Return-Path:
Delivered-To: apmail-apache-bugdb-archive@apache.org
Received: (qmail 48135 invoked by uid 500); 16 Jul 2001 23:40:01 -0000
Mailing-List: contact apache-bugdb-help@apache.org; run by ezmlm
Precedence: bulk
Reply-To: apache-bugdb@apache.org
list-help:
list-unsubscribe:
list-post:
Delivered-To: mailing list apache-bugdb@apache.org
Received: (qmail 48116 invoked by uid 501); 16 Jul 2001 23:40:00 -0000
Resent-Date: 16 Jul 2001 23:40:00 -0000
Resent-Message-ID: <20010716234000.48114.qmail@apache.org>
Resent-From: submit@bugz.apache.org (GNATS Filer)
Resent-To: apache-bugdb@apache.org
Resent-Cc: apache-bugdb@apache.org
Resent-Reply-To: submit@bugz.apache.org, ast@domdv.de
Received: (qmail 41518 invoked by uid 501); 16 Jul 2001 23:30:12 -0000
Message-Id: <20010716233012.41517.qmail@apache.org>
Date: 16 Jul 2001 23:30:12 -0000
From: A.Steinmetz
Reply-To: ast@domdv.de
To: submit@bugz.apache.org
X-Send-Pr-Version: 3.110
Subject: general/8036: DELETE method reveals name of directory index file and executes scripts

>Number:         8036
>Category:       general
>Synopsis:       DELETE method reveals name of directory index file and executes scripts
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jul 16 16:40:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     ast@domdv.de
>Release:        1.3.20
>Organization:   apache
>Environment:
linux 2.2.19 i686 glibc 2.2.3 gcc 2.95.3
>Description:
If the DELETE method is access-limited by a Limit directive, the returned 405 error message for DELETE / shows the name of the directory index file. This might give an attacker hints on how to try to compromise a server. Furthermore, if the requested URL refers to an active element, e.g. a PHP script, the script is executed, which may cause all sorts of problems, as scripts are usually not designed to handle a DELETE request.
In the best case, DELETE is then processed as a GET request, which is not the intended behaviour (this may be a PHP problem, but I'm not in a position to decide that).
>How-To-Repeat:
Create the file /tmp/test/index.html containing the following line:

hi

Create the following server configuration:

Listen localhost:8080
CustomLog /dev/null common
ErrorLog /dev/null
DocumentRoot /tmp/test
DirectoryIndex index.html
Alias / /tmp/test/
# The <Directory> and <Limit> container lines did not survive in this copy of
# the report; they are restored here in their most likely position (assumption).
<Directory /tmp/test>
    <Limit DELETE>
        Deny from all
    </Limit>
    Order Deny,Allow
    Allow from all
    AllowOverride None
    Options None
</Directory>

Execute the following commands (output included below):

# telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /
hi
Connection closed by foreign host.
# telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
DELETE /
405 Method Not Allowed

Method Not Allowed

The requested method DELETE is not allowed for the URL /index.html.

Connection closed by foreign host.
#
>Fix:
Use the originally requested URL in error messages, not one that was already modified internally. If processing scripts with the request method DELETE is done by design, please document this in a prominent enough place (e.g. a footnote for the Limit directive).
>Release-Note:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
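The telnet steps in the report, turned into a repeatable check. This is an added example, not code from the bug report or from the Apache project: it sends the same bare request line the reporter typed (an HTTP/0.9-style request with no version, which is why the server answers with a raw body rather than a status line plus headers) and then inspects a 405 body for a path that differs from the one requested, which is the DirectoryIndex disclosure the report describes. The host, port and the sample 405 body are constructed for illustration; the body mirrors the text shown in the report's transcript.

```python
"""Probe a server the way the report does and flag 405 bodies that leak a resolved path.

Added example (assumption-labelled); not part of Apache or of PR general/8036.
"""
import re
import socket

# Matches the phrase Apache 1.3 uses in its 405 page and captures the path it names.
# Works on the plain-text body shown in the report and on the HTML form ("...html.<P>").
LEAK_RE = re.compile(r"not allowed for the URL\s+(\S+?)\.?(?:<|\s|$)")

# Constructed sample mirroring the 405 body in the report's telnet transcript.
SAMPLE_405_BODY = (
    "405 Method Not Allowed\n"
    "\n"
    "Method Not Allowed\n"
    "\n"
    "The requested method DELETE is not allowed for the URL /index.html.\n"
)


def send_raw_request(host: str, port: int, request_line: str, timeout: float = 5.0) -> bytes:
    """Send one bare request line (e.g. "DELETE /"), exactly as typed into telnet,
    and return whatever the server sends back before it closes the connection.

    Host and port are assumptions for illustration; the report used localhost:8080.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # A trailing blank line is harmless for an HTTP/0.9 request and completes
        # the header block if the caller passes a full HTTP/1.0 request line.
        sock.sendall(request_line.encode("ascii") + b"\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def paths_named_in_405(body: str) -> list[str]:
    """Every path the error page explicitly names as the rejected URL."""
    return LEAK_RE.findall(body)


def leaked_paths(requested_url: str, body: str) -> list[str]:
    """Paths the error page names that are NOT the URL the client actually asked for.

    A non-empty result means the server substituted an internally resolved
    path (here the DirectoryIndex file) into a user-visible error message.
    """
    return [p for p in paths_named_in_405(body) if p != requested_url]


def probe_delete(host: str, port: int, url: str = "/") -> list[str]:
    """Send DELETE <url> to a live server and report any leaked paths (network helper)."""
    body = send_raw_request(host, port, f"DELETE {url}").decode("latin-1", "replace")
    return leaked_paths(url, body)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: the client asked for "/",
    # the page answers about "/index.html".
    print(leaked_paths("/", SAMPLE_405_BODY))
    # Against a real server: print(probe_delete("localhost", 8080, "/"))
```

To run it against a test server as in the report, call `probe_delete("localhost", 8080, "/")`; an empty list means the 405 page only repeats the URL that was requested, a non-empty list means the server is naming something it resolved internally.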