CERT VU:439395
History: Sep 28, 2001 - 12:00 a.m.

Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem

2001-09-28 00:00:00
www.kb.cert.org

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low
Percentile: 79.1%

Overview

The Apache (1.3.14) web server’s file access protection scheme can be bypassed for the Mac OS X HFS+ filesystem.

Description

The Apache web server’s file access protection scheme (i.e., file request “filtering”) assumes that the filesystem being protected is case sensitive. For example, in a case sensitive file system, such as UFS (the UNIX file system), the file names “ANY_file” and “any_FILE” refer to different files. The Mac’s HFS+ filesystem is case insensitive (e.g., the names “ANY_file”, “any_FILE”, and “any_file” all refer to the same file). Under the Apache file access protection scheme you specify the directory (e.g., /ANY_directory) or filename (e.g., “/ANY_directory/ANY_file”) to be protected, but only directories or pathnames matching the exact case you specify will be protected.

Under the Apache scheme, you specify whether to deny or allow access to a filesystem object (which can be a directory, filename, or URL). The specifications are called “directives”, which include the <Directory>, <Files> and <Location> directives. See <http://httpd.apache.org/docs/mod/core.html#directory> for further information on directives. When you use a directive to deny access to a file or directory using the Apache web server under Mac OS X HFS+, the directive will NOT deny access to any other upper and lower case variation of the filename or directory.


Impact

Remote unprivileged users can bypass Apache file access protection and read privileged files.


Solution

Solution 1 - By default, Apache will allow access to any file mapped from a URL. You should change the default to deny all access, and then use directives to override and allow access for only those directories and files that you want to be readable. Use regular expressions with directives such as <FilesMatch> and <DirectoryMatch> to cover upper and lower case variations. Be sure to thoroughly test your directives to ensure that Apache is properly allowing or denying access. The following advice is from the Apache web site (<http://httpd.apache.org/docs/mod/core.html#directory>):

> Note that the default Apache access for `<Directory />` is `Allow from All`. This means that Apache will serve any file mapped from an URL. It is recommended that you change this with a block such as
>
> ```
> <Directory />
>     Order Deny,Allow
>     Deny from All
> </Directory>
> ```
>
> and then override this for directories you _want_ accessible. See the _Security Tips_ (<http://httpd.apache.org/docs/misc/security_tips.html>) page for more details.

Solution 2 - At least a partial fix (a shared object file “mod_hfs_apple.so”) is available on the Apple web site as part of the Web Sharing version 1.0 released on 7-23-2001 – <http://www.apple.com/downloads/macosx/apple/websharingupdate.html>. This update fixes the problem when you specify protected directories (using the <Directory> and <Location> directives), but the fix may not work when you specify individual file names to be protected (using the <Files> directive). (See the 13-July-2001 message from Jacques Distler on the following web page: <http://www.macintouch.com/mosxreaderreports43.html>.) To overcome the case problem for individual filenames, you need to use the <FilesMatch> directive, and specify the filename using regular expressions that cover all upper and lower case variations. Even after applying this patch, it is recommended that you set the Apache default to deny all access, as described in solution 1 above.

Solution 3 - Use the UFS (Unix File System) instead of HFS+. UFS is case sensitive, so everything works as expected. Even if you use UFS, we still recommend that you set the Apache default to deny all access, as described in solution 1 above.
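The mismatch from the Description and the regular-expression advice in Solutions 1 and 2 can be checked with a short script. This is an added example, not code from CERT, Apache or Apple; the function names are hypothetical, and the filesystem model is a simplification that assumes ASCII filenames.

```python
import re
from itertools import product

def _is_letter(c):
    return c.isascii() and c.isalpha()

def exact_case_denies(protected, requested):
    """Model of the filter described above: deny only on an exact-case match."""
    return requested == protected

def same_file_on_case_insensitive_fs(a, b):
    """Simplified model of an HFS+ lookup (ASCII names only): case is ignored."""
    return a.lower() == b.lower()

def case_variants(name):
    """Every upper/lower spelling of name (2**letters of them; keep names short)."""
    choices = [(c.lower(), c.upper()) if _is_letter(c) else (c,) for c in name]
    return ("".join(p) for p in product(*choices))

def unprotected_aliases(protected):
    """Spellings that reach the protected file but are not denied by the filter."""
    return [v for v in case_variants(protected)
            if same_file_on_case_insensitive_fs(v, protected)
            and not exact_case_denies(protected, v)]

def bracket_class_regex(name):
    """Anchored regex covering all case variants with [Xx] classes only, so it
    does not depend on an inline case-insensitivity flag in the regex engine."""
    parts = [f"[{c.upper()}{c.lower()}]" if _is_letter(c) else re.escape(c)
             for c in name]
    return "^" + "".join(parts) + "$"

def files_match_block(name):
    """Render a deny block in the Order/Deny syntax quoted on this page."""
    return (f'<FilesMatch "{bracket_class_regex(name)}">\n'
            "    Order Deny,Allow\n"
            "    Deny from All\n"
            "</FilesMatch>")

if __name__ == "__main__":
    name = "ANY_file"  # filename used in the advisory text
    print(len(unprotected_aliases(name)), "spellings are not covered by an exact-case rule")
    print(files_match_block(name))
```

The generated block still needs to be tested against the running server, as Solution 1 advises, and it complements the deny-by-default `<Directory />` setting rather than replacing it.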


Vendor Information


Apache Software Foundation Affected

Updated: September 28, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc. Affected

Updated: September 28, 2001

Status

Affected

Vendor Statement

**Web Sharing Update** -- <http://www.apple.com/downloads/macosx/apple/websharingupdate.html> (Post date: 7/23/2001). The Web Sharing Update delivers enhancements and security improvements to Apache, including support for the case-insensitive Mac OS Extended file system (HFS+), and the latest version of OpenSSH.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Acknowledgements

This vulnerability was initially posted to the bugtraq mailing list (bugtraq ID 2852) by Stefan Arentz.

This document was written by Howard Lipson.

Other Information

CVE IDs: CVE-2001-0766
Severity Metric: 3.60
Date Public:
