This is a multi-part message in MIME format.
--------------050700010106040907000404
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20040217-06] Apache for cygwin directory
traversal vulnerability

Revision 1.0
Date Published: 2004-02-17 (KST)
Last Update: 2004-02-17
Disclosed by SSR Team (advisory@stgsecurity.com)


Abstract
========
Apache on cygwin environment has a directory traversal vulnerability.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Details
=======
Apache httpd on cygwin environment has a directory traversal vulnerability
similar to a reported bug in
http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00241.html

Using the following code, a malicious user can retrieve any file.
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini

Impact
======
File disclosure

Solution
=========
Stipe Tolj, Apache for cygwin maintainer, released a patch file to fix this
vulnerability on Apache 1.3.29 as shown in the following URL.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152

Apache 2 on the cygwin, however, is still vulnerable and is recommended not
to use it for a production server.

Affected Products
================
Apache 1.3.29 and below
Apache 2.0.48 and below

Vendor Status: FIXED
=======================
2004-01-13 Jeremy Bae found the vulnerabilities.
2004-01-15 Apache project notified.
2004-02-03 Cygwin platform maintainer confirmed.
2004-02-04 A patch file released.
2004-02-17 Official release.

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQDql3z9dVHd/hpsuEQJ5uQCfUtOfSY0qIjzRF9LUim1xB3XAFcwAn0lI
I23p9Inl69oUYZDs3ixFH7dU
=dLyl
-----END PGP SIGNATURE-----


--------------050700010106040907000404
Content-Type: text/plain;
 name="apache-eng.txt"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="apache-eng.txt"

U1RHIFNlY3VyaXR5IEFkdmlzb3J5OiBbU1NBLTIwMDQwMjE3LTA2XSBBcGFjaGUgZm9yIGN5
Z3dpbiBkaXJlY3RvcnkNCnRyYXZlcnNhbCB2dWxuZXJhYmlsaXR5DQoNClJldmlzaW9uIDEu
MA0KRGF0ZSBQdWJsaXNoZWQ6IDIwMDQtMDItMTcgKEtTVCkNCkxhc3QgVXBkYXRlOiAyMDA0
LTAyLTE3DQpEaXNjbG9zZWQgYnkgU1NSIFRlYW0gKGFkdmlzb3J5QHN0Z3NlY3VyaXR5LmNv
bSkNCg0KDQpBYnN0cmFjdA0KPT09PT09PT0NCkFwYWNoZSBvbiBjeWd3aW4gZW52aXJvbm1l
bnQgaGFzIGEgZGlyZWN0b3J5IHRyYXZlcnNhbCB2dWxuZXJhYmlsaXR5Lg0KDQpWdWxuZXJh
YmlsaXR5IENsYXNzDQo9PT09PT09PT09PT09PT09PT09DQpJbXBsZW1lbnRhdGlvbiBFcnJv
cjogSW5wdXQgdmFsaWRhdGlvbiBmbGF3DQoNCkRldGFpbHMNCj09PT09PT0NCkFwYWNoZSBo
dHRwZCBvbiBjeWd3aW4gZW52aXJvbm1lbnQgaGFzIGEgZGlyZWN0b3J5IHRyYXZlcnNhbCB2
dWxuZXJhYmlsaXR5DQpzaW1pbGFyIHRvIGEgcmVwb3J0ZWQgYnVnIGluDQpodHRwOi8vY2Vy
dC51bmktc3R1dHRnYXJ0LmRlL2FyY2hpdmUvYnVndHJhcS8yMDAyLzA4L21zZzAwMjQxLmh0
bWwNCg0KVXNpbmcgdGhlIGZvbGxvd2luZyBjb2RlLCBhIG1hbGljaW91cyB1c2VyIGNhbiBy
ZXRyaWV2ZSBhbnkgZmlsZS4NCmh0dHA6Ly9bc2VydmVyXS8uLiU1Qy4uJTVDLi4lNUMuLiU1
Qy4uJTVDLi4lNUMvYm9vdC5pbmkNCg0KSW1wYWN0DQo9PT09PT0NCkZpbGUgZGlzY2xvc3Vy
ZQ0KDQpTb2x1dGlvbg0KPT09PT09PT09DQpTdGlwZSBUb2xqLCBBcGFjaGUgZm9yIGN5Z3dp
biBtYWludGFpbmVyLCByZWxlYXNlZCBhIHBhdGNoIGZpbGUgdG8gZml4IHRoaXMNCnZ1bG5l
cmFiaWxpdHkgb24gQXBhY2hlIDEuMy4yOSBhcyBzaG93biBpbiB0aGUgZm9sbG93aW5nIFVS
TC4NCg0KaHR0cDovL25hZ295YS5hcGFjaGUub3JnL2J1Z3ppbGxhL3Nob3dfYnVnLmNnaT9p
ZD0yNjE1Mg0KDQpBcGFjaGUgMiBvbiB0aGUgY3lnd2luLCBob3dldmVyLCBpcyBzdGlsbCB2
dWxuZXJhYmxlIGFuZCBpcyByZWNvbW1lbmRlZCBub3QNCnRvIHVzZSBpdCBmb3IgYSBwcm9k
dWN0aW9uIHNlcnZlci4NCg0KQWZmZWN0ZWQgUHJvZHVjdHMNCj09PT09PT09PT09PT09PT0N
CkFwYWNoZSAxLjMuMjkgYW5kIGJlbG93DQpBcGFjaGUgMi4wLjQ4IGFuZCBiZWxvdw0KDQpW
ZW5kb3IgU3RhdHVzOiBGSVhFRA0KPT09PT09PT09PT09PT09PT09PT09PT0NCjIwMDQtMDEt
MTMgSmVyZW15IEJhZSBmb3VuZCB0aGUgdnVsbmVyYWJpbGl0aWVzLg0KMjAwNC0wMS0xNSBB
cGFjaGUgcHJvamVjdCBub3RpZmllZC4NCjIwMDQtMDItMDMgQ3lnd2luIHBsYXRmb3JtIG1h
aW50YWluZXIgY29uZmlybWVkLg0KMjAwNC0wMi0wNCBBIHBhdGNoIGZpbGUgcmVsZWFzZWQu
DQoyMDA0LTAyLTE3IE9mZmljaWFsIHJlbGVhc2UuDQoNCkNyZWRpdHMNCj09PT09PQ0KSmVy
ZW15IEJhZSBhdCBTVEcgU2VjdXJpdHkNCg==
--------------050700010106040907000404--