>Number:         859
>Category:       config
>Synopsis:       space in URL garbles script environment vars
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Jul 12 02:50:01 1997
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.2.0
>Environment:
$ uname -a
BSD/OS maple.oeko.net 2.1 BSDI BSD/OS 2.1 Kernel #0: Sun Feb 16 20:09:06 MET 1997 [EMAIL PROTECTED]:/usr/src/sys/compile/OEKONET.maple  i386

almost fully patched

client side: Netscape Navigator 3.0 Gold
>Description:
I have a setup with a vhost that defines

ErrorDocument 404 /cgi-bin/notthere.cgi

inside the vhost section. When asking this vhost for a nonexistent URL that
contains a space, the first part up to the space is placed in REDIRECT_URL
and the part after the space comes out in front of SERVER_PROTOCOL. I didn't
test with variants that contain more spaces, more non-contiguous sections of
spaces, or different kinds of spaces.

I posted this to comp.infosystems.www.servers.unix

message id <[EMAIL PROTECTED]>,

and got back that this is likely an Apache bug. This could have security
implications since smashing the stack by producing unpredicted environment
contents and possibly executing it afterwards could therefore be embedded
in the URL if properly designed, or so I read on bugtraq.

IMHO the right thing would be for all of the illegal URL to land in the
REDIRECT_URL variable, and also that it be limited to some harmless size.

The right thing must be known somewhere in Apache since the access log
contains the correct URI (the one originally requested, together with a 404
status code).

>How-To-Repeat:
If you have a mail address I can mail you a sample code section + server
setup, but you should be able to repeat the problem with your stock CGI pieces.
>Fix:
Disallow spaces in URLs (if at all legal) and have them length checked if not already.
>Audit-Trail:
>Unformatted:
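As an added illustration (not code from this report or from Apache), the Python below sketches the symptom described above and a check a CGI script can run over its own environment. The request-line splitter is a hypothetical reconstruction of the reported behaviour, not Apache's parser, and SAMPLE_ENV is a constructed sample rather than a real capture.

```python
import os
import re
from typing import Dict, List, Tuple

PROTOCOL_RE = re.compile(r"HTTP/\d+\.\d+")


def naive_request_line(line: str) -> Tuple[str, str, str]:
    # Hypothetical splitter: cut on the first two spaces only. For
    # "GET /not there HTTP/1.0" the text after the space in the URL ends
    # up in front of the protocol token, matching the reported symptom.
    method, _, rest = line.partition(" ")
    uri, _, protocol = rest.partition(" ")
    return method, uri, protocol


def strict_request_line(line: str, max_uri_len: int = 1024) -> Tuple[str, str, str]:
    # Accept only METHOD SP URI SP HTTP/x.y; reject whitespace in the URI
    # and enforce a length cap, as the report's Fix section suggests.
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError("request line must have exactly three tokens")
    method, uri, protocol = parts
    if not PROTOCOL_RE.fullmatch(protocol):
        raise ValueError("bad protocol token: %r" % protocol)
    if re.search(r"\s", uri) or len(uri) > max_uri_len:
        raise ValueError("whitespace in URI or URI too long")
    return method, uri, protocol


def cgi_env_anomalies(env: Dict[str, str], max_len: int = 1024) -> List[str]:
    # Defender-side check for a CGI error handler: flag a SERVER_PROTOCOL
    # that is not HTTP/x.y and URL-carrying variables with whitespace or
    # excessive length. Returns human-readable findings (empty list = clean).
    findings: List[str] = []
    proto = env.get("SERVER_PROTOCOL", "")
    if not PROTOCOL_RE.fullmatch(proto):
        findings.append("SERVER_PROTOCOL not of form HTTP/x.y: %r" % proto)
    for name in ("REQUEST_URI", "REDIRECT_URL", "PATH_INFO", "QUERY_STRING"):
        value = env.get(name)
        if value is None:
            continue
        if re.search(r"\s", value):
            findings.append("%s contains whitespace: %r" % (name, value))
        if len(value) > max_len:
            findings.append("%s longer than %d bytes" % (name, max_len))
    return findings


# Constructed sample environment shaped like the report's description.
SAMPLE_ENV = {"REDIRECT_STATUS": "404", "REDIRECT_URL": "/not", "SERVER_PROTOCOL": "there HTTP/1.0"}

if __name__ == "__main__":
    for finding in cgi_env_anomalies(dict(os.environ)) or ["environment looks clean"]:
        print(finding)
```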