CERN httpd server authorization bypass
Description: You can bypass password authorization by adding extra forward slashes in the URL, i.e. http://www.server.com//secret.html.
Author: Peter Lord <plord@perrin.demon.co.uk>
Compromise: Unauthorized viewing of passworded html files
Vulnerable Systems: Systems running CERN httpd, apparently up to their last version.
Date: 30 April 1997
Date: Wed, 30 Apr 1997 19:50:39 +0000
From: Peter Lord <plord@perrin.demon.co.uk>
To: BUGTRAQ@NETSPACE.ORG
Subject: Access control on W3C httpd server
I came across this problem recently when using the CERN server. I
couldn't find any references to it ... but I guess this *must* be
well known. Still, better to speak up than to keep quiet.
My server has the following in the config file :-
Protection secret {
AuthType Basic
ServerID mine
PasswdFile /httpd/config/passwd
GroupFile /httpd/config/group
POST-Mask secret_group
GET-Mask secret_group
PUT-Mask webmaster
}
Protect /secret/* secret
Which works fine. When the client tries to access
http://www.site.co.uk/secret/index.html, for example, the password
box pops up.
However, if the client tries to access
http://www.site.co.uk//secret/index.html (note the double slash), the
server happily serves the document out.
Until I manage to have a dig around the sources, my temporary
workaround is to add :-
Protect //secret/* secret
Which seems to work (regardless of how many extra slashes are slotted
in).
BTW, my source tree is the last available from CERN with a couple of
local mods (syslog logging + BROWSE support for AOLPress) - I haven't
touched anything which would affect this.
Comments?
Thanks,
Pete
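The post describes a Protect rule that is matched literally against the request path, so a path with a doubled slash never hits the rule. The sketch below is an added illustration, not code from the post or from CERN httpd: it contrasts a literal prefix matcher with one that canonicalises the path before any access-control lookup. The rule table and function names are assumptions made for the example.

```python
from typing import List, Optional, Tuple

# Constructed rule table mirroring the post's config: "Protect /secret/* secret".
PROTECT_RULES: List[Tuple[str, str]] = [("/secret/*", "secret")]


def match_literal(path: str) -> Optional[str]:
    """Literal matching as the post describes it: the request path is compared
    to the Protect pattern as-is, so "//secret/x" does not start with "/secret/"."""
    for pattern, setup in PROTECT_RULES:
        if pattern.endswith("/*"):
            if path.startswith(pattern[:-1]):
                return setup
        elif path == pattern:
            return setup
    return None


def normalize_path(path: str) -> str:
    """Canonicalise a request path before the authorisation decision:
    collapse repeated slashes, drop "." segments and resolve ".." segments.
    (Percent-decoding, if the server does it, must happen before this step.)"""
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # empty segment comes from "//", "." is a no-op
        if seg == "..":
            if segments:
                segments.pop()  # never climb above the document root
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    # Keep a trailing slash so a directory request "/secret/" still matches "/secret/*".
    if path.endswith("/") and segments:
        result += "/"
    return result


def match_hardened(path: str) -> Optional[str]:
    """Same rule table, but matched against the canonical form of the path.
    This closes the whole class of alias paths, not just one extra slash."""
    return match_literal(normalize_path(path))
```

The post's workaround of adding `Protect //secret/* secret` patches one alias per rule; canonicalising before matching covers every slash count and the `..` forms in one place.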
This page is part of Fyodor's exploit world.