
CERN httpd server authorization bypass

Description: You can bypass password authorization by adding extra forward slashes in the URL, i.e. http://www.server.com//secret.html.
Author: Peter Lord <plord@perrin.demon.co.uk>
Compromise: Unauthorized viewing of passworded HTML files
Vulnerable Systems: Systems running CERN httpd, apparently up to their last version.
Date: 30 April 1997

Date: Wed, 30 Apr 1997 19:50:39 +0000
From: Peter Lord <plord@perrin.demon.co.uk>
Subject: Access control on W3C httpd server

I came across this problem recently when using the CERN server.  I
couldn't find any references to it ... but I guess this *must* be
well known.  Still, better to speak up than to keep quiet.

My server has the following in the config file :-

Protection secret {
        AuthType        Basic
        ServerID        mine
        PasswdFile      /httpd/config/passwd
        GroupFile       /httpd/config/group
        POST-Mask       secret_group
        GET-Mask        secret_group
        PUT-Mask        webmaster
}

Protect /secret/*           secret

Which works fine.  When the client tries to access
http://www.site.co.uk/secret/index.html, for example, the password
box pops up.

However, if the client tries to access
http://www.site.co.uk//secret/index.html (note the double slash), the
server happily serves the document out.

Until I manage to have a dig around the sources, my temporary
workaround is to add :-

Protect //secret/*    secret

Which seems to work (regardless of how many extra slashes are slotted

BTW, my source tree is the last available from CERN with a couple of
local mods (syslog logging + BROWSE support for AOLPress) - I haven't
touched anything which would affect this.
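
The bypass reported above comes from matching the Protect template against the request path exactly as sent, while the file lookup treats repeated slashes as one separator. The sketch below is an added example, not CERN httpd code: it contrasts a raw-string matcher with one that canonicalizes the path first. The rule table, function names and use of fnmatch as a stand-in for the server's template matching are assumptions, and the handling of "." and ".." segments goes beyond the double-slash case in the report.

```python
import fnmatch

# Constructed rule table mirroring the report's "Protect /secret/* secret" line.
PROTECT_RULES = [("/secret/*", "secret")]


def match_raw(url_path):
    """Naive matcher: compares each template with the path exactly as sent."""
    for template, setup in PROTECT_RULES:
        if fnmatch.fnmatchcase(url_path, template):
            return setup
    return None  # no protection setup applies, document is served freely


def canonicalize(url_path):
    """Collapse repeated slashes and resolve '.' and '..' segments."""
    if not url_path.startswith("/"):
        raise ValueError("request path must be absolute")
    parts = url_path.split("/")
    segments = []
    for seg in parts:
        if seg in ("", "."):
            continue  # empty segment = extra slash; '.' = same directory
        if seg == "..":
            if not segments:
                raise ValueError("path climbs above the document root")
            segments.pop()
        else:
            segments.append(seg)
    canon = "/" + "/".join(segments)
    # Keep directory-style paths ending in '/' so /secret/* still matches them.
    if parts[-1] in ("", ".", "..") and canon != "/":
        canon += "/"
    return canon


def match_canonical(url_path):
    """Hardened matcher: the rule sees the same path the file lookup will use."""
    return match_raw(canonicalize(url_path))


if __name__ == "__main__":
    for path in ("/secret/index.html", "//secret/index.html",
                 "/public/../secret/index.html", "/index.html"):
        print(path, "raw:", match_raw(path), "canonical:", match_canonical(path))
```

With canonicalization done once before rule matching, a single Protect line covers every spelling of the path, so per-variant rules such as the //secret/* workaround are no longer needed.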




This page is part of Fyodor's exploit world.