CERN httpd server authorization bypass

Description:You can bypass password authorization by adding extra forward slashes in the URL. ie:
Author:Peter Lord <>
Compromise:Unauthorized viewing of passworded html files
Vulnerable Systems:Systems running CERN httpd, apparently up to their last version.
Date:30 April 1997

Date: Wed, 30 Apr 1997 19:50:39 +0000
From: Peter Lord <>
Subject: Access control on W3C httpd server

I came accross this problem recently when using the CERN server.  I
couldn't find any referrences to it ... but I guess this *must* be
well known.  Still, better to speak up than to keep quiet.

My server has the following in the config file :-

Protection secret {
        AuthType        Basic
        ServerID        mine
        PasswdFile      /httpd/config/passwd
        GroupFile       /httpd/config/group
        POST-Mask       secret_group
        GET-Mask        secret_group
        PUT-Mask        webmaster

Protect /secret/*           secret

Which works fine.  When the client tries to access, for example, the password
box pops up.

However, if the client tries to access (note the double slash), the
server happily serves the document out.

Until I manage to have a dig around the sources, my tempory
workaround is to add :-

Protect //secret/*    secret

Whick seems to work (regardless of how many extra slashes are slotted

BTW, my source tree is the last available from CERN with a couple of
local mods (syslog logging + BROWSE support for AOLPress) - I havn't
touched anying which would effect this.




More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: