Bug 26153

Summary: Apache cygwin directory traversal vulnerability
Product: Apache httpd-2
Reporter: Jeremy Bae <swbae>
Component: Core
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: REOPENED
Severity: critical
CC: szg0000
Priority: P1
Version: 2.0.48
Target Milestone: ---
Hardware: PC
OS: All

Description Jeremy Bae 2004-01-15 04:12:13 UTC
On a Cygwin environment, any file can be retrieved by malicious users.

Apache 1.3.29 and 2.0.48 (source compile version) vulnerability
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini

cf.
http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00241.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661
Comment 1 Paul Querna 2004-08-30 04:50:11 UTC
Can anyone on Cygwin verify this issue?  This should likely go to security@ if it is a real issue!
Comment 2 Jeremy Bae 2004-08-30 05:17:09 UTC
Bug 26152 (Apache 1.3.29) has been fixed by Stipe Tolj.
http://issues.apache.org/bugzilla/show_bug.cgi?id=26152

Bug 26153 is not yet fixed.
http://issues.apache.org/bugzilla/show_bug.cgi?id=26153
Comment 3 Paul Querna 2004-08-30 05:51:23 UTC
According to the ChangeLog (CAN-2002-0661), this was fixed in the 2.0.40 release.
Comment 4 Jeremy Bae 2004-08-30 06:35:04 UTC
It is similar to CAN-2002-0661, but it is a new bug in Apache (2.0.48 and below on Cygwin).

Look at the difference between CAN-2002-0661 and this (%2e).
<CAN-2002-0661 attack signature>
http://[server]/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini 

<this bug attack signature>
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini

I've tested this on Apache 2.0.48 (cygwin), and it did work.

I guess the CAN-2002-0661 patch wasn't applied to the Cygwin portion.
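
An added detection example, not part of the bug report or of Apache's code: it scans access-log lines for both request shapes quoted in the comments above by percent-decoding the path, treating `\` as a separator alongside `/`, and looking for a `..` segment. The log lines, status codes and function names are constructed for illustration, and the repeated-decoding step goes beyond the two signatures on the page to also catch double-encoded variants.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines; addresses, times and status codes are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2004:04:12:13 +0000] "GET /..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini HTTP/1.0" 200 211',
    '192.0.2.11 - - [15/Jan/2004:04:13:02 +0000] "GET /%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.0" 403 298',
    '192.0.2.12 - - [15/Jan/2004:04:14:40 +0000] "GET /docs/a..b/index.html HTTP/1.0" 200 1043',
    '192.0.2.13 - - [15/Jan/2004:04:15:05 +0000] "GET /%252e%252e%255c%252e%252e%255cboot.ini HTTP/1.0" 404 287',
    '192.0.2.14 - - [15/Jan/2004:04:16:00 +0000] "GET /search?q=..%5Cfoo HTTP/1.0" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so %255c -> %5c -> backslash is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(raw_target):
    """True if the decoded URL path has a '..' segment under either separator."""
    path = raw_target.split('?', 1)[0]   # only the path is mapped to the filesystem
    segments = re.split(r'[/\\]', decode_fully(path))
    return '..' in segments              # 'a..b' is one segment and does not match

def scan(lines):
    """Return (request target, status) for every line that looks like traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group(1)):
            hits.append((m.group(1), int(m.group(2))))
    return hits

if __name__ == '__main__':
    for target, status in scan(SAMPLE_LOG):
        # A 2xx status means the server answered the request instead of refusing it.
        print(status, target)
```

A hit with a 2xx status is the one to triage first, since it means the request was served rather than rejected.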