I have an Apache server running on my PC. This is what I found in the log file: 80.15.34.172 - - [24/Aug/2002:12:31:53 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 263 Just before the full edition of my count in text edition. Every page was listed. I have no /scripts directory on my server, it seems that kind of attack was not risky for an Apache server... Or maybe was it just a bug, the page printed on screen ended down it his file? Does someone know what it is? Thanks DEN
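Triage for log entries like the one in the report above, as an added example that is not part of the original thread: it percent-decodes the request path until it stops changing, then checks for `..` segments and the response status. The function names, verdict strings and the two 192.0.2.x log lines are constructed for illustration; the first sample is the reported request with the escape written as `%252f`.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+$')
# A ".." path segment delimited by "/" or "\" (or the string boundary).
DOTDOT = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def decode_layers(path, max_rounds=5):
    """Percent-decode until stable; return (decoded_path, layers_removed)."""
    layers = 0
    while layers < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, layers = decoded, layers + 1
    return path, layers

def triage(line):
    """Classify one access-log line; None if it is not Common Log Format."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, target, status = m.group(1), m.group(2), int(m.group(3))
    raw_path = target.split("?", 1)[0]
    decoded, layers = decode_layers(raw_path)
    traversal = bool(DOTDOT.search(decoded))
    if not traversal:
        verdict = "ok"
    elif status < 400:
        verdict = "review: traversal request was answered without an error"
    else:
        verdict = "probe rejected"
    return {"host": host, "status": status, "decoded_path": decoded,
            "encoding_layers": layers, "traversal": traversal,
            "hidden_in_raw": traversal and not DOTDOT.search(raw_path),
            "verdict": verdict}

# The request from the report (escape written as %252f), then two constructed lines.
SAMPLE = [
    '80.15.34.172 - - [24/Aug/2002:12:31:53 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 263',
    '192.0.2.10 - - [24/Aug/2002:12:40:02 +0100] "GET /docs/my%20file.html HTTP/1.0" 200 5120',
    '192.0.2.11 - - [24/Aug/2002:12:41:17 +0100] "GET /a/..%252f..%252fconf/httpd.conf HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```

The reported request decodes through two layers to a path containing `..` segments and is classed as a rejected probe because the server answered 404; the same pattern with a non-error status is what needs review.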
You apparently don't subscribe to the announce@httpd.apache.org mailing list, or follow the other user lists. Please follow the link cited in the URL above, to immediately close the vulnerability. Then upgrade to 2.0.40. http://httpd.apache.org/info/security_bulletin_20020809a.txt
Using 2.0.40 is impossible as I use PHP and 40 is unable to launch PHP (known bug).
To have PHP 4.2.2 work under Apache 2.0.40, you have to change around 3 lines of code in PHP and recompile. Just follow the compiler error messages and it'll be easy to figure out what's going on. Also, check out the PHP site, it could have someone's previous experiences. Here is the diff between vanilla PHP and the working one on my system: ------------------------------------------------------------------- Only in /usr/src/php/sapi: .deps Only in /usr/src/php/sapi: Makefile Only in /usr/src/php/sapi/apache: .deps Only in /usr/src/php/sapi/apache2filter: .deps Only in /usr/src/php/sapi/apache2filter: .libs Only in /usr/src/php/sapi/apache2filter: Makefile Only in /usr/src/php/sapi/apache2filter: apache_config.lo Only in /usr/src/php/sapi/apache2filter: libsapi.la diff -u --recursive ./apache2filter/php_functions.c /usr/src/php/sapi/apache2fil ter/php_functions.c --- ./apache2filter/php_functions.c Sat May 11 19:49:54 2002 +++ /usr/src/php/sapi/apache2filter/php_functions.c Wed Jul 24 16:23:43 2002 @@ -90,7 +90,7 @@ ADD_STRING(method); ADD_LONG(mtime); ADD_LONG(clength); -#if !MODULE_MAGIC_AT_LEAST(20020506,0) +#if !AP_MODULE_MAGIC_AT_LEAST(20020506,0) ADD_STRING(boundary); #endif ADD_STRING(range); Only in /usr/src/php/sapi/apache2filter: php_functions.lo diff -u --recursive ./apache2filter/sapi_apache2.c /usr/src/php/sapi/apache2filt er/sapi_apache2.c --- ./apache2filter/sapi_apache2.c Tue May 7 01:42:23 2002 +++ /usr/src/php/sapi/apache2filter/sapi_apache2.c Mon Aug 12 18:02:22 2002 
@@ -531,8 +531,8 @@ ap_hook_post_config(php_apache_server_startup, NULL, NULL, APR_HOOK_MIDD LE); ap_hook_insert_filter(php_insert_filter, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_post_read_request(php_post_read_request, NULL, NULL, APR_HOOK_MIDDL E); - ap_register_output_filter("PHP", php_output_filter, AP_FTYPE_RESOURCE); - ap_register_input_filter("PHP", php_input_filter, AP_FTYPE_RESOURCE); + ap_register_output_filter("PHP", php_output_filter, NULL, AP_FTYPE_RESOU RCE); + ap_register_input_filter("PHP", php_input_filter, NULL, AP_FTYPE_RESOURC E); } AP_MODULE_DECLARE_DATA module php4_module = { Only in /usr/src/php/sapi/apache2filter: sapi_apache2.lo Only in /usr/src/php/sapi/cgi: .deps Only in /usr/src/php/sapi/cli: .deps Only in /usr/src/php/sapi/cli: Makefile ------------------------------------------------------------------- Don't worry about missing files - they get generated by configure/compile process. Bojan
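Review bot: In the php_functions.c hunk, the guard around ADD_STRING(boundary) now uses AP_MODULE_MAGIC_AT_LEAST with no fallback, so the file only builds against httpd headers that define the AP_-prefixed macro. If older 2.0.x headers still need to be supported, add a shim near the includes that defines AP_MODULE_MAGIC_AT_LEAST as MODULE_MAGIC_AT_LEAST when the prefixed name is missing, and add a one-line comment saying which httpd release introduced the rename.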
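Review bot: In the sapi_apache2.c hunk, the extra NULL passed to ap_register_output_filter and ap_register_input_filter is unconditional and undocumented. Against headers that still declare the three-argument form this will not compile, so wrap the two calls in the same module-magic-number check that php_functions.c uses, and comment the NULL as "no filter init function" so a later reader does not mistake it for a missing callback.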
Reopening to close as fixed. The report was valid (pre-2.0.40)
Properly identified, and closed as fixed in 2.0.40. See the URL for information about working 'around' the bug.