CIAC INFORMATION BULLETIN

M-114: Apache 2.0 Path Disclosure Vulnerability

August 19, 2002 21:00 GMT

PROBLEM: A directory traversal vulnerability exists in Apache versions 2.0.39 and earlier on non-Unix platforms (potentially including Apache compiled with CYGWIN). Apache can disclose the absolute path to a script whenever the server fails to invoke the script.
PLATFORM: Windows, OS2, and Netware.
DAMAGE: Exploitation may result in the disclosure of sensitive information. Additionally, arbitrary local programs may be executed with attacker supplied parameters if directory traversal techniques are used to escape the cgi-bin directory.
SOLUTION: Apply the one-line httpd.conf workaround, or upgrade to Apache HTTP server version 2.0.40, as described in the Apache bulletin below.

VULNERABILITY ASSESSMENT:
The risk is HIGH. Running Apache on Windows, OS2, or Netware is not a common configuration; however, the exploit is easy and remote, and because it can execute arbitrary local programs with attacker-supplied parameters it can result in administrator privileges on the server.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-114.shtml
  ORIGINAL BULLETIN: http://httpd.apache.org/info/security_bulletin_20020809a.txt
  RELEASES: http://www.apache.org/dist/httpd/


[******  Start of Apache Bulletin ******]

For Immediate Disclosure

=============== SUMMARY ================

        Title: Apache 2.0 vulnerability affects non-Unix platforms
         Date: 9th August 2002
     Revision: 2
 Product Name: Apache HTTP server 2.0
  OS/Platform: Windows, OS2, Netware
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020809a.txt
  Vendor Name: Apache Software Foundation
   Vendor URL: http://httpd.apache.org/
      Affects: All Released versions of 2.0 through 2.0.39
     Fixed in: 2.0.40
  Identifiers: CAN-2002-0661

=============== DESCRIPTION ================

Apache is a powerful, full-featured, efficient, and freely-available Web
server.  On the 7th August 2002, The Apache Software Foundation was
notified of the discovery of a significant vulnerability, identified by
Auriemma Luigi.

This vulnerability has the potential to allow an attacker to inflict
serious damage to a server, and reveal sensitive data.  This vulnerability
affects default installations of the Apache web server.

Unix and other variant platforms appear unaffected.  Cygwin users are
likely to be affected.

=============== SOLUTION ================

A simple one line workaround in the httpd.conf file will close the
vulnerability.  Prior to the first 'Alias' or 'Redirect' directive, add
the following directive to the global server configuration:

   RedirectMatch 400 "\\\.\."

Fixes for this vulnerability are also included in Apache HTTP server
version 2.0.40.  The 2.0.40 release also contains fixes for two minor
path-revealing exposures.  This release of Apache is available at
http://www.apache.org/dist/httpd/

More information will be made available by the Apache Software
Foundation and Auriemma Luigi in the
coming weeks.

=============== REFERENCES ================

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0661 to this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661

[******  End of Apache Bulletin ******]
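The following Python script is an added example, not part of the CIAC or Apache bulletins. It shows which request paths the RedirectMatch workaround quoted above actually rejects, and reuses the same pattern to scan an Apache access log for earlier attempts. It assumes (an assumption about mod_alias behaviour, not something the bulletin states) that RedirectMatch is matched against the percent-decoded request path without the query string. The log lines, client addresses and the `bin\tool.exe` target path are constructed for illustration only.

```python
import re
from urllib.parse import unquote

# The Apache bulletin's workaround is:   RedirectMatch 400 "\\\.\."
# Inside the httpd.conf quoted string "\\" is one literal backslash, so the
# expression handed to the regex engine is  \\\.\.  : a backslash followed
# by two literal dots, i.e. the Windows-style backslash-dot-dot traversal step.
WORKAROUND_PATTERN = re.compile(r"\\\.\.")


def blocked_by_workaround(request_uri):
    """Return True if the RedirectMatch rule would answer this request with 400.

    Assumption (not stated in the bulletin): mod_alias applies RedirectMatch
    to the percent-decoded request path, and the query string is not part of
    the match, so the query string is dropped before decoding.
    """
    path = request_uri.split("?", 1)[0]
    return WORKAROUND_PATTERN.search(unquote(path)) is not None


# Apache "common" log format; only the fields needed here are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_traversal_attempts(log_lines):
    """Return (client, raw URI, status) for each request the workaround would reject.

    Running this over existing logs shows whether the backslash-dot-dot
    pattern was ever sent to the server before the workaround or the
    upgrade to 2.0.40 was applied.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # not a recognisable access-log line; skip it
        uri = m.group("uri")
        if blocked_by_workaround(uri):
            hits.append((m.group("ip"), uri, int(m.group("status"))))
    return hits


# Constructed sample log lines: documentation addresses, invented target path.
# Line 2 is the raw backslash form, line 3 the same path with %5c encoding,
# line 4 a Unix-style "/../" request that the workaround does not match.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Aug/2002:21:00:01 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512',
    r'198.51.100.7 - - [19/Aug/2002:21:00:05 +0000] "GET /cgi-bin/foo\..\..\bin\tool.exe?arg HTTP/1.0" 200 0',
    '198.51.100.7 - - [19/Aug/2002:21:00:09 +0000] "GET /cgi-bin/foo%5c..%5c..%5cbin%5ctool.exe HTTP/1.0" 404 0',
    '203.0.113.4 - - [19/Aug/2002:21:00:12 +0000] "GET /cgi-bin/../etc/passwd HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, uri, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{client} {status} {uri}")
```

The pattern matches only a backslash followed by two dots, so the Unix-style `/cgi-bin/../` request in the sample is not affected by the rule; the bulletin's workaround targets the backslash form specifically. Because the match is applied to the decoded path, the `%5c..` encoding of the same request is rejected as well, and a backslash-dot-dot sequence that appears only in the query string is not.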




CIAC wishes to acknowledge the contributions of The Apache Software Foundation and SecurityFocus for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788