On Sat, Feb 6, 2016 at 5:20 AM, Bartłomiej Żogała <[email protected]> wrote:
> 5. Some day he wanted the blog to be visible from example.com/ root but > with mod_alias instead mod_rewrite. So he changed line "Alias /wp > /usr/share/wordpress" to "Alias / /usr/share/wordpress". Instead wordpress > he received 403 forbidden on example.com/. He introduced more than one > change so wasn't sure what caused the error immediately. > > During the time of user researching issue the attacker: > 1. Enters http://example.com/.old/ and gets > /usr/share/wordpress.old/index.php > This is precisely as-documented, and not a vulnerability; http://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias "Note that if you include a trailing / on the URL-path then the server will require a trailing / in order to expand the alias." That *includes* the simple "Alias / /foo/" case, this singular "/" alias path is an example of an alias with a trailing "/". Note that the actual execution of content within /usr/share/wordpress.old is disturbing and indicates some other serious misconfiguration... <Directory /usr/share/wordpress> did not grant permissions for .../wordpress.old - therefore something else permitted content/scripts outside of the /usr/share/wordpress/ directory path. Perhaps <Directory /> was never configured correctly to prevent access to content outside of the intended directories, or perhaps there are <Files > or <Location > directives overriding the <Directory > blocks.
