Bug 26152

Summary: Apache 1.3.29 and below directory traversal vulnerability
Product: Apache httpd-1.3 Reporter: Jeremy Bae <swbae>
Component: core Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED WONTFIX    
Severity: normal CC: tolj
Priority: P3    
Version: 1.3.29   
Target Milestone: ---   
Hardware: PC   
OS: other   
URL: http://http://www.kogalym.ru
Attachments: patch to fix serious security hole in cygwin platform

Description Jeremy Bae 2004-01-15 04:10:03 UTC
On a cygwin environment, any files can be retrieved by malicious users.

Apache 1.3.24 (cygwin default version) vulnerability
http://[server]/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini

Apache 1.3.29 and 2.0.48 (source compile version) vulnerability
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini

cf.
http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00241.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661
Comment 1 Stipe Tolj 2004-02-03 00:37:35 UTC
Confirmed by the cygwin platform maintainer.
Analyzing code and sending patches to the dev@ list.

Please pull any "production level" servers running on the cygwin 1.x platform 
from operations.

Stipe
Comment 2 Stipe Tolj 2004-02-04 16:42:09 UTC
Created attachment 10222
patch to fix serious security hole in cygwin platform
Comment 3 Stipe Tolj 2004-02-04 16:44:03 UTC
The attached patch implements a cygwin-specific as_os_canonical_filename() 
within src/os/cygwin/util_cygwin.c to map backslashes (that unfortunately are 
interpreted by the cygwin os layer) to slashes. This allows the later security 
holders to grab within the directory_walk() and file_walk() routines.

Please review and apply. Update bug to fixed then.

stipe
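
The ordering problem behind comment 3, as an added example (it is not the attached patch and not Apache's code): a path check that only treats '/' as a separator passes the reported request paths unless backslashes are mapped to slashes first. The function names and the 1024-byte buffer are hypothetical.

```c
#include <stddef.h>
#include <string.h>
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                  /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst; -1 on bad escape, encoded NUL or overflow. */
static int url_decode(const char *src, char *dst, size_t dst_len) {
    size_t n = 0;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0 || (c = hi * 16 + lo) == 0) return -1;
            src += 2;
        }
        if (n + 1 >= dst_len) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 0;
}

/* 1 if no ".." segment climbs above the root; only '/' separates segments. */
static int stays_below_root(const char *p) {
    int depth = 0;
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 0;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            ++depth;
        }
        p += len + (p[len] == '/');             /* skip one separator */
    }
    return 1;
}

/* Hypothetical request check: canonicalize=1 maps '\' to '/' before the walk. */
int request_path_ok(const char *raw, int canonicalize) {
    char buf[1024], *q;
    if (url_decode(raw, buf, sizeof buf) != 0) return 0;
    for (q = buf; canonicalize && *q; ++q)
        if (*q == '\\') *q = '/';
    return stays_below_root(buf);
}
```

With canonicalize set to 0 the whole `..\..\` run counts as one ordinary segment, so the check accepts it; with 1 the same input is rejected at the first `..`.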
Comment 4 Malte S. Stretz 2011-03-21 11:04:30 UTC
Apache HTTP Server 1.3.x is not supported anymore and no bugs will be fixed in the old codebase (cf. <http://mail-archives.apache.org/mod_mbox/httpd-announce/201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E>). Since this bug seems to affect only 1.3.x, I'm closing it as WONTFIX.

If this bug still affects you in a recent version (version 2.2.x or the upcoming version 2.4), please open a new bug.

Thank you for reporting the bug.