FYI
Since you have been discussing // on the Apache mailing list, I thought
I would forward this information to you.
Background: CERT in Holland forwarded this to the USA CERT who
forwarded it to NCSA.
Forwarded message:
> From jte@cert.org Tue Oct 31 11:13:48 1995
> To: efrank@ncsa.uiuc.edu, kerowe@ncsa.uiuc.edu
> Subject: Report of bugs in httpd 1.4.2 (INFO#95.26894)
> Cc: cert@cert.org
> Organization: CERT Coordination Center : +1 (412) 268-7090
> Date: Tue, 31 Oct 1995 12:14:07 EST
> From: James Ellis <jte@cert.org>
>
<bunches snipped>
> Problem description.
> The NCSA httpd daemon (up to/including version 1.4.2) can be
> tricked into bypassing access restrictions and symbolic link
> policies that are defined in its configuration files.
>
> Impact.
> Potentially much more information than intended or desired
> can be disclosed.
>
> Exploitation methods.
> o Suppose there are access restrictions to ``foo/bar'' which
> should make this directory unaccessible, or invisible via an
> index list.
> o The restrictions can be circumvented by specifying instead
> ``foo///bar'' ``foo/./bar'' ``./foo/bar'' ``foo/bar/.'' or
> combinations thereof.
> o Furthermore, if such name refers to an executable or shell
> script that is supposed to be executed, the contents of the
> executable or shell script are retrieved and revealed instead.
> o If symbolic links are allowed, and the owner of the link
> must be the same as the owner of the file the link points to,
> the trick is to let the link point to another link with the
> same ownership, and let that second link point to the desired
> file (e.g. /etc/passwd).
>
> Fixes.
> o The module no2slash() in util.c replaces two consecutive
> slashes by a single one. It should recognize any number of
> consecutive slashes.
> o The module no2slash() in util.c should also recognize
> and replace the ``/./'' ``./'' ``/.'' constructs.
> o The module getparents() in util.c should call no2slash()
> before proceeding.
> o The module evaluate_access() in http_access.c does an
> lstat() on a link and another lstat() on the resulting file
> to compare their owners. It should do a stat() on the
> resulting file instead. It also does not check whether the
> lstat() fails or succeeds.
>
> Workarounds.
> Don't allow the following of symbolic links at all.
> I cannot think of a workaround for the bogus pathnames.
>
> Reported by
> Eric Wassenaar <e07@nikhef.nl>
> Organization: Dutch National Institute for Nuclear and High-Energy Physics
> Address: Kruislaan 409, P.O. Box 41882, 1009 DB Amsterdam, the Netherlands
> Phone: +31 20 592 5012, Home: +31 20 6909449, Telefax: +31 20 592 5155
--
Elizabeth(Beth) Frank
NCSA Server Development Team
efrank@ncsa.uiuc.edu
Since you have been discussing // on the Apache mailing list, I thought
I would forward this information to you.
Background: CERT in Holland forwarded this to the USA CERT who
forwarded it to NCSA.
Forwarded message:
> From jte@cert.org Tue Oct 31 11:13:48 1995
> To: efrank@ncsa.uiuc.edu, kerowe@ncsa.uiuc.edu
> Subject: Report of bugs in httpd 1.4.2 (INFO#95.26894)
> Cc: cert@cert.org
> Organization: CERT Coordination Center : +1 (412) 268-7090
> Date: Tue, 31 Oct 1995 12:14:07 EST
> From: James Ellis <jte@cert.org>
>
<bunches snipped>
> Problem description.
> The NCSA httpd daemon (up to/including version 1.4.2) can be
> tricked into bypassing access restrictions and symbolic link
> policies that are defined in its configuration files.
>
> Impact.
> Potentially much more information than intended or desired
> can be disclosed.
>
> Exploitation methods.
> o Suppose there are access restrictions to ``foo/bar'' which
> should make this directory unaccessible, or invisible via an
> index list.
> o The restrictions can be circumvented by specifying instead
> ``foo///bar'' ``foo/./bar'' ``./foo/bar'' ``foo/bar/.'' or
> combinations thereof.
> o Furthermore, if such name refers to an executable or shell
> script that is supposed to be executed, the contents of the
> executable or shell script are retrieved and revealed instead.
> o If symbolic links are allowed, and the owner of the link
> must be the same as the owner of the file the link points to,
> the trick is to let the link point to another link with the
> same ownership, and let that second link point to the desired
> file (e.g. /etc/passwd).
>
> Fixes.
> o The module no2slash() in util.c replaces two consecutive
> slashes by a single one. It should recognize any number of
> consecutive slashes.
> o The module no2slash() in util.c should also recognize
> and replace the ``/./'' ``./'' ``/.'' constructs.
> o The module getparents() in util.c should call no2slash()
> before proceeding.
> o The module evaluate_access() in http_access.c does an
> lstat() on a link and another lstat() on the resulting file
> to compare their owners. It should do a stat() on the
> resulting file instead. It also does not check whether the
> lstat() fails or succeeds.
>
> Workarounds.
> Don't allow the following of symbolic links at all.
> I cannot think of a workaround for the bogus pathnames.
>
> Reported by
> Eric Wassenaar <e07@nikhef.nl>
> Organization: Dutch National Institute for Nuclear and High-Energy Physics
> Address: Kruislaan 409, P.O. Box 41882, 1009 DB Amsterdam, the Netherlands
> Phone: +31 20 592 5012, Home: +31 20 6909449, Telefax: +31 20 592 5155
--
Elizabeth(Beth) Frank
NCSA Server Development Team
efrank@ncsa.uiuc.edu