[15152] in bugtraq
Re: IBM HTTP SERVER / APACHE
daemon@ATHENA.MIT.EDU (typo@INFERNO.TUSCULUM.EDU)
Thu Jun 1 21:47:44 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000601120006.A22236@boehm.org>
Date: Thu, 1 Jun 2000 12:00:06 +0200
Reply-To: typo@INFERNO.TUSCULUM.EDU
From: typo@INFERNO.TUSCULUM.EDU
X-To: Marek Roy <marek_roy@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000531183430.21100.qmail@securityfocus.com>
On Wed, May 31, 2000 at 06:34:30PM -0000, Marek Roy wrote:
> I haven't seen any advisories for IBM HTTP SERVER running
> Apache.
> There is a crucial number of "/" (forward slash) you can
> use to retrieve the contents of the root directory of this
> particular Web Server. Using this vulnerability, you can
> retrieve any files or scripts running from that directory
> and sub-directories.
I couldn't reproduce this with a generic copy of Apache,
but I can verify that there is at least minor security impact
(quoting Apache's error log):
--4052 /'s
[Thu Jun 1 11:46:47 2000] [error] [client 127.0.0.1] \
(36)File name too long: access to [4050 /]//index.html failed
[Thu Jun 1 11:46:47 2000] [error] [client 127.0.0.1] \
(36)File name too long: access to [4050 /]//index.shtml failed
--4053 /'s
[Thu Jun 1 11:47:24 2000] [error] [client 127.0.0.1] \
(36)File name too long: access to [4050 /]///index.html failed
[Thu Jun 1 11:47:24 2000] [error] [client 127.0.0.1] \
(36)File name too long: access to [4050 /]///index.shtml failed
[Thu Jun 1 11:47:24 2000] [error] [client 127.0.0.1] \
(36)File name too long: access to [4050 /]///index.cgi failed
As you can see, using 4052 /'s you can force usage of shorter
entries of the DirectoryIndex directive.
(in my case: 'DirectoryIndex index.html index.shtml index.cgi')
typo
--
so much entropy, so little time
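Added example (not part of the post above, and not Apache's own code): a small model of the behaviour typo describes, plus a detector that pulls the errno 36 entries out of an Apache 1.3 error log. It assumes a Linux PATH_MAX of 4096 (one byte of which is the NUL terminator), that mod_dir builds the on-disk path as document root + request path + DirectoryIndex name, and a document-root length of 34 characters, which is the value that reproduces the 4052/4053 observations quoted in the post; the log lines are constructed and have their slash runs shortened.

```python
import re

PATH_MAX = 4096  # Linux PATH_MAX, including the terminating NUL (assumed)

# Apache 1.3 error-log line for errno 36 (ENAMETOOLONG), as quoted in the post.
LOG_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"\(36\)File name too long: access to (?P<path>\S+) failed$"
)

# Constructed sample (not the post's real log; the slash runs are shortened).
SAMPLE_LOG = """\
[Thu Jun  1 11:46:47 2000] [error] [client 127.0.0.1] (36)File name too long: access to /usr/local/apache/htdocs////////////index.html failed
[Thu Jun  1 11:46:47 2000] [notice] Apache/1.3.12 (Unix) configured -- resuming normal operations
[Thu Jun  1 11:47:24 2000] [error] [client 10.0.0.5] (36)File name too long: access to /usr/local/apache/htdocs///index.cgi failed
"""


def surviving_indexes(docroot_len, slashes, indexes, path_max=PATH_MAX):
    """Model of mod_dir: each DirectoryIndex entry is appended to the on-disk
    path (docroot + request path). A name whose full path does not fit in
    path_max (leaving one byte for the NUL) fails with ENAMETOOLONG, so only
    the shorter entries remain candidates. Returns the survivors in order."""
    return [name for name in indexes
            if docroot_len + slashes + len(name) < path_max]


def served_index(docroot_len, slashes, indexes, path_max=PATH_MAX):
    """First DirectoryIndex entry that survives, or None when all of them fail."""
    alive = surviving_indexes(docroot_len, slashes, indexes, path_max)
    return alive[0] if alive else None


def too_long_failures(log_text, max_run=8):
    """Detection: collect the ENAMETOOLONG entries from an error log and report
    the longest run of consecutive slashes in each failed path. Legitimate
    requests do not carry long slash runs, so runs above max_run are flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        run = max(len(s) for s in re.findall(r"/+", path))
        hits.append({"client": m.group("client"),
                     "index": path.rsplit("/", 1)[-1],
                     "slash_run": run,
                     "suspicious": run > max_run})
    return hits
```

With a 34-character document root, 4052 slashes leave only index.cgi reachable and 4053 leave nothing, matching the two log excerpts in the post.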