www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stipe Tolj <t...@wapme-systems.de>
Subject os-windows/7944: Security hole for <Directory> restrictions for Cygwin 1.x
Date Wed, 27 Jun 2001 09:37:20 GMT

>Number:         7944
>Category:       os-windows
>Synopsis:       Security hole for <Directory> restrictions for Cygwin 1.x
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Jun 27 02:40:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     tolj@wapme-systems.de
>Release:        1.3.20
>Organization:
apache
>Environment:
$ uname-a
CYGWIN_NT-4.0 WAPME-244 1.1.8(0.34/3/2) 2001-01-31 10:08 i686 unknown

Cygwin 1.1.8 running on WinNT4sp6.
>Description:
Bill Stoddard has suggested to check this and it produced a SECURITY whole for the Cygwin
1.x platform!

On WinNT and Win2000 operating systems running Apache for Cygwin requesting users may circumvent
any <Directory> restrictions using Windows canonical (shorten) filenames (based on 8.3
format). This problem arises from the underlying Cygwin 1.x layer which seems to make no differences
how the file/dir is addressed.
>How-To-Repeat:
restrict a specific directory under DocumentRoot, i.e.
 
  # httpd.conf
  <Directory /usr/local/apache/htdocs/foobardir>
    Order deny, allow
    Deny from all
    Allow from 10.0.0.2
  </Directory>

Requesting /foobardir from 10.0.0.1 gets 403 Forbidden.
Requesting /foobar~1 from 10.0.0.1 gets whatever the dir contains (indexing, etc.)



>Fix:
I'll check the sources to see if there is an implementation within the Windows specific parts
and incorporate that for the Cygwin platform within the Unix based sources.

Patch will be posted to new-httpd@apache.org.
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
 
 


Mime
View raw message