www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From A.Steinmetz <...@domdv.de>
Subject general/8036: DELETE method reveals name of directory index file and executes scripts
Date Mon, 16 Jul 2001 23:30:12 GMT

>Number:         8036
>Category:       general
>Synopsis:       DELETE method reveals name of directory index file and executes scripts
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jul 16 16:40:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     ast@domdv.de
>Release:        1.3.20
>Organization:
apache
>Environment:
linux 2.2.19 i686 glibc 2.2.3 gcc 2.95.3
>Description:
If the DELETE method is access-limited by a Limit directive the returned 405 error message
for DELETE / shows the name of the directory index file. This might give an attacker hints
how to try to compromise a server.

Furthermore, if the requested URL refers to an active element, e.g. a PHP script the script
is executed which may cause all sorts of problems as scripts are usually not designed to handle
a DELETE request. In the best case, DELETE is then processed as a GET request which is not
the intended behaviour (this may be a PHP problem but I'm not in the position to decide that).
>How-To-Repeat:
Create the file /tmp/test/index.html containing the following line:
<html><head></head><body>hi</body></html>

Create the following server configuration:
Listen localhost:8080
<VirtualHost localhost:8080>
CustomLog /dev/null common
ErrorLog /dev/null
DocumentRoot /tmp/test
DirectoryIndex index.html
Alias / /tmp/test/
<Directory /tmp/test/>
    <Limit POST PUT DELETE CONNECT OPTIONS PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK
UNLOCK>
        Deny from all
    </Limit>
    Order Deny,Allow
    Allow from all
    AllowOverride None
    Options None
</Directory>
</VirtualHost>

Execute the following commands (output included below):
# telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /
<html><head></head><body>hi</body></html>
Connection closed by foreign host.
# telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
DELETE /
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>405 Method Not Allowed</TITLE>
</HEAD><BODY>
<H1>Method Not Allowed</H1>
The requested method DELETE is not allowed for the URL /index.html.<P>
</BODY></HTML>
Connection closed by foreign host.
#
>Fix:
Use the originally requested URL in error messages, not one that was already modified internally.
If processing scripts with the request method DELETE is done by design please document this
in a prominent enough place (e.g. footnote for the Limit command).
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
 
 


Mime
View raw message