https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
Summary: CVE-2003-1418 - all httpd versions seem to expose
inode values in FileEtag
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Core
AssignedTo: [email protected]
ReportedBy: [email protected]
Apache seems to simply hex-encodes inodes retrieved by fstat() directly into
etags through simple encoding.
Apache 2.2.3 in httpd-2.2.3/modules/http/http_etag.c:
next = etag_ulong_to_hex(next, (unsigned long)r->finfo.inode);
httpd-2.2.3/srclib/apr/file_io/unix/filestat.c:
if (fstat(thefile->filedes, &info) == 0) {
...
finfo->inode = info->st_ino;
This shows up as a security vulnerability through exposure of inode information
for files hosted by httpd:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
An example solution to the problem was posted on OpenBSD, which is to use a
hash of the inode instead of directly presenting an encoded inode into the etag
value:
http://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch
I propose that future versions of Apache would either have FileEtag -Inode
turned on or have the inode be hashed by default. (Preferably the original
behavior could be optional instead i.e. FileEtag -noInodehash )
This would prevent security scanners from flagging all apache implementations
as vulnerable.
Thanks!
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
