apache2047.txt

2004-01-31T00:00:00
ID PACKETSTORM:32596
Type packetstorm
Reporter Trung - caothuvolam
Modified 2004-01-31T00:00:00

Description

                                        
                                            `  
  
APACHE HTTPD SERVER (current version 2.0.47):  
##########################################################  
How to return files in a Apache Deny All directory.  
The Directives controlling host access may be bypassed even   
if they have not permission to be override.  
  
11 Jan 2004  
  
  
DESCRIPTION  
  
Apache Web Server allows manage configurations via the main   
httpd.conf file, and via the other configuration files placed   
inside the children web trees, may owned by the user accounts,   
named .htaccess by default. The server administrator further   
controls what Directives may be placed in .htaccess files by   
configuring the AllowOverride Directive in the main httpd.conf   
files.  
  
If the server admin sets the Deny Directive to All (for example),   
and does not allow the user accounts to modify this Directive in   
their .htaccess file by setting the AllowOverride values without   
the Limit type, his/her users are still able to bypass the Deny   
option by using the ErrorDocument Directive.  
  
Tested in Apache 2.0.47/RH-Linux/WinXP.  
  
  
EXAMPLE  
  
##########################################################  
# In the main httpd.conf file:  
#  
<Directory />  
AllowOverride FileInfo  
Deny From All  
</Directory>   
##########################################################  
  
##########################################################  
# In the user's .htaccess file placed in a child directory:  
  
ErrorDocument 403 /child/dir/fetch.php  
  
##########################################################  
  
/********************************************************/  
<?php  
// In the fetch.php placed in the same directory:  
  
$url = parse_url( $_SERVER['REQUEST_URI'] );  
@include basename( $url['path'] );  
  
?>  
/********************************************************/  
  
  
In this example, assuming the web server can execute PHP script   
or some scripts/server-includes. By modifying some codes you can   
return other mime file types such as image/gif etc.  
  
Event if the server does not allow any file parsed (Deny From All),   
the script file fetch.php will still be executed, and it includes   
again and parses any other files in a same directory, which   
indecated by the query variables, to the web client.   
  
Looking in the source code, I think the missing auth checking is in   
the function ap_process_request_internal() in the file request.c.   
One of the major changes in Apache 2.0 is to the internal redirect   
mechanism. To prevent the code from falling out of sync again in the  
current directory, the configuration comparing between two config   
directories may bypass the authentication checking again. That   
explains why this vulnerability (if any?) can only done if the   
redirect ErrorDocument file is placed in the same request directory.  
  
  
  
FIX  
  
Do not skip auth checker even if the per_dir_config member value   
doesn't change in the ap_process_request_internal() function.  
  
  
NOTE   
  
I post this issue in the public mailing list, because I think this   
vuln is not exploitable by a remote attacker. If something were   
wrong, drop a line to me.  
  
  
Vietnamese Security Group  
Trung - caothuvolam - trungonly@yahoo.com  
http://www.security.com.vn  
  
31 Nui Truc st. Ba Dinh dist. Ha Noi . Vietnamese  
Phone : 84.4.8465701 / Fax: 84.4.8465701  
`