Bug 26152 - Apache 1.3.29 and below directory traversal vulnerability
Summary: Apache 1.3.29 and below directory traversal vulnerability
Alias: None
Product: Apache httpd-1.3
Classification: Unclassified
Component: core (show other bugs)
Version: 1.3.29
Hardware: PC other
: P3 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL: http://http://www.kogalym.ru
Depends on:
Reported: 2004-01-15 04:10 UTC by Jeremy Bae
Modified: 2011-03-21 11:04 UTC (History)
1 user (show)

patch to fix serious security hole in cygwin platform (5.33 KB, patch)
2004-02-04 16:42 UTC, Stipe Tolj
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Bae 2004-01-15 04:10:03 UTC
on cygwin environment, any files can be retrieved by malicious users

Apache 1.3.24 (cygwin default version) vulnerability

Apache 1.3.29 and 2.0.48 (source compile version) vulnerability

Comment 1 Stipe Tolj 2004-02-03 00:37:35 UTC
confirmed by the cygwin platform maintainer.
Analyzing code and sending patches to the dev@ list.

Please pull any "production level" servers running on the cygwin 1.x platform 
from operations.

Comment 2 Stipe Tolj 2004-02-04 16:42:09 UTC
Created attachment 10222 [details]
patch to fix serious security hole in cygwin platform
Comment 3 Stipe Tolj 2004-02-04 16:44:03 UTC
the attched patch implements an cygwin specific as_os_canonical_filename() 
within src/os/cygwin/util_cygwin.c to map backslashes (that unfortunatly are 
interpreted by the cygwin os layer) to slashes. This allows the later security 
holders to grap within the directory_walk() and file_walk() routines.

Please review and apply. Update bug to fixed then.

Comment 4 Malte S. Stretz 2011-03-21 11:04:30 UTC
Apache HTTP Server 1.3.x is not supported anymore and no bugs will be fixed in the old codebase (cf. <http://mail-archives.apache.org/mod_mbox/httpd-announce/201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E>). Since this bug seems to affect only 1.3.x, I'm closing it as WONTFIX.

If this bug still affects you in a recent version (version 2.2.x or the upcoming version 2.4), please open a new bug.

Thank you for reporting the bug.