On Wed, 22 Jan 2003 09:00:58 -0500 "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> Issue 3 (VU#384033):
>
> Exploitation of this condition could lead to bypass of default script
> mapping behavior. This flaw impacts Apache on all platforms. This
> issue is best described with an example:
>
> http://localhost/folder.php/file
>
> Apache should parse 'file' as plain text -- that is, simply returning
> it to the browser. However, an incorrect check in Apache's mapping
> algorithms, causes the 'php' extension to be associated with this
> request. Rather than checking only the file's extension, Apache
> checks for extensions in any path member, stopping at the first.
>
> This is more of a weakness than a vulnerability, as exploitation only
> yields UID nobody if you allow uploading under the docroot *and*
> filter by filename only, in which case you have far more serious
> concerns than the exploitation of this issue.
>
> DETECTION
>
> These issues are believed to be specific to the 2.0 branch; Apache
> 1.3.27 (and all other 1.x versions) are believed immune from these
> issues. Apache 2.0.43 and prior should be upgraded to the 2.0.44
> release, which will be available from
> <http://httpd.apache.org/dist/httpd>.

This issue doesn't run on a RH 8.0 httpd server:

# cat /etc/issue
Red Hat Linux release 8.0 (Psyche)
Kernel \r on an \m

# rpm -qa | grep httpd
httpd-2.0.40-11
# rpm -qa | grep php
php-mysql-4.2.2-8.0.5
php-4.2.2-8.0.5
# lynx -source http://localhost/folder.php/text
<?php phpinfo(); ?>
# lynx -source http://localhost/folder.php/text.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><style type="text/css"><!--
a { text-decoration: none; }
...
...
...
<p>If you did not receive a copy of the PHP license, or have any
questions about PHP licensing, please contact [EMAIL PROTECTED]</p>
</td></tr>
</table><br />
</body></html>

--
Gilles Cuesta
Netimedias - http://www.netimedias.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
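
Added example, not part of the original post or of the Apache advisory: a simplified Python model of the two mapping rules the quoted advisory describes (final path member only, versus the first path member that carries an extension), used to audit a docroot for files the two rules would treat differently. The function names, the MAPPED set and the constructed sample tree are assumptions for illustration; this is not Apache's own mapping code.

```python
import os
import posixpath
import tempfile

MAPPED = {"php"}  # assumption: extensions bound to a script handler


def _ext(member):
    """Extension of one path member, lower-cased; None if it has none."""
    name, dot, ext = member.rpartition(".")
    return ext.lower() if dot and name and ext else None


def mapped_final_member(url_path, mapped=MAPPED):
    """Intended rule: only the last path member decides the mapping."""
    ext = _ext(posixpath.basename(url_path))
    return ext if ext in mapped else None


def mapped_any_member(url_path, mapped=MAPPED):
    """Rule as the advisory words it: the first member with an extension decides."""
    for member in url_path.strip("/").split("/"):
        ext = _ext(member)
        if ext is not None:
            return ext if ext in mapped else None
    return None


def audit_docroot(root, mapped=MAPPED):
    """URL paths of files under root on which the two rules disagree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "/" if rel == "." else "/" + rel + "/"
        hits += [prefix + f for f in files
                 if mapped_final_member(prefix + f, mapped)
                 != mapped_any_member(prefix + f, mapped)]
    return sorted(hits)


def demo():
    """Audit a constructed docroot shaped like the test in the reply above."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("folder.php/text", "folder.php/text.php", "plain/readme.txt"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit_docroot(root)


if __name__ == "__main__":
    print(demo())
```

To audit a real server, pass its docroot to audit_docroot() and set MAPPED to the extensions that server binds to script handlers.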
