Mac OS X Apache and Case Insensitive Filesystem Vulnerability
13 Jun. 2001
Summary
The preferred filesystem for Mac OS X is Apple's HFS+, and most setups use it. HFS+ is a case-insensitive filesystem.
Apache's directory protection (and any other mechanism that depends on filesystem object names) cannot handle this and breaks. For example, both the Directory and Location configuration directives are affected.
This is a real security risk because most people do not know about it, and it can easily be used to bypass protected directories.
Vulnerable systems:
Mac OS X 10.0.3 / Darwin 1.3.3 with Apache 1.3.14
Who is affected:
Everybody who uses Apache on Mac OS X Client under the following conditions:
+ Documents are on an HFS+ volume
+ Directory protection is used
Details:
Consider the following file:
/Library/WebServer/Documents/test/index.html
And the following configuration:
<Location /test>
Order deny,allow
Deny from all
</Location>
Alternatively, using a Directory option:
<Directory /Library/WebServer/Documents/test>
Order deny,allow
Deny from all
</Directory>
The following request will result in a 403 Forbidden, as expected:
GET /test/index.html
However, the following request will happily serve the file:
GET /TeSt/index.html
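As an added example (not part of the advisory), the following Python log check applies the case-folded comparison a defender needs on HFS+ to Apache access-log lines: it flags non-error responses that only fall under a protected Location once the request path is lower-cased, i.e. requests that Apache's literal matching let through. The sample log lines and the /test prefix are constructed from the advisory's example.

```python
import re
from urllib.parse import unquote

# Protected URL prefix taken from the advisory's <Location /test> block.
PROTECTED_PREFIXES = ["/test"]

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

def normalize_path(path, fold_case):
    """Decode percent-encoding and drop the query string; with fold_case
    also lower-case, mirroring the lookup a case-insensitive HFS+ does."""
    path = unquote(path.split("?", 1)[0])
    return path.lower() if fold_case else path

def hits_protected(path, prefixes=PROTECTED_PREFIXES, fold_case=True):
    """True if the request path falls under a protected prefix.
    fold_case=False reproduces Apache's literal, case-sensitive match;
    fold_case=True is the comparison that is actually meaningful on HFS+."""
    p = normalize_path(path, fold_case)
    for prefix in prefixes:
        pre = prefix.lower() if fold_case else prefix
        if p == pre or p.startswith(pre.rstrip("/") + "/"):
            return True
    return False

def find_case_bypasses(log_lines, prefixes=PROTECTED_PREFIXES):
    """Return (host, path) for non-error responses whose path reaches a
    protected prefix only after case folding."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, status = m.group("path"), int(m.group("status"))
        if (status < 400 and hits_protected(path, prefixes, fold_case=True)
                and not hits_protected(path, prefixes, fold_case=False)):
            hits.append((m.group("host"), path))
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jun/2001:10:00:01 -0700] "GET /test/index.html HTTP/1.0" 403 287',
    '10.0.0.5 - - [13/Jun/2001:10:00:02 -0700] "GET /TeSt/index.html HTTP/1.0" 200 1024',
    '10.0.0.6 - - [13/Jun/2001:10:00:03 -0700] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.7 - - [13/Jun/2001:10:00:04 -0700] "GET /testing/a.html HTTP/1.0" 200 99',
]

if __name__ == "__main__":
    for host, path in find_case_bypasses(SAMPLE_LOG):
        print(f"possible case bypass of a protected Location from {host}: {path}")
```

The same check works for Directory-based protection if the document root is stripped from the directory path first, since the prefix comparison is against the URL path.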
Solution:
Using UFS solves this problem because it is case-sensitive, so Apache behaves as expected.
In addition, Mac OS X Server ships with a mod_hfs_apple.so Apache module that solves this problem. However, the module is only available as part of Mac OS X Server; it is not available as source or as part of the Apache distribution.
Workaround:
Though it causes a bit of a performance penalty, a .htaccess file in each protected directory resolves the problem.
Make sure that the web server directory in the configuration file is set to:
AllowOverride Limit AuthConfig
Or
AllowOverride All
And that the following lines are present in httpd.conf, so that no case variant of the .htaccess file name can be fetched:
<Files ~ "^\.(ht|HT|Ht|hT)">
Order allow,deny
Deny from all
</Files>
Then in the protected directory, /Library/WebServer/Documents/test, add a .htaccess file containing: