Bug 26153 - Apache cygwin directory traversal vulnerability
Summary: Apache cygwin directory traversal vulnerability
Status: REOPENED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.0.48
Hardware: PC All
: P1 critical (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-01-15 04:12 UTC by Jeremy Bae
Modified: 2019-01-06 13:17 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Bae 2004-01-15 04:12:13 UTC
on cygwin environment, any files can be retrieved by malicious users.

Apache 1.3.29 and 2.0.48 (source compile version) vulnerability
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini

cf.
http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00241.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661
Comment 1 Paul Querna 2004-08-30 04:50:11 UTC
Can anyone on cgywin verify this issue?  This should likely goto security@ if it is a real issue!
Comment 2 Jeremy Bae 2004-08-30 05:17:09 UTC
Bug 26152 (Apache 1.3.29) has been fixed by Stipe Tolj.
http://issues.apache.org/bugzilla/show_bug.cgi?id=26152

Bug 26153 is not yet fixed.
http://issues.apache.org/bugzilla/show_bug.cgi?id=26153
Comment 3 Paul Querna 2004-08-30 05:51:23 UTC
According to the ChangeLog, CAN-2002-0661 this was fixed in the 2.0.40 release.
Comment 4 Jeremy Bae 2004-08-30 06:35:04 UTC
It is similar to CAN-2002-0661, but new bug of Apache (2.0.48 and below on 
Cygwin).

look at the difference between CAN-2002-0661 and this (%2e).
<CAN-2002-0661 attack signature>
http://[server]/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini 

<this bug attack signature>
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini

I've tested this on Apache 2.0.48 (cygwin), and it did work.

I guess CAN-2002-0661 patch didn't applied to Cygwin portion.