httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] Re: Multiple dots in path vulnerability
Date Mon, 10 Jan 2005 18:10:13 GMT
On Mon, 10 Jan 2005 19:42:02 +0200, Adrian Herscu <bmf1972@axentra.net> wrote:
> Leif,
> 
> Thanks for your effort.
> 
> My question was actually whether *hardened* Apache HTTP Servers
> will filter out multi-dot URLs.
> 
> I should emphasize that there are two types of vulnerabilities:
> 1. Parent paths, like "../" - my question was not about that.
> 2. Multi-dot URLs which are not containing parent paths - those
> can be used to confuse the Web server about the real file type.
> For example: "/foo.php/goo.exe" - what type of file is requested
> by this URL? According to Microsoft, if you would like to filter
> out requests for ".exe" files then this URL would be considered
> invalid by the UrlScan server module and dropped, even if was a
> legitimate ".php" request. That is because the Web server cannot
> decide whether "foo.php" is a file or a directory without
> querying to underlying file system - so to make their lives
> easier they decided that UrlScan should filter out any multi-dot
> URL. *astards!
> 
> Do you know about a corresponding "UrlScan" module for Apache
> HTTP Servers that will filter out multi-dot URLs?

Apache does not do this by default, because there are plenty of
legitimate reasons for having multiple dots, and because apache will
not get confused about the file type unless it is badly misconfigured.
 (Apache's AddType/AddHandler/etc directives act on the actual name of
the file being served, not on the URL.)

If you want to block requests like this, you could probably do it with
mod_security - a third-party module that specializes in this sort of
URL-filtering.

Alternatively, you could just use something like
<LocationMatch \..*\.>
Order allow,deny
Deny from all
</LocationMatch>
or something similar to that.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message