interested to know if the vulnerabilities enumerated by the 
>> aforementioned thread apply to the Apache HTTP Server also.
> 
> 
> I have not ever witnessed any successful directory traversal attacks 
> against Apache 2 on Linux since I have been using it, which was 
> somewhere around 2.0.3x.  However my personal test/development server is 
> not a big target.  I have seen Apache 1.3 used heavily, but it was 3 
> years ago, and we never had a successful directory traversal attack on 
> FreeBSD and Linux.
> 
> However, on Windows on my personal machine, Apache 2 relied upon some 
> insecurely written Microsoft code, about 2.5 years ago.  At the time, 
> someone I knew personally had a grudge against me and used the directory 
> traversal exploit to look at some of my files.  But after considering 
> their conscience the person in question notified me, and sure enough I 
> saw several files outside of the DocumentRoot had been served to the 
> person's IP address.  They could pick any file on the same drive as the 
> DocumentRoot, I believe, as long as the ACLs allowed.  I learned that 
> you need to more strictly control what user Apache runs as, and what 
> permissions you give to people in all your files across the entire 
> filesystem (default on Windows is read-write by Everyone).
> 
> It also reinforced my (some might say "misguided") impression that 
> Microsoft is "dangerous" because it consistently creates insecure code. 
> ;-)  But Apache has had a few vulnerabilities all of its own.  In total 
> 30 are listed on that page (see below) since Apache 2.0.37.  Most 
> vulnerabilities only affect very specific configurations.  I do not know 
> the exact cause of the problem I experienced (CAN-2002-0661), so I can't 
> point a finger at Apache devs or the non-unix platform devs.
> 
> You can read more about Apache 2 security vulnerabilities at 
> ApacheWeek.com.  I found the URL on Apache's httpd website.
> 
> http://www.apacheweek.com/features/security-20
> 
> This is the problem I experienced and described above:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661
> 
> Leif
> 
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
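
The file-type ambiguity described in the message above, as an added example that is not part of the original thread: a filesystem-blind filter (a simplified model of the policy the message attributes to UrlScan, not UrlScan's own code) next to one that checks the disk to find which file a path such as "/foo.php/goo.exe" actually names. The function names, the DENIED set and the document root are constructed for illustration.

```python
import os
import tempfile

DENIED = {".exe"}  # extensions the operator wants to block (assumed policy)

def blind_filter(url_path):
    """Policy the message attributes to UrlScan: no filesystem lookup, so
    any path with more than one dot is dropped, as is a denied extension."""
    ext = os.path.splitext(url_path)[1].lower()
    return url_path.count(".") <= 1 and ext not in DENIED

def resolve(docroot, url_path):
    """Walk the path segment by segment; the first regular file is the
    resource and everything after it is extra path info."""
    current, segments = docroot, [s for s in url_path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg in (".", ".."):
            return None                      # parent paths: refuse outright
        current = os.path.join(current, seg)
        if os.path.isfile(current):
            return seg, "/".join(segments[i + 1:])
        if not os.path.isdir(current):
            return None                      # nothing on disk matches
    return None                              # path names a directory

def fs_aware_filter(docroot, url_path):
    """Decide on the extension of the file that would actually be served."""
    hit = resolve(docroot, url_path)
    return hit is not None and os.path.splitext(hit[0])[1].lower() not in DENIED

def demo():
    """Build a constructed document root and compare both filters."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("foo.php", "dir.ext1.ext2/file.ext1.ext2", "foo.dir/goo.exe"):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        urls = ["/foo.php/goo.exe", "/dir.ext1.ext2/file.ext1.ext2",
                "/foo.dir/goo.exe", "/foo.php"]
        return {u: (blind_filter(u), fs_aware_filter(root, u)) for u in urls}

if __name__ == "__main__":
    for url, (blind, aware) in demo().items():
        print(f"{url:32} blind={blind!s:5} fs_aware={aware}")
```

The blind filter drops the two legitimate multi-dot requests along with the real ".exe" one; the filesystem-aware filter drops only the request that resolves to an ".exe" file.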

