Apache for Cygwin '..%5C' Input Validation Flaw Discloses Files to Remote Users
SecurityTracker Alert ID: 1009182
CVE Reference: CAN-2004-0173
Updated: Mar 17 2004
Original Entry Date: Feb 24 2004
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Advisory: STG Security
Version(s): 1.3.29 and prior versions; 2.0.48 and prior versions
Description: STG Security reported a directory traversal vulnerability in Apache for the Cygwin environment. A remote user can traverse out of the served directory to view files on the target system.
It is reported that a remote user can supply the following type of URL to view files on the target system:
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini
The vendor was reportedly notified on January 15, 2004.
Jeremy Bae is credited with discovering the flaw.
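
An added example (not part of the advisory and not the Apache patch) of why the encoded backslash in the URL above matters on Windows: a validator that splits the decoded path only on '/' sees `..\..\..\` as a single ordinary segment, while one that also splits on '\' finds the `..` segments. The function names and the 1024-byte buffer are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst (n bytes). Returns -1 on a malformed escape,
 * an encoded NUL, or output that does not fit; 0 otherwise. */
static int url_decode(const char *src, char *dst, size_t n)
{
    size_t o = 0;
    for (; *src; src++) {
        int c = (unsigned char)*src;
        if (c == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0 || (c = hi * 16 + lo) == 0) return -1;
            src += 2;
        }
        if (o + 1 >= n) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* 1 if the decoded path has a ".." segment under seps, or fails to decode. */
static int has_dotdot(const char *uri_path, const char *seps)
{
    char buf[1024];
    const char *p = buf;
    if (url_decode(uri_path, buf, sizeof buf) != 0) return 1;
    while (*p) {
        size_t len = strcspn(p, seps);
        if (len == 2 && p[0] == '.' && p[1] == '.') return 1;
        p += len + (p[len] != '\0');   /* step over the separator, if any */
    }
    return 0;
}

/* Hypothetical validator that splits only on '/', then one that adds '\'. */
int slash_only_rejects(const char *uri_path) { return has_dotdot(uri_path, "/"); }
int win_aware_rejects(const char *uri_path) { return has_dotdot(uri_path, "/\\"); }
```

The check runs on the decoded path, the same string that would be handed to the filesystem; decoding again after validation would reopen the gap.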
Impact: A remote user can view files on the system.
Solution: A patch for Apache 1.3.29 is available at:
http://nagoya.apache.org/bugzilla/showattachment.cgi?attach_id=10222
No solution was available at the time of this entry for Apache version 2.
Vendor URL: nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
Cause: Access control error, Input validation error
Underlying OS: Windows (Any)
Underlying OS Comments: Cygwin Environment Only
Reported By: SSR Team <advisory@stgsecurity.com>
Message History:
None.
Source Message Contents
Date: Tue, 24 Feb 2004 10:17:33 +0900
From: SSR Team <advisory@stgsecurity.com>
Subject: STG Security Advisory: [SSA-20040217-06] Apache for cygwin directory
STG Security Advisory: [SSA-20040217-06] Apache for cygwin directory
traversal vulnerability
Revision 1.0
Date Published: 2004-02-17 (KST)
Last Update: 2004-02-17
Disclosed by SSR Team (advisory@stgsecurity.com)
Abstract
========
Apache on cygwin environment has a directory traversal vulnerability.
Vulnerability Class
===================
Implementation Error: Input validation flaw
Details
=======
Apache httpd on cygwin environment has a directory traversal vulnerability
similar to a reported bug in
http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00241.html
Using the following code, a malicious user can retrieve any file.
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini
Impact
======
File disclosure
Solution
=========
Stipe Tolj, Apache for cygwin maintainer, released a patch file to fix this
vulnerability on Apache 1.3.29 as shown in the following URL.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
Apache 2 on cygwin, however, is still vulnerable, and it is recommended not
to use it for a production server.
Affected Products
================
Apache 1.3.29 and below
Apache 2.0.48 and below
Vendor Status: FIXED
=======================
2004-01-13 Jeremy Bae found the vulnerabilities.
2004-01-15 Apache project notified.
2004-02-03 Cygwin platform maintainer confirmed.
2004-02-04 A patch file released.
2004-02-17 Official release.
Credits
======
Jeremy Bae at STG Security