Bug 49623

Summary: CVE-2003-1418 - all httpd versions seem to expose inode values in FileEtag
Product: Apache httpd-2
Reporter: a.nurwono
Component: Core
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
CC: covener, thoger
Priority: P2
Keywords: FixedInTrunk
Version: 2.5-HEAD
Target Milestone: ---
Hardware: All
OS: All

Description a.nurwono 2010-07-20 11:36:58 UTC
Apache seems to simply hex-encode inodes retrieved by fstat() directly into etags through simple encoding.

Apache 2.2.3 in httpd-2.2.3/modules/http/http_etag.c:
    next = etag_ulong_to_hex(next, (unsigned long)r->finfo.inode);

httpd-2.2.3/srclib/apr/file_io/unix/filestat.c:
    if (fstat(thefile->filedes, &info) == 0) {
...
    finfo->inode = info->st_ino;


This shows up as a security vulnerability through exposure of inode information for files hosted by httpd:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418

An example solution to the problem was posted on OpenBSD, which is to use a hash of the inode instead of directly presenting an encoded inode into the etag value:

http://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch


I propose that future versions of Apache either have FileEtag -Inode turned on or hash the inode by default. (Preferably the original behavior could be optional instead, i.e. FileEtag -noInodehash.)

This would prevent security scanners from flagging all Apache implementations as vulnerable.

Thanks!
Comment 1 William A. Rowe Jr. 2011-09-01 21:21:54 UTC
Please provide a citation of how possessing an arbitrary identifier, the inode, represents either a local or remote exploit?

No, not the respective validation test that is failing, but an actual citation w.r.t. the value of an inode to exploiting a machine. Validation vendors are famous for not actually probing for vulnerabilities, but regurgitating them based on version numbers.
Comment 2 Joe Orton 2011-09-05 13:07:21 UTC
Tomas Hoger pointed out that CVE-2003-1418 also mentions a pid leak in the byterange filter; I fixed that part in r1165268 since it seems cheap and harmless.
Comment 3 Tomas Hoger 2011-09-05 13:21:08 UTC
Comment suggests this part is probably redundant now after the change:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/byterange_filter.c?view=markup&pathrev=1165268#l22
Comment 4 Phil Dietz 2011-09-15 15:34:13 UTC
I propose that 'FileETag MTime Size' become the default along with the fix for the hex problem. Why expose inode in the 1st place... unless you need it.
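As an added illustration (not httpd's code, nor any commenter's), the C program below builds an ETag in the hex-encoded layout the description refers to beside the 'FileETag MTime Size' layout proposed in this comment, and includes two audit helpers an administrator can run against an ETag observed from their own server to confirm the inode component is gone. The field order and separator (inode-size-mtime, hyphen-separated, lowercase hex) are an assumption about httpd's default format, and all sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* ETag in the layout the bug describes: each field hex-encoded and
 * joined by '-'. The inode-size-mtime order is an assumption about
 * httpd's default "FileETag INode MTime Size" output. */
static void etag_with_inode(char *out, size_t cap, unsigned long inode,
                            unsigned long size, unsigned long mtime)
{
    snprintf(out, cap, "\"%lx-%lx-%lx\"", inode, size, mtime);
}

/* Layout proposed as the new default ("FileETag MTime Size"): the
 * inode never enters the tag, so no filesystem-internal value leaks. */
static void etag_without_inode(char *out, size_t cap,
                               unsigned long size, unsigned long mtime)
{
    snprintf(out, cap, "\"%lx-%lx\"", size, mtime);
}

/* Audit helper: count hyphen-separated fields. With the assumed
 * default format, three fields means the inode component is present. */
static int etag_field_count(const char *etag)
{
    int fields = 1;
    for (const char *p = etag; *p; p++)
        if (*p == '-')
            fields++;
    return fields;
}

/* Audit helper: does the ETag begin with the hex of a file's known
 * inode (from stat(2) on the served file)? Returns 1 if it does. */
static int etag_exposes_inode(const char *etag, unsigned long inode)
{
    char hex[2 * sizeof(unsigned long) + 2]; /* hex digits + '-' + NUL */
    int n = snprintf(hex, sizeof hex, "%lx-", inode);
    const char *body = (etag[0] == '"') ? etag + 1 : etag;
    return strncmp(body, hex, (size_t)n) == 0;
}

int main(void)
{
    char leaky[64], safe[64];
    /* constructed sample values: inode 0x1a2b3c, size 4096, mtime 0x4c46 */
    etag_with_inode(leaky, sizeof leaky, 0x1a2b3cUL, 0x1000UL, 0x4c46UL);
    etag_without_inode(safe, sizeof safe, 0x1000UL, 0x4c46UL);
    printf("%s exposes inode: %d\n", leaky, etag_exposes_inode(leaky, 0x1a2b3cUL));
    printf("%s exposes inode: %d\n", safe, etag_exposes_inode(safe, 0x1a2b3cUL));
    return 0;
}
```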
Comment 5 Stefan Fritsch 2012-01-23 22:22:55 UTC
fixed in r1199086
Comment 6 Stefan Fritsch 2012-02-26 17:07:13 UTC
fixed in 2.4.1
Comment 7 Takashi Sato 2015-04-14 06:14:44 UTC
r1165268 was backported to 2.2 in r1165607; this was released in 2.2.21.
r1199086 has not been backported to 2.2 yet.