CERN httpd server authorization bypass

Summary
Description:You can bypass password authorization by adding extra forward slashes in the URL. ie: http://www.server.com//secret.html.
Author:Peter Lord <plord@perrin.demon.co.uk>
Compromise:Unauthorized viewing of passworded html files
Vulnerable Systems:Systems running CERN httpd, apparently up to their last version.
Date:30 April 1997
Details


Date: Wed, 30 Apr 1997 19:50:39 +0000
From: Peter Lord <plord@perrin.demon.co.uk>
To: BUGTRAQ@NETSPACE.ORG
Subject: Access control on W3C httpd server

I came accross this problem recently when using the CERN server.  I
couldn't find any referrences to it ... but I guess this *must* be
well known.  Still, better to speak up than to keep quiet.

My server has the following in the config file :-

Protection secret {
        AuthType        Basic
        ServerID        mine
        PasswdFile      /httpd/config/passwd
        GroupFile       /httpd/config/group
        POST-Mask       secret_group
        GET-Mask        secret_group
        PUT-Mask        webmaster
}

Protect /secret/*           secret

Which works fine.  When the client tries to access
http://www.site.co.uk/secret/index.html, for example, the password
box pops up.

However, if the client tries to access
http://www.site.co.uk//secret/index.html (note the double slash), the
server happily serves the document out.

Until I manage to have a dig around the sources, my tempory
workaround is to add :-

Protect //secret/*    secret

Whick seems to work (regardless of how many extra slashes are slotted
in).

BTW, my source tree is the last available from CERN with a couple of
local mods (syslog logging + BROWSE support for AOLPress) - I havn't
touched anying which would effect this.

Comments?

Thanks,

Pete

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]