Bug 49623 - CVE-2003-1418 - all httpd versions seem to expose inode values in FileEtag
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Depends on:
Reported: 2010-07-20 11:36 UTC by a.nurwono
Modified: 2015-04-14 06:14 UTC

Description a.nurwono 2010-07-20 11:36:58 UTC
Apache seems to simply hex-encode inodes retrieved by fstat() directly into etags through simple encoding.

Apache 2.2.3 in httpd-2.2.3/modules/http/http_etag.c:
    next = etag_ulong_to_hex(next, (unsigned long)r->finfo.inode);

    if (fstat(thefile->filedes, &info) == 0) {
    finfo->inode = info->st_ino;

This shows up as a security vulnerability through exposure of inode information for files hosted by httpd:


An example solution to the problem was posted on OpenBSD, which is to use a hash of the inode instead of directly presenting an encoded inode into the etag value:


I propose that future versions of Apache would either have FileEtag -Inode turned on or have the inode be hashed by default. (Preferably the original behavior could be optional instead, i.e. FileEtag -noInodehash)

This would prevent security scanners from flagging all Apache implementations as vulnerable.

Comment 1 William A. Rowe Jr. 2011-09-01 21:21:54 UTC
Please provide a citation of how possessing an arbitrary identifier, the inode, represents either a local or remote exploit?

No, not the respective validation test that is failing, but an actual citation 
w.r.t. the value of an inode to exploiting a machine.  Validation vendors are
famous for not actually probing for vulnerabilities, but regurgitating them
based on version numbers.
Comment 2 Joe Orton 2011-09-05 13:07:21 UTC
Tomas Hoger pointed out that CVE-2003-1418 also mentions a pid leak in the byterange filter; I fixed that part in r1165268 since it seems cheap and harmless.
Comment 3 Tomas Hoger 2011-09-05 13:21:08 UTC
Comment suggests this part is probably redundant now after the change:
Comment 4 Phil Dietz 2011-09-15 15:34:13 UTC
I propose that 'FileETag MTime Size' become the default along with the fix for the hex problem. Why expose inode in the 1st place... unless you need it.
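
A defender-side check for the ETag layout discussed in the description and in Comment 4, as an added example that is not part of this bug thread or of httpd's code: it classifies an ETag header as carrying an inode field or not, using Content-Length to confirm the size field. It assumes the legacy layout is "inode-size-mtime" in lowercase hex with mtime in microseconds, and that 'FileETag MTime Size' yields "size-mtime"; the name audit_etag and all sample values are constructed for illustration.

```python
import re
from datetime import datetime, timezone

HEX = re.compile(r"[0-9a-f]+")
UNRECOGNIZED = {"finding": "unrecognized"}


def audit_etag(etag, content_length=None):
    """Classify one ETag header value; content_length (int) confirms the size field."""
    value = etag.strip()
    weak = value.startswith("W/")  # weak validators keep the same field layout
    if weak:
        value = value[2:]
    if len(value) < 2 or not (value[0] == value[-1] == '"'):
        return dict(UNRECOGNIZED)
    parts = value[1:-1].split("-")
    if len(parts) not in (2, 3) or not all(HEX.fullmatch(p) for p in parts):
        return dict(UNRECOGNIZED)
    fields = [int(p, 16) for p in parts]
    size, mtime_us = fields[-2], fields[-1]
    # Cross-check against Content-Length so an unrelated hex-dash ETag is not misread.
    if content_length is not None and size != content_length:
        return dict(UNRECOGNIZED)
    try:
        # Assumption: mtime is microseconds since the epoch.
        mtime = datetime.fromtimestamp(mtime_us // 1_000_000, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return dict(UNRECOGNIZED)  # last field is not a plausible timestamp
    result = {
        "finding": "inode-exposed" if len(fields) == 3 else "no-inode",
        "weak": weak,
        "size": size,
        "mtime": mtime.isoformat(),
    }
    if len(fields) == 3:
        result["inode"] = fields[0]
    return result


# Constructed sample values (not taken from any real server).
_MTIME_US = int(datetime(2010, 7, 20, 11, 36, 58, tzinfo=timezone.utc).timestamp()) * 1_000_000
LEGACY = '"%x-%x-%x"' % (181236, 45, _MTIME_US)  # inode-size-mtime
TRIMMED = '"%x-%x"' % (45, _MTIME_US)            # assumed output of FileETag MTime Size

if __name__ == "__main__":
    for tag in (LEGACY, TRIMMED, '"v1.2-build7"'):
        print(tag, audit_etag(tag, content_length=45))
```

A three-field match is a heuristic, so pass the response's Content-Length whenever it is available.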
Comment 5 Stefan Fritsch 2012-01-23 22:22:55 UTC
fixed in r1199086
Comment 6 Stefan Fritsch 2012-02-26 17:07:13 UTC
fixed in 2.4.1
Comment 7 Takashi Sato 2015-04-14 06:14:44 UTC
r1165268 was backported to 2.2 in r1165607, this was released on 2.2.21.
r1199086 has not been backported to 2.2 yet.